commands.sh

ausearch

linux

Query the Linux audit log for events. Part of the `audit` package. See also: `audit2why`, `audit2allow`, `aureport`.


Options (6)

-m, --message (boolean)

Search for all SELinux AVC denial events

Example: sudo ausearch {{[-m|--message]}} avc

-c, --comm (boolean)

Search for events related to a specific executable

Example: sudo ausearch {{[-c|--comm]}} {{httpd}}

-ui, --uid (boolean)

Search for events from a specific user

Example: sudo ausearch {{[-ui|--uid]}} {{1000}}

-ts, --start (boolean)

Search for events in the last 10 minutes

Example: sudo ausearch {{[-ts|--start]}} recent

-sv, --success (boolean)

Search for failed login attempts

Example: sudo ausearch {{[-m|--message]}} user_login {{[-sv|--success]}} no

-f, --file (boolean)

Search for events related to a specific file

Example: sudo ausearch {{[-f|--file]}} {{path/to/file}}

Examples (7)

Search for all SELinux AVC denial events

sudo ausearch [-m|--message] avc

Search for events related to a specific executable

sudo ausearch [-c|--comm] httpd

Search for events from a specific user

sudo ausearch [-ui|--uid] 1000

Search for events in the last 10 minutes

sudo ausearch [-ts|--start] recent

Search for failed login attempts

sudo ausearch [-m|--message] user_login [-sv|--success] no

Search for events related to a specific file

sudo ausearch [-f|--file] path/to/file

Display results in raw format for further processing

sudo ausearch [-m|--message] avc --raw
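Processing `--raw` output, as an added example that is not part of the tldr page: a POSIX shell script that parses constructed audit records (not real data; the record layout follows the standard audit.log format) to summarise AVC denials and list failed logins. The function names are my own, and the sample would be replaced by a live `ausearch ... --raw` pipeline.

```shell
#!/bin/sh
# Constructed sample of `ausearch --raw` output (not real audit data): two
# AVC denials, one failed and one successful USER_LOGIN, and one SYSCALL record.
sample_raw() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 items=0 ppid=1 pid=1234 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000000.202:502): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=USER_LOGIN msg=audit(1700000000.303:503): pid=2222 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.404:504): pid=2223 uid=0 auid=1000 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=success'
EOF
}

# Summarise AVC denials on stdin as "<comm> <tclass> <permissions>", one line
# per denial: what a confined process was blocked from doing, and to what class.
avc_denial_summary() {
  awk '/^type=AVC / && /avc: +denied/ {
    match($0, /[{][^}]*[}]/); perms = substr($0, RSTART + 1, RLENGTH - 2)
    gsub(/^ +| +$/, "", perms)
    match($0, /comm="[^"]*"/); comm = substr($0, RSTART + 6, RLENGTH - 7)
    match($0, /tclass=[^ ]+/); tclass = substr($0, RSTART + 7, RLENGTH - 7)
    print comm, tclass, perms
  }'
}

# Number of AVC denials on stdin (the records `ausearch -m avc` selects).
count_avc_denials() { avc_denial_summary | wc -l | tr -d ' '; }

# Accounts with a failed login on stdin, with source address, deduplicated:
# the raw-format view of what `ausearch -m user_login -sv no` selects.
failed_logins() {
  awk '/^type=USER_LOGIN / && /res=failed/ {
    acct = "?"; addr = "?"
    if (match($0, /acct="[^"]*"/)) acct = substr($0, RSTART + 6, RLENGTH - 7)
    if (match($0, /addr=[^ ]+/))   addr = substr($0, RSTART + 5, RLENGTH - 5)
    print acct, addr
  }' | sort -u
}

# Stand-alone run over the constructed sample; on a live host feed it
# `sudo ausearch -m avc --raw` / `sudo ausearch -m user_login --raw` instead.
sample_raw | avc_denial_summary
sample_raw | failed_logins
```

The SYSCALL record carries `comm="httpd"` too but is correctly skipped, since only `type=AVC` records with `denied` are counted.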

made by @shridhargupta | data from tldr-pages