$linuxjunkies

ausearch(8)

Search the audit log for events matching specified criteria.


Synopsis

ausearch [options]

Description

ausearch queries the Linux audit daemon's log files to find and display audit events matching given search criteria. It can search by event type, user, process ID, system call, and many other attributes, making it essential for security analysis and troubleshooting.

Results are displayed as parsed records, as CSV, or as raw log lines, and can be piped to other tools for further analysis. Multiple search options can be combined, and an event must match all of them. ausearch groups the records that share one event serial number, so a SYSCALL record is reported together with its CWD, PATH and EXECVE records for detailed system call analysis.

Common options

Flag                          What it does
-k, --key KEY                 Search for events tagged with the audit key KEY (the key set on the matching auditctl rule)
-m, --message TYPE            Search for records of the given type (e.g., EXECVE, SYSCALL, USER_LOGIN); a comma-separated list matches any of them
-ts, --start [DATE] [TIME]    Start the search at the given time; accepts keywords such as today, yesterday or recent, or a date (MM/DD/YYYY in the US locale) with an optional HH:MM:SS
-te, --end [DATE] [TIME]      End the search at the given time; accepts keywords such as now, recent or today, or a date (MM/DD/YYYY) with an optional HH:MM:SS
-ui, --uid UID                Search for events generated by the user ID UID
-p, --pid PID                 Search for events with the process ID PID
--input-logs                  Read the log location from auditd.conf and search every log file in that directory, rotated files included (the default when run as root; needed from cron jobs)
-i, --interpret               Translate numeric values (UIDs, GIDs, syscall numbers) to human-readable names
--checkpoint FILE             Checkpoint the search in FILE so that a later invocation resumes where the previous one stopped
-r, --raw                     Output raw audit log records without field parsing
--format FORMAT               Output format: raw, default, interlaced, csv or text
-h, --help                    Display help message and exit

Examples

Find all audit events tagged with the key 'password_change'

ausearch -k password_change

Search for all command executions of bash, with human-readable output

ausearch -m EXECVE -i | grep /bin/bash

Find all events from user ID 1000 between two dates

ausearch -ui 1000 -ts 01/15/2024 -te 01/16/2024

Show all file open events from process ID 5432

ausearch -p 5432 -sc openat

Export all network connection events to a CSV file with readable output

ausearch -sc connect -i --format csv > network_events.csv

Find failed command execution attempts (execve calls that did not succeed), with human-readable output

ausearch -sc execve -sv no -i

Resume searching for privileged command events from a checkpoint

ausearch -k privileged_commands --checkpoint last_search.checkpoint

Combine filters (an event must match all of them): find all executions of sudo by user ID 0

ausearch -ui 0 -x /usr/bin/sudo -i
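
The description above notes that results can be piped to other tools; the CSV export is the convenient input for that. The following script is an added example, not part of the original page: it reads `ausearch --format csv` output and counts failed command executions per subject, resolving columns by the header names so a different column order still works. The sample CSV and its values are constructed for the example, and the column layout assumed is the default header ausearch prints.

```shell
#!/bin/sh
# Added example: summarise `ausearch --format csv` output.
# Counts failed command executions per subject (user), the kind of
# post-processing a detection engineer does on exported audit events.

# Sample CSV, constructed for this example (not real audit data).
# The header line mirrors the default columns of `ausearch --format csv`.
SAMPLE_CSV='NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
host1,SYSCALL,01/15/2024,10:00:01,1001,audit-rule,3,alice,alice,user,executed,success,/usr/bin/ls,,file,/usr/bin/bash
host1,SYSCALL,01/15/2024,10:00:05,1002,audit-rule,3,alice,alice,user,executed,failed,/usr/sbin/useradd,,file,/usr/bin/bash
host1,SYSCALL,01/15/2024,10:01:12,1003,audit-rule,4,bob,bob,user,executed,failed,/usr/bin/sudo,,file,/usr/bin/bash
host1,SYSCALL,01/15/2024,10:01:13,1004,audit-rule,4,bob,bob,user,executed,failed,/usr/bin/sudo,,file,/usr/bin/bash
host1,SYSCALL,01/15/2024,10:02:00,1005,audit-rule,3,alice,alice,user,opened-file,failed,/etc/shadow,,file,/usr/bin/cat'

# failed_execs_by_subject: read CSV on stdin and print "subject count" for every
# subject whose ACTION is "executed" and RESULT is "failed", most failures first.
# Columns are located by header name, so the column order is not hard-coded.
failed_execs_by_subject() {
    awk -F',' '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # header -> column index
        $col["ACTION"] == "executed" && $col["RESULT"] == "failed" { n[$col["SUBJ_PRIME"]]++ }
        END { for (s in n) printf "%s %d\n", s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# failed_execs_for SUBJECT: the count for one subject from the sample data
# (empty output when the subject had no failed executions).
failed_execs_for() {
    printf '%s\n' "$SAMPLE_CSV" | failed_execs_by_subject | awk -v s="$1" '$1 == s { print $2 }'
}

# Against a live system (as root), e.g. for the last day:
#   ausearch -ts yesterday -sc execve -i --format csv | failed_execs_by_subject
printf '%s\n' "$SAMPLE_CSV" | failed_execs_by_subject
```

Run against real output, the subject column holds user names when `-i` is given and raw UIDs otherwise; the failed open of /etc/shadow in the sample is deliberately ignored because its ACTION is not "executed".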

Related commands