How to do it...

In this section, we will see how to use the ausearch and aureport tools to read the log files of the auditd daemon and create reports from them:

  1. The default location of the auditd logs is /var/log/audit/audit.log. If we view the content of this file, we get an output as shown here:

As we can see in this output, the log contains a lot of data, and it is difficult to find specific information in this file just by viewing its content.

  2. Hence, we will use ausearch to search through the logs in a more powerful and efficient way. First, we check the help page of the tool to understand the options that can be used:

  3. Suppose we want to check the logs related to a particular running process; we can do this by using the -p flag and passing the process ID to the ausearch command, as shown here:

As we can see in this output, the information is now displayed only for that particular process ID.

  4. If we want to check failed login attempts for a user account, we can do so by running the following command:

  5. To find the user activity of any particular user account, we can run the following command:

In the preceding command, pentest is the username we want to query for.

  6. We can also use ausearch to query for the actions performed by any user in a given period of time. In the following command, we use -ts for the start date/time and -te for the end date/time:

  7. If we want to create a report based on the audit rule keys added by the auditd daemon, we can use the following command, using the -k flag:

  8. If we want to convert numeric entities into text (such as a UID into an account name) in the report created by the preceding command, we can add the -i flag, as shown here:

  9. To create a report of events related to user authentication, we can use the following command:

  10. To create a report of all logins, we use the -l flag, as shown here:

  11. If we want to see a report of failed login events, we can use the following command:

  12. Similar to ausearch, we can use aureport to create a report for a specific period of time, as shown here:
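The queries in this recipe (filter by process ID, by user, by rule key, by time window, numeric-to-name resolution with -i, and the failed-login and authentication reports) are all operations over the key=value records in audit.log. The following Python script is an added example, not code from the book or from the audit package: it parses a constructed sample of audit.log offline and reimplements those same filters and summaries, which is useful when reviewing a log exported from another host where ausearch and aureport are not available. The sample log lines, the UID-to-name table (PASSWD) and all function names are constructed for the example; on a live system, ausearch and aureport remain the tools to use.

```python
"""Offline parsing of auditd's audit.log, mirroring the ausearch/aureport
queries used in this recipe: filter by pid/auid/key/time window, numeric-to-name
resolution (like -i) and failed-login / authentication summaries.
All sample data below is constructed for the example, not captured from a host."""
import re
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log (times are 2021-03-31 UTC).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1617184332.451:1025): pid=2210 uid=0 auid=1001 ses=5 msg='op=login acct="pentest" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1617184340.102:1026): pid=2214 uid=0 auid=1001 ses=5 msg='op=login acct="pentest" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1617184350.778:1027): pid=2220 uid=0 auid=1001 ses=6 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1617188000.010:1100): pid=2230 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=failed'
type=SYSCALL msg=audit(1617190000.500:1150): arch=c000003e syscall=257 success=yes exit=3 pid=2305 auid=1001 uid=1001 gid=1001 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=USER_LOGIN msg=audit(1617190100.000:1160): pid=2400 uid=0 auid=1002 ses=7 msg='op=login acct="analyst" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
"""

# Constructed subset of /etc/passwd used for -i style resolution.
PASSWD = {0: "root", 1001: "pentest", 1002: "analyst"}
UNSET_ID = 4294967295  # auid of a process that never went through a login (-1 unsigned)

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
NESTED = re.compile(r"msg='([^']*)'")


def parse_line(line):
    """Turn one audit.log record into a dict; return None for unparseable lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    nested = NESTED.search(body)          # user-space records nest fields in msg='...'
    if nested:
        body = body[:nested.start()] + nested.group(1) + body[nested.end():]
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {**fields, "type": rtype, "serial": int(serial),
            "time": int(secs) + int(millis) / 1000}


def load_events(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def epoch(stamp):
    """'YYYY-MM-DD HH:MM:SS' -> epoch seconds (UTC here, so results are deterministic)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def search(events, pid=None, auid=None, key=None, types=None, start=None, end=None, failed=None):
    """Mirror ausearch -p / -ua / -k / -m / -ts / -te and a res=failed filter."""
    out = []
    for ev in events:
        if pid is not None and ev.get("pid") != str(pid):
            continue
        if auid is not None and ev.get("auid") != str(auid):
            continue
        if key is not None and ev.get("key") != key:
            continue
        if types is not None and ev["type"] not in types:
            continue
        if start is not None and ev["time"] < epoch(start):
            continue
        if end is not None and ev["time"] > epoch(end):
            continue
        if failed is not None and (ev.get("res") == "failed") != failed:
            continue
        out.append(ev)
    return out


def interpret(ev, passwd=PASSWD):
    """Mirror the -i flag: replace numeric uid/auid with account names."""
    out = dict(ev)
    for f in ("uid", "auid"):
        if f in out:
            n = int(out[f])
            out[f] = "unset" if n == UNSET_ID else passwd.get(n, str(n))
    return out


def failed_login_report(events, passwd=PASSWD):
    """Mirror `aureport -l --failed`: failed USER_LOGIN records counted per account."""
    counts = {}
    for ev in search(events, types={"USER_LOGIN"}, failed=True):
        acct = ev.get("acct") or interpret(ev, passwd)["auid"]
        counts[acct] = counts.get(acct, 0) + 1
    return counts


def auth_report(events, passwd=PASSWD):
    """Mirror `aureport -au`: one row per authentication/login attempt."""
    rows = []
    for ev in search(events, types={"USER_AUTH", "USER_LOGIN"}):
        ev = interpret(ev, passwd)
        rows.append((ev["serial"], ev.get("acct") or ev["auid"], ev.get("addr", "?"),
                     ev.get("terminal", "?"), ev.get("exe", "?"), ev.get("res", "?")))
    return rows


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("events for pid 2220:", [e["serial"] for e in search(events, pid=2220)])
    print("events for auid 1001 between 09:00 and 10:00:",
          [e["serial"] for e in search(events, auid=1001, start="2021-03-31 09:00:00",
                                       end="2021-03-31 10:00:00")])
    print("rule key passwd_changes:", [e["comm"] for e in search(events, key="passwd_changes")])
    print("failed logins per account:", failed_login_report(events))
    for row in auth_report(events):
        print("auth:", row)
```

The time-window filter is evaluated in UTC so the example is reproducible; the real ausearch -ts/-te options interpret the date and time in the host's local timezone, which is worth remembering when correlating exported logs across hosts.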