Analyzing audit logs
From Notes_Wiki
<yambe:breadcrumb self="Analyzing audit logs">Auditd configuration|Auditd configuration</yambe:breadcrumb>
Analyzing audit logs
We can analyze audit logs using 'ausearch' and 'aureport' commands. Few good ways of using these commands are listed here.
Looking at failed events from every one with interpretation
We can use following command to looked at interesting failed events
ausearch -i -sv no | grep -v USER_LOGIN | grep -v USER_ERR | grep -v USER_AUTH | less
Note:
- '-sv no' is used to specify success value where no indicates failure
- Normally ausearch willl not convert date/time, uid, syscall etc. to useful names which can be recognized by humans. Hence use of '-i' in ausearch makes output human readable.
- We have removed bad login attempt related logs. We can look at login details using 'last', 'lastb' or 'lastlog' commands.
Looking at failed events of particular user
If we find some users records to be very interesting we can filter and see only that particular users failed records using:
ausearch -i -sv no -ul <full_username> | less
<yambe:breadcrumb self="Analyzing audit logs">Auditd configuration|Auditd configuration</yambe:breadcrumb>