Pular para o conteúdo principal

How to Create Reports from Audit Logs Using ‘aureport’ on CentOS/RHEL

 

What is aureport?


aureport is a command line utility used for creating useful summary reports from the audit log files stored in /var/log/audit/. Like ausearch, it also accepts raw log data from stdin.
It is an easy-to-use utility; simply pass an option for a specific kind of report that you need, as shown in the examples below.

Create Report Concerning Audit Rule Keys

The aurepot command will produce a report about all keys you specified in audit rules, using the -k flag.

# aureport -k
Report Audit Rule Keys
Report Audit Rule Keys
You can enable interpreting of numeric entities into text (for example convert UID to account name) using the -i option.
# aureport -k -i

Create Report About Attempted Authentications

If you need a report about all events relating to attempted authentications for all users, use the -au option.

# aureport -au 
OR
# aureport -au -i
 
Summary of Login Authentication
Summary of Login Authentication

Produce Report Concerning Logins

The -l option tells aureport to generate a report of all logins as follows.

Check Login Authentications
Check Login Authentications

Report Failed Events on the System

The following command shows how to report all failed events.
# aureport --failed
 
Report Failed Events

Report Failed Events

Generate Summary Report for a Given Time Period

It is also possible to generate reports for a specified period of time; the -ts defines the start date/time and -te sets a end date/time. You can also use words like now, recent, today, yesterday, this-week, week-ago, this-month, this-year instead of actual time formats.
# aureport -ts 09/19/2017 15:20:00 -te now --summary -i 
OR
# aureport -ts yesterday -te now --summary -i
Generate a Summary Report

Generate a Summary Report

Produce report From Different Audit Log File

If you want to create a report from a different file other than the default log files in /var/log/audit directory, use the -if flag to specify the file.
This command reports all logins recorded in /var/log/tecmint/hosts/node1.log.
# aureport -l -if /var/log/tecmint/hosts/node1.log
You can find all options and more information in the aureport man page.
# man aureport

Comentários

Postar um comentário

Postagens mais visitadas deste blog

Upgrading Iomega ix2-200 to Cloud Edition

You just got your ix2-200 from eBay and there are no disks inside the NAS. Or you have a brand new ix2-200 -yet you could not afford Cloud Edition. No problem. With just a USB stick and a SATA adapter or desktop PC, you will easily upgrade your ix2-200 to ix2-200 Cloud Edition. Not only your ix2-200 will have a brand new interface and Cloud options, but also will become Mac OS X Lion compatible! What do we need? Decrypted! ix2-200 Cloud Edition Firmware 3.1.12.47838 S endSpace or RapidShare * USB Flash Drive with at least 2 GB capacity and LED indicator** SATA to USB adapter or desktop PC Toothpick or paperclip Preparing Hard Drives Preparing hard drives is the first step because you have to wipe all the data inside the hard drives and make them just like brand new. We used 2 x Seagate 2 TB 5900 RPM Drives. Backup any files if you have and then remove both disks from ix2-200 and attach them to SATA to USB adapter or your desktop PC's SATA port. Using ...
Postar um comentário
Leia mais

How to Fix sub-process /usr/bin/dpkg returned an error code (1)

Introduction The error message “Sub-process /usr/bin/dpkg returned an error code (1)” indicates a problem with the package installer. This can happen in Ubuntu after a failed software installation, or if the installer becomes corrupted. The key phrase in this error is /usr/bin/dpkg. This refers to the dpkg package installer for Linux. A package installer is an application that tracks software, updates, and dependencies. If it is damaged, any new software installation will cause this error message. We cover several possible solutions, from easily-solved and straightforward solutions to more complex processes. This guide will help you resolve the dpkg returned an error code 1 on an Ubuntu operating system. Prerequisites A user account with sudo privileges A terminal window/command-line ( Ctrl - Alt - T ) Options to Fix sub-process /usr/bin/dpkg returned an error code (1) Method 1: Reconfigure dpkg Database ...
Postar um comentário
Leia mais