aureport(8)
Generates audit framework reports from the Linux audit logs.
Synopsis
aureport [options] [--summary] [--detail]
Description
aureport is a command-line tool that processes audit logs from the Linux Audit framework and generates human-readable reports. It can summarize audit events by type, user, executable, or other fields, and can filter reports by date range, event type, or other criteria.
By default, aureport generates a summary report. Use --detail to see individual events, or combine with field-specific options like --user, --file, or --executable to focus on particular audit subjects.
Common options
| Flag | What it does |
|---|---|
| --summary | Generate summary report (default behavior) |
| --detail | Show individual audit events with full details |
| --user | Report on events by user (UID or username) |
| --file | Report on file access and modification events |
| --executable | Report on executed commands and programs |
| --event | Report on specific event types |
| --start | Start date for report (format: MM/DD/YYYY or today, recent) |
| --end | End date for report (format: MM/DD/YYYY) |
| --interpret | Convert numeric values to human-readable names |
| -i | Shorthand for --interpret |
| --input FILE | Read audit log from specified file instead of system log |
| --output FILE | Write report output to specified file |
Examples
Display summary of all audit events by type
aureport

Show detailed report with individual audit events
aureport --detail

Report audit events grouped by user with human-readable names
aureport --user --interpret

Summarize audit events by executable program run
aureport --executable --summary

Report file access events between specified dates
aureport --file --start 01/15/2024 --end 01/20/2024

Generate event report from a specific audit log file
aureport --event --input /var/log/audit/audit.log

Show last 50 detailed audit events for user 'bob' with readable output
aureport --detail --user bob --interpret | tail -50

Generate summary report and save to file
aureport --summary --output report.txt
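
When the date-window report above is run from a scheduled job, the window can be checked first so that a malformed date or an inverted range is rejected before aureport is called. The wrapper below is an added example, not part of the original page or the audit project; `valid_date`, `date_key`, `file_report` and `DRY_RUN` are hypothetical names, and it uses only flags listed in the table above.

```shell
#!/bin/sh
# Added example (not from the aureport project). Function names and the
# DRY_RUN variable are hypothetical; the flags are the ones listed above.

# valid_date: accept MM/DD/YYYY with month 1-12 and day 1-31.
# Range check only; it does not know month lengths.
valid_date() {
    case "$1" in
        [0-1][0-9]/[0-3][0-9]/[0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=${1%%/*}; rest=${1#*/}; dd=${rest%%/*}
    mm=${mm#0}; dd=${dd#0}          # drop a leading zero before comparing
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ]
}

# date_key: MM/DD/YYYY -> YYYYMMDD so two dates compare as integers.
date_key() {
    mm=${1%%/*}; rest=${1#*/}; dd=${rest%%/*}; yyyy=${rest#*/}
    printf '%s%s%s' "$yyyy" "$mm" "$dd"
}

# file_report START END [LOGFILE]
# Runs the file-access report for the window, or prints the command
# when DRY_RUN=1. Returns 2 on bad input without calling aureport.
file_report() {
    start=$1; end=$2; logfile=${3:-}
    valid_date "$start" || { echo "bad start date: $start" >&2; return 2; }
    valid_date "$end"   || { echo "bad end date: $end" >&2; return 2; }
    if [ "$(date_key "$start")" -gt "$(date_key "$end")" ]; then
        echo "start $start is after end $end" >&2; return 2
    fi
    # Build the argument list as positional parameters so a log path
    # containing spaces stays a single argument.
    set -- aureport --file --interpret --start "$start" --end "$end"
    if [ -n "$logfile" ]; then
        [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 2; }
        set -- "$@" --input "$logfile"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
```

Source the file and call `file_report 01/15/2024 01/20/2024`; set `DRY_RUN=1` first to see the command without reading any audit log.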