1 | | -.TH AUSEARCH "8" "July 2023" "Red Hat" "System Administration Utilities" |
| 1 | +.TH AUSEARCH "8" "March 2026" "Red Hat" "System Administration Utilities" |
2 | 2 | .SH NAME |
3 | 3 | ausearch \- a tool to query audit daemon logs |
4 | 4 | .SH SYNOPSIS |
5 | 5 | .B ausearch |
6 | 6 | .RI [ options ] |
7 | 7 | .SH DESCRIPTION |
8 | | -\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given. An exception is the \fB\-m\fP and \fB\-n\fP options; multiple record types and nodes are allowed in a search which will return any matching node and record. |
| 8 | +\fBausearch\fP is a tool that can query the audit daemon logs for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given. An exception is the \fB\-m\fP and \fB\-n\fP options; multiple record types and nodes are allowed in a search which will return any matching node and record. |
9 | 9 |
|
10 | 10 | It should also be noted that each syscall excursion from user space into the kernel and back into user space has one event ID that is unique. Any auditable event that is triggered during this trip share this ID so that they may be correlated. |
11 | 11 |
|
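Review bot: the typo fix on line 8 is right, but the adjacent context line 10 still reads "Any auditable event that is triggered during this trip share this ID", which should be "shares this ID", and line 8's "An exception is the \fB\-m\fP and \fB\-n\fP options" should be "Exceptions are the ... options"; since this commit already edits DESCRIPTION, fold both into it.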
@@ -112,7 +112,7 @@ Flush output on every line. Most useful when stdout is connected to a pipe and t |
112 | 112 | .BR \-m ,\ \-\-message \ \fImessage-type\fP\ |\ \fIcomma-sep-message-type-list\fP |
113 | 113 | Search for an event matching the given \fImessage type\fP. (Message types are also known as record types.) You may also enter a \fIcomma separated list of message types\fP or multiple individual message types each with its own \fI-m\fP option. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list. |
114 | 114 | .TP |
115 | | -.BR \-n ,\ \-\-node |
| 115 | +.BR \-n ,\ \-\-node \ \fInode-name\fP |
116 | 116 | Search for events originating from a specific machine. Multiple nodes are allowed, and if any nodes match, the event is matched. This search uses the node field in audit events. Also see the \-\-host command which search for events related to host information in the audit trail. |
117 | 117 | .TP |
118 | 118 | .BR \-o ,\ \-\-object \ \fISE-Linux-context-string\fP |
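Review bot: the new argument name on line 115 should say whether -n takes a single node-name or, like -m on line 112, also a comma-separated list; the description on line 116 says "Multiple nodes are allowed" without saying which form is meant. If only repeated -n options are accepted, state that in the description; if a list is accepted, mirror the -m line: `.BR \-n ,\ \-\-node \ \fInode-name\fP\ |\ \fIcomma-sep-node-list\fP`. Line 116 also has "the \-\-host command which search for events", which should read "the \-\-host option, which searches for events".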
@@ -174,7 +174,8 @@ You may also use the word: \fBnow\fP, \fBrecent\fP, \fBthis-hour\fP, \fBboot\fP, |
174 | 174 | .na |
175 | 175 | ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i |
176 | 176 | _au_status=$? |
177 | | -if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12 |
| 177 | +if test ${_au_status} -eq 10 -o ${_au_status} -eq 11 \ |
| 178 | + -o ${_au_status} -eq 12 |
178 | 179 | then |
179 | 180 | ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i |
180 | 181 | fi |
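Review bot: the trailing backslash on the new line 177 will not render as written: in roff source a backslash followed by a newline is the line-continuation escape, so groff joins lines 177 and 178 and the reader sees one long `if test` line with no backslash. Write `\\` (or `\e`) at the end of line 177 so a literal backslash is printed. The `-eq` fix itself is correct; the old bare `eq` made test fail with "binary operator expected". Two smaller points on the same block: `-o` inside test is marked obsolescent by POSIX, so `[ "$_au_status" -eq 10 ] || [ "$_au_status" -eq 11 ] || [ "$_au_status" -eq 12 ]` or a `case` statement is the more portable form, and `--checkpoint` / `--start` on context lines 175 and 180 should be written `\-\-checkpoint` and `\-\-start` to match the option lines elsewhere in the page, since plain `--` may be rendered as a typographic dash.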