Difference between revisions of "Analyzing audit logs"

From Notes_Wiki

Latest revision as of 16:00, 24 March 2022
We can analyze audit logs using the 'ausearch' and 'aureport' commands. A few good ways of using these commands are listed here.

Looking at failed events from everyone, with interpretation

We can use the following command to look at interesting failed events:

ausearch -i -sv no | grep -v USER_LOGIN | grep -v USER_ERR | grep -v USER_AUTH | less

Note:

  • '-sv no' specifies the success value to match; 'no' selects only events that failed.
  • Normally ausearch will not convert date/time, uid, syscall numbers etc. into names a human can recognize. Using '-i' makes the ausearch output human readable.
  • We have filtered out the records related to bad login attempts (USER_LOGIN, USER_ERR, USER_AUTH). Login details are better viewed with the 'last', 'lastb' or 'lastlog' commands.


Looking at failed events of a particular user

If we find one user's records particularly interesting, we can filter and see only that user's failed records using:

ausearch -i -sv no -ul <full_username> | less
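The two ausearch pipelines above first select every failed record and then narrow the view to one login user. The following Python script is an added example (not from this wiki page) that applies the same filtering to a few constructed raw audit.log records, so the record format and the 'success=no' versus 'res=failed' distinction can be seen without a live auditd; the sample records and the uid-to-name map standing in for the passwd lookup that '-i' performs are assumptions.

```python
import re
from collections import Counter

# Constructed sample records in raw /var/log/audit/audit.log format (not real data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1648108800.123:501): arch=c000003e syscall=2 success=no exit=-13 uid=1000 auid=1000 comm="cat" exe="/bin/cat" key="etc-shadow"
type=USER_AUTH msg=audit(1648108801.456:502): pid=2201 uid=0 auid=1000 msg='op=PAM:authentication acct="bob" exe="/usr/bin/sudo" res=failed'
type=SYSCALL msg=audit(1648108802.789:503): arch=c000003e syscall=2 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/bin/cat" key="etc-shadow"
type=SYSCALL msg=audit(1648108803.000:504): arch=c000003e syscall=87 success=no exit=-1 uid=1001 auid=1001 comm="rm" exe="/bin/rm" key="delete"
type=USER_LOGIN msg=audit(1648108804.000:505): pid=2300 uid=0 auid=1001 msg='op=login acct="carol" exe="/usr/sbin/sshd" res=failed'
"""

# Assumed uid-to-name map, standing in for the passwd lookup that 'ausearch -i' does.
PASSWD = {0: "root", 1000: "bob", 1001: "carol"}

# Record types the wiki command drops with 'grep -v' (login noise, better read with last/lastb).
LOGIN_TYPES = {"USER_LOGIN", "USER_ERR", "USER_AUTH"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of key=value fields, quotes stripped."""
    return {k: v.strip("\"'") for k, v in FIELD_RE.findall(line)}

def is_failure(rec):
    """Mirror '-sv no': SYSCALL records carry success=no, user-space records carry res=failed."""
    return rec.get("success") == "no" or rec.get("res") == "failed"

def failed_events(log, username=None, drop_login_types=True):
    """Return interpreted failed records, like the two ausearch pipelines on this page."""
    out = []
    for line in log.splitlines():
        rec = parse_record(line)
        if not is_failure(rec) or (drop_login_types and rec["type"] in LOGIN_TYPES):
            continue
        # auid is the login uid: '-ul' filters on it and '-i' translates it to a name.
        rec["auid_name"] = PASSWD.get(int(rec["auid"]), rec["auid"])
        if username is None or rec["auid_name"] == username:
            out.append(rec)
    return out

def summarize(records):
    """Count failed events per (user, type, audit key) to see who keeps hitting which rule."""
    return Counter((r["auid_name"], r["type"], r.get("key", "-")) for r in records)

if __name__ == "__main__":
    for (user, rtype, key), n in summarize(failed_events(SAMPLE_LOG)).items():
        print(f"{user:8} {rtype:10} key={key:12} failures={n}")
```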
