Difference between revisions of "Analyzing audit logs"

From Notes_Wiki
m
m
Line 1: Line 1:
<yambe:breadcrumb self="Analyzing audit logs">auditd configuration|auditd configuration</yambe:breadcrumb>
<yambe:breadcrumb self="Analyzing audit logs">auditd configuration|auditd configuration</yambe:breadcrumb>
=Analyzing audit logs=
=Analyzing audit logs=


Line 23: Line 24:
ausearch -i -sv no -ul <full_username> | less
ausearch -i -sv no -ul <full_username> | less
</pre>
</pre>




<yambe:breadcrumb self="Analyzing audit logs">auditd configuration|auditd configuration</yambe:breadcrumb>
<yambe:breadcrumb self="Analyzing audit logs">auditd configuration|auditd configuration</yambe:breadcrumb>

Revision as of 07:38, 22 January 2019

<yambe:breadcrumb self="Analyzing audit logs">auditd configuration|auditd configuration</yambe:breadcrumb>

Analyzing audit logs

We can analyze audit logs using 'ausearch' and 'aureport' commands. Few good ways of using these commands are listed here.

Looking at failed events from every one with interpretation

We can use following command to looked at interesting failed events

ausearch -i -sv no | grep -v USER_LOGIN | grep -v USER_ERR | grep -v USER_AUTH | less

Note:

  • '-sv no' is used to specify success value where no indicates failure
  • Normally ausearch willl not convert date/time, uid, syscall etc. to useful names which can be recognized by humans. Hence use of '-i' in ausearch makes output human readable.
  • We have removed bad login attempt related logs. We can look at login details using 'last', 'lastb' or 'lastlog' commands.


Looking at failed events of particular user

If we find some users records to be very interesting we can filter and see only that particular users failed records using:

ausearch -i -sv no -ul <full_username> | less


<yambe:breadcrumb self="Analyzing audit logs">auditd configuration|auditd configuration</yambe:breadcrumb>