linux audit (9)--generate audit report

The aureport command generates summary reports from the audit logs. By default it reads every log file in the /var/log/audit directory; to report on a different file instead, use aureport options -if file_name.


1. To generate a report for a given time range, use the following command:

~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00

2. To generate a report of all executable file events, use the following command:

~]# aureport -x

The result looks like this:

~]# aureport -x

Executable Report
====================================
# date time exe term host auid event
====================================
1. 04/18/2018 18:33:56 /usr/lib/systemd/systemd ? ? -1 4
2. 04/18/2018 18:34:01 /usr/sbin/crond cron ? -1 5
3. 04/18/2018 18:34:01 /usr/sbin/crond cron ? -1 6
4. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 8
5. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 9
6. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 10
7. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 11
8. 04/18/2018 18:36:01 /usr/sbin/crond cron ? -1 12
9. 04/18/2018 18:36:01 /usr/sbin/crond cron ? -1 13
10. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 15
11. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 16
12. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 17
13. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 18
14. 04/18/2018 18:38:01 /usr/sbin/crond cron ? -1 19
15. 04/18/2018 18:38:01 /usr/sbin/crond cron ? -1 20
16. 04/18/2018 18:38:01 /usr/sbin/crond cron ? 0 22

3. To generate a summary of the executable report above, use the following command:

~]# aureport -x --summary
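The summary above counts events per executable only. The following script is an added example (not part of the original post) that reads the columnar output of aureport -x and breaks the counts down per executable and login UID, so a reviewer can separate activity that ran without a login session (auid -1) from activity in a root session (auid 0). The sample report embedded in SAMPLE_REPORT is a constructed, trimmed copy of the output shown earlier, and exe_summary and count_for are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of the columnar report that `aureport -x` prints
# (a trimmed copy of the report shown above); not live audit data.
SAMPLE_REPORT='Executable Report
====================================
# date time exe term host auid event
====================================
1. 04/18/2018 18:33:56 /usr/lib/systemd/systemd ? ? -1 4
2. 04/18/2018 18:34:01 /usr/sbin/crond cron ? -1 5
3. 04/18/2018 18:34:01 /usr/sbin/crond cron ? -1 6
4. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 8
5. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 9
6. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 10'

# exe_summary (hypothetical helper): read an `aureport -x` report on stdin
# and print "<count> <exe> <auid>" lines, most frequent first. This is the
# per-login-UID breakdown that `aureport -x --summary` does not show: auid -1
# means no login session (daemon or boot-time activity), auid 0 is root.
exe_summary() {
    awk '
        # Only data rows start with an index such as "1. "; the title,
        # separator and column-legend lines are skipped.
        /^[0-9]+\. / { count[$4 " " $7]++ }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# count_for EXE AUID (hypothetical helper): number of events in the sample
# for one executable/login-UID pair, 0 if the pair never appears.
count_for() {
    printf '%s\n' "$SAMPLE_REPORT" | exe_summary |
        awk -v exe="$1" -v auid="$2" '
            $2 == exe && $3 == auid { print $1; found = 1 }
            END { if (!found) print 0 }'
}

# Print the breakdown for the sample report.
printf '%s\n' "$SAMPLE_REPORT" | exe_summary
```

On a live system, replace the embedded sample with the real report by piping aureport -x into exe_summary.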
4. To generate a summary report of failed events for all users, use the following command:

~]# aureport -u --failed --summary -i

5. To generate a summary report of all failed login attempts per system user, use the following command:

~]# aureport --login --summary -i

6. To generate a report from an ausearch query that searches all file access events for user ID 1000, use the following command:

~]# ausearch --start today --loginuid 1000 --raw | aureport -f --summary

7. To generate a report of all Audit files that are queried and the time range of events they include, use the following command:

~]# aureport -t

For a full listing of all aureport options, see the aureport(8) man page.
