Analyzing audit logs

From Notes_Wiki
Revision as of 04:18, 10 November 2012 by Saurabh (talk | contribs) (Created page with "=Analyzing audit logs= We can analyze audit logs using '<tt>ausearch</tt>' and '<tt>aureport</tt>' commands. Few good ways of using these commands are listed here. ==Looking...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Analyzing audit logs

We can analyze audit logs using 'ausearch' and 'aureport' commands. Few good ways of using these commands are listed here.

Looking at failed events from every one with interpretation

We can use following command to looked at interesting failed events

ausearch -i -sv no | grep -v USER_LOGIN | grep -v USER_ERR | grep -v USER_AUTH | less

Note:

  • '-sv no' is used to specify success value where no indicates failure
  • Normally ausearch willl not convert date/time, uid, syscall etc. to useful names which can be recognized by humans. Hence use of '-i' in ausearch makes output human readable.
  • We have removed bad login attempt related logs. We can look at login details using 'last', 'lastb' or 'lastlog' commands.


Looking at failed events of particular user

If we find some users records to be very interesting we can filter and see only that particular users failed records using:

ausearch -i -sv no -ul <full_username> | less