How to Search Auditd Logs with ausearch on AlmaLinux

Maintaining the security and compliance of a Linux server is a top priority for system administrators. AlmaLinux, a popular Red Hat Enterprise Linux (RHEL)-based distribution, provides robust tools for auditing system activity. One of the most critical tools in this arsenal is auditd, the Linux Auditing System daemon, which logs system events for analysis and security compliance.

In this article, we’ll focus on ausearch, a command-line utility used to query and parse audit logs generated by auditd. We’ll explore how to effectively search and analyze auditd logs on AlmaLinux to ensure your systems remain secure and compliant.


Understanding auditd and ausearch

What is auditd?

Auditd is a daemon that tracks system events and writes them to the /var/log/audit/audit.log file. These events include user logins, file accesses, process executions, and system calls, all of which are crucial for maintaining a record of activity on your system.

What is ausearch?

Ausearch is a companion tool that lets you query and parse audit logs. Instead of manually combing through raw logs, ausearch simplifies the process by enabling you to filter logs by event types, users, dates, and other criteria.

By leveraging ausearch, you can efficiently pinpoint issues, investigate incidents, and verify compliance with security policies.


Installing and Configuring auditd on AlmaLinux

Before you can use ausearch, ensure that auditd is installed and running on your AlmaLinux system.

Step 1: Install auditd

Auditd is usually pre-installed on AlmaLinux. However, if it isn’t, you can install it using the following command:

sudo dnf install audit

Step 2: Start and Enable auditd

To ensure auditd runs continuously, start and enable the service:

sudo systemctl start auditd
sudo systemctl enable auditd

Step 3: Verify auditd Status

Check the status to ensure it’s running:

sudo systemctl status auditd

Once auditd is running, it will start logging system events in /var/log/audit/audit.log.


Basic ausearch Syntax

The basic syntax for ausearch is:

ausearch [options]

Some of the most commonly used options include:

  • -m: Search by message type (e.g., SYSCALL, USER_LOGIN).
  • -ua: Search by user ID; matches records whose uid, euid, or auid (login UID) equals the given ID.
  • -ts: Search by time, starting from a given date and time.
  • -k: Search by a specific key defined in an audit rule.

Common ausearch Use Cases

Let’s dive into practical examples to understand how ausearch can help you analyze audit logs.

1. Search for All Events

To display all audit logs, run:

ausearch

This command retrieves all events from the audit logs. While useful for a broad overview, it’s better to narrow down your search with filters.


2. Search by Time

To focus on events that occurred within a specific timeframe, use the -ts and -te options.

For example, to search for events from December 1, 2024, at 10:00 AM to December 1, 2024, at 11:00 AM:

ausearch -ts 12/01/2024 10:00:00 -te 12/01/2024 11:00:00

If you only specify -ts, ausearch will retrieve all events from the given time until the present. The date format follows the system locale (month/day/year in en_US, as above); -ts also accepts keywords such as today, yesterday, and recent.


3. Search by User

To investigate actions performed by a specific user, use the -ua option with the user’s ID.

Find the UID of a user with:

id username

Then search the logs:

ausearch -ua 1000

Replace 1000 with the actual UID of the user.


4. Search by Event Type

Audit logs include various event types, such as SYSCALL (system calls) and USER_LOGIN (login events). To search for specific event types, use the -m option.

For example, to find all login events:

ausearch -m USER_LOGIN

5. Search by Key

If you’ve created custom audit rules with keys, you can filter events associated with those keys using the -k option.

Suppose you’ve defined a rule with the key file_access. Search for logs related to it:

ausearch -k file_access

6. Search by Process ID

If you need to trace actions performed by a specific process, use the -p option (long form --pid).

ausearch -p 1234

Replace 1234 with the relevant process ID.


Advanced ausearch Techniques

Combining Filters

You can combine multiple filters to refine your search further. For instance, to find all SYSCALL events for user ID 1000 within a specific timeframe:

ausearch -m SYSCALL -ua 1000 -ts 12/01/2024 10:00:00 -te 12/01/2024 11:00:00
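As an added illustration that is not part of the original article, the following script applies the same four filters as ausearch -m/-ua/-ts/-te/-k to a constructed sample of raw audit.log records. It shows which fields the filters match on and that a match selects the whole event (every record sharing the same serial), which is why a SYSCALL hit brings its PATH record along. The sample records and their values are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of raw /var/log/audit/audit.log records (not a real capture).
# 1733047200 = 2024-12-01 10:00:00 UTC. The two serial-202 records (SYSCALL + PATH)
# form one event: they share the msg=audit(EPOCH.MSEC:SERIAL) header.
sample_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1733047260.101:201): pid=1900 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=203.0.113.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1733047320.455:202): arch=c000003e syscall=257 success=yes exit=3 ppid=2001 pid=2042 auid=1000 uid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="file_access"
type=PATH msg=audit(1733047320.455:202): item=0 name="/etc/hosts" inode=262145 mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1733050900.300:203): pid=1950 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" addr=198.51.100.7 terminal=ssh res=failed'
EOF
}

# filter_audit TYPE UID START END KEY   ("" = no constraint; START/END in epoch seconds)
# Same semantics as: ausearch -m TYPE -ua UID -ts START -te END -k KEY
#   -ua matches uid, euid or auid; a matching record marks its whole event (serial),
#   so the PATH record of a matching SYSCALL is printed too, as ausearch does.
filter_audit() {
    awk -v want_type="$1" -v want_uid="$2" -v start="$3" -v end="$4" -v want_key="$5" '
    {
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        hdr = substr($0, RSTART + 10, RLENGTH - 11)     # e.g. "1733047320.455:202"
        split(hdr, h, ":"); t = h[1] + 0; serial = h[2]
        rec[NR] = $0; ser[NR] = serial
        type = substr($1, 6)                              # strip leading "type="
        split("", ids); key = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(uid|euid|auid)=/) { split($i, kv, "="); ids[kv[2]] = 1 }
            if ($i ~ /^key=/) { key = substr($i, 5); gsub(/"/, "", key) }
        }
        if ((want_type == "" || type == want_type) &&
            (want_uid == "" || (want_uid in ids)) &&
            (start == "" || t >= start) && (end == "" || t <= end) &&
            (want_key == "" || key == want_key))
            hit[serial] = 1
    }
    END { for (n = 1; n <= NR; n++) if (ser[n] in hit) print rec[n] }'
}

# Equivalent of: ausearch -m SYSCALL -ua 1000 -ts 12/01/2024 10:00:00 -te 12/01/2024 11:00:00
sample_log | filter_audit SYSCALL 1000 1733047200 1733050800 ""
```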

Extracting Output

For easier analysis, redirect ausearch output to a file. Adding -i makes ausearch translate numeric fields such as UIDs and syscall numbers into names before writing them:

ausearch -m USER_LOGIN > login_events.txt

Improving Audit Analysis with aureport

In addition to ausearch, consider using aureport, a tool that generates summary reports from audit logs. While ausearch is ideal for detailed queries, aureport provides a higher-level overview.

For example, to generate a summary of user logins:

aureport -l

Best Practices for Using ausearch on AlmaLinux

  1. Define Custom Rules
    Define custom audit rules to focus on critical activities, such as file accesses or privileged user actions. Add these rules to /etc/audit/rules.d/audit.rules and include meaningful keys for easier searching.

  2. Automate Searches
    Use cron jobs or scripts to automate ausearch queries and generate regular reports. This helps ensure timely detection of anomalies.

  3. Rotate Audit Logs
    Audit logs can grow large over time, potentially consuming disk space. Use the auditd log rotation configuration in /etc/audit/auditd.conf to manage log sizes and retention policies.

  4. Secure Audit Logs
    Ensure that audit logs are protected from unauthorized access or tampering. Regularly back them up for compliance and forensic analysis.
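Putting the first two best practices together, here is an added example (not from the original article) of a rule file for the file_access key used earlier and a cron-friendly script that reports new events for that key incrementally. The rules file name under /etc/audit/rules.d, the script name audit-key-report.sh and the checkpoint path are assumptions for illustration; the checkpoint directory must already exist.

```shell
#!/bin/sh
# Watch writes and attribute changes on two sensitive files, tagged file_access.
# augenrules merges every /etc/audit/rules.d/*.rules file and loads the result.
install_file_access_rule() {
    cat > /etc/audit/rules.d/file-access.rules <<'EOF'
-w /etc/passwd -p wa -k file_access
-w /etc/shadow -p wa -k file_access
EOF
    augenrules --load
}

# audit_key_report KEY CHECKPOINT
# Prints "<auid> <event count>" for SYSCALL records tagged KEY that auditd wrote
# since the previous run. --checkpoint makes successive runs incremental, so the
# cron job never re-reports old events. ausearch exits 1 when nothing matched, and
# a cron script must treat that as "no news" rather than as a failure. Exit 1 is
# also used for usage errors, so stderr is left attached for cron to mail.
audit_key_report() {
    key=$1; ckpt=$2; rc=0
    raw=$(ausearch -k "$key" --raw --checkpoint "$ckpt") || rc=$?
    if [ "$rc" -ne 0 ] && [ -z "$raw" ]; then
        echo "no new $key events"
        return 0
    fi
    if [ "$rc" -ne 0 ]; then
        echo "ausearch failed with status $rc" >&2
        return "$rc"
    fi
    # One SYSCALL record per event; count them per login UID (auid).
    printf '%s\n' "$raw" | awk '
        /^type=SYSCALL / {
            for (i = 1; i <= NF; i++) if ($i ~ /^auid=/) count[substr($i, 6)]++
        }
        END { for (u in count) print u, count[u] }' | sort
}

# Example cron entry (assumed script location):
#   0 6 * * * root /usr/local/sbin/audit-key-report.sh >> /var/log/audit-key-report.log
# The report only runs when executed under that name, so the file can be sourced.
case "${0##*/}" in
    audit-key-report.sh) audit_key_report file_access /var/lib/audit-key-report/checkpoint ;;
esac
```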


Conclusion

The combination of auditd and ausearch on AlmaLinux provides system administrators with a powerful toolkit for monitoring and analyzing system activity. By mastering ausearch, you can quickly pinpoint security incidents, troubleshoot issues, and verify compliance with regulatory standards.

Start with basic queries to familiarize yourself with the tool, then gradually adopt more advanced techniques to maximize its potential. With proper implementation and regular analysis, ausearch can be an indispensable part of your system security strategy.