On Tuesday 25 September 2007 09:21:59 Scott Ehrlich wrote:
> Could someone please produce a sample audit log line or two and break down
> what each piece means, or direct me to a web page that does so?
For the quick view of your system, use the aureport program. It can give you
summary information and produce reports for various aspects like failed
logins or denied file accesses.
aureport --start this-month
aureport --start this-week --login --failed -i
aureport --start this-week --file --failed -i
But there comes a time when you just want to see the raw information since
there are more details. ausearch is the tool for this. It understands the
format of the logs and should be used to look at the logs since it can do
interpretation of the fields and glue individual records into events.
ausearch --start today -i | less
What each field means can be found in the audit parsing library specification:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
It gives an overview of the records in the top portion before it gets to the
functions in the library.
> I had initially expected some form of date/time stamp, but looking at the
> first set of decimal-separated digits couldn't help me decipher a
> date/time.
ausearch is intended to be the audit log display tool.
-Steve
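Added example, not part of Steve's reply or of the audit project's own code: a small Python parser for the raw record format that ausearch reads. It shows that the decimal-separated digits in `msg=audit(...)` are epoch seconds and milliseconds followed by an event serial, and that records sharing that identifier are glued together into one event. The sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not taken from the post): two records that belong
# to one event (same secs.ms:serial) and one record from a different event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1190726519.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9c8e0a00 comm="cat" exe="/bin/cat" uid=500 auid=500
type=PATH msg=audit(1190726519.123:456): item=0 name="/etc/shadow" inode=1234 mode=0100400 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1190726530.001:457): pid=1001 uid=0 auid=500 msg='acct="scott" exe="/usr/sbin/sshd" res=failed'
"""

# Header: type=<record type> msg=audit(<epoch secs>.<ms>:<serial>): <fields>
_HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$')
# key=value pairs; values may be double-quoted, single-quoted, or bare tokens.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Split one raw audit record into its header parts and key=value fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    # The "undecipherable" digits: seconds since the epoch plus milliseconds.
    when = (datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc)
            + timedelta(milliseconds=int(m.group("ms"))))
    fields = {k: v.strip('"\'') for k, v in _FIELD.findall(m.group("rest"))}
    return {
        "type": m.group("type"),
        "time": when,
        "serial": int(m.group("serial")),
        # Records of one event share this identifier; ausearch groups on it.
        "event_id": "%s.%s:%s" % (m.group("secs"), m.group("ms"), m.group("serial")),
        "fields": fields,
    }


def group_events(text):
    """Glue individual records into events keyed by their audit(...) identifier."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]].append(rec)
    return dict(events)
```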