How to Create Reports from Audit Logs Using ‘aureport’ on CentOS/RHEL

This article is part of our ongoing series on Linux Auditing. In our last two articles, we explained how to install and audit Linux systems (CentOS and RHEL) and how to query logs using the ausearch utility.

In this third part, we will explain how to generate reports from audit log files using the aureport utility in CentOS and RHEL based Linux distributions.

What is aureport?

aureport is a command line utility used for creating useful summary reports from the audit log files stored in /var/log/audit/. Like ausearch, it also accepts raw log data from stdin.

It is an easy-to-use utility; simply pass an option for a specific kind of report that you need, as shown in the examples below.

Create Report Concerning Audit Rule Keys

The aureport command produces a report about all keys you specified in audit rules when run with the -k flag.

# aureport -k 
You can have numeric entities interpreted as text (for example, converting a UID to an account name) using the -i option.

# aureport -k -i

Create Report About Attempted Authentications

If you need a report about all events relating to attempted authentications for all users, use the -au option.

# aureport -au 
OR
# aureport -au -i
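
One way to post-process the authentication report described above, as an added example that is not from the original article: it counts failed authentications per account and host and lists those at or above a threshold. The row layout is assumed from the report's header line (# date time acct host term exe success event); the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize failed authentications from `aureport -au -i`.
# Assumed row layout, taken from the report's header line:
#   N. date time acct host term exe success event

# Usage: aureport -au -i -ts today | failed_auth_summary [threshold]
# Prints "count<TAB>acct<TAB>host" for pairs with >= threshold failures.
failed_auth_summary() {
    awk -v min="${1:-3}" '
        # Keep only numbered data rows; skip the title, header and rulers.
        NF < 9 || $1 !~ /^[0-9]+\.$/ { next }
        # Index host and success from the end of the row, so an account
        # name containing a space does not shift them.
        $(NF-1) == "no" {
            acct = $4
            for (i = 5; i <= NF - 5; i++) acct = acct " " $i
            fails[acct "\t" $(NF-4)]++
        }
        END {
            for (k in fails)
                if (fails[k] >= min) print fails[k] "\t" k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample report (not real log data).
sample_report() {
    cat <<'EOF'
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/19/2017 15:20:11 root 192.0.2.10 ssh /usr/sbin/sshd no 412
2. 09/19/2017 15:20:14 root 192.0.2.10 ssh /usr/sbin/sshd no 413
3. 09/19/2017 15:20:19 root 192.0.2.10 ssh /usr/sbin/sshd no 414
4. 09/19/2017 15:21:02 tecmint 192.0.2.25 ssh /usr/sbin/sshd yes 420
5. 09/19/2017 15:22:40 (invalid user) 192.0.2.77 ssh /usr/sbin/sshd no 431
6. 09/19/2017 15:22:44 (invalid user) 192.0.2.77 ssh /usr/sbin/sshd no 432
7. 09/19/2017 15:30:05 tecmint ? /dev/tty1 /usr/bin/login no 450
EOF
}

# Demo on the constructed sample, threshold of 2 failures.
sample_report | failed_auth_summary 2
```
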

Produce Report Concerning Logins

The -l option tells aureport to generate a report of all logins.

Report Failed Events on the System

The following command shows how to report all failed events.

# aureport --failed

Generate Summary Report for a Given Time Period

It is also possible to generate reports for a specified period of time; the -ts option defines the start date/time and -te sets an end date/time. You can also use words like now, recent, today, yesterday, this-week, week-ago, this-month, this-year instead of actual time formats.

# aureport -ts 09/19/2017 15:20:00 -te now --summary -i 
OR
# aureport -ts yesterday -te now --summary -i 

Produce Report From a Different Audit Log File

If you want to create a report from a file other than the default log files in the /var/log/audit directory, use the -if flag to specify the file.

This command reports all logins recorded in /var/log/tecmint/hosts/node1.log.

# aureport -l -if /var/log/tecmint/hosts/node1.log 

You can find all options and more information in the aureport man page.

# man aureport

In this tutorial, we showed how to generate summary reports from audit log files in RHEL/CentOS/Fedora.

Next, we’ll show how to audit a specific process using the ‘autrace’ utility.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.