Analyzing audit logs

From Notes_Wiki

Home > CentOS > CentOS 6.x > Security tools > auditd configuration > Analyzing audit logs

We can analyze audit logs using 'ausearch' and 'aureport' commands. Few good ways of using these commands are listed here.

Looking at failed events from every one with interpretation

We can use following command to looked at interesting failed events 

ausearch -i -sv no | grep -v USER_LOGIN | grep -v USER_ERR | grep -v USER_AUTH | less

Note:

  • '-sv no' is used to specify success value where no indicates failure
  • Normally ausearch willl not convert date/time, uid, syscall etc. to useful names which can be recognized by humans. Hence use of '-i' in ausearch makes output human readable.
  • We have removed bad login attempt related logs. We can look at login details using 'last', 'lastb' or 'lastlog' commands.


Looking at failed events of particular user

If we find some users records to be very interesting we can filter and see only that particular users failed records using: 

ausearch -i -sv no -ul <full_username> | less



Home > CentOS > CentOS 6.x > Security tools > auditd configuration > Analyzing audit logs

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Analyzing_audit_logs&oldid=5518"