Port Igniter
Get Started

Basic Commands for AuditD

An easy to follow guide on how to get the most out of AuditD on your Linux system

May 30, 2026

AuditD - Basic Commands for the standard Auditing Linux Service Daemon

In this snippet we’re going to cover some practical examples of using auditd tools like ausearch, aureport, and related commands, with a focus on isolating keys, extracting fields, time-based queries, and other useful scenarios:

ausearch Examples

Search by Time Range

# Search logs from the last 24 hours
ausearch --start "2023-10-01 00:00:00" --end "2023-10-02 00:00:00"

# Search logs from the last hour using relative time
ausearch --start "now-1hour" --end "now"

Isolate Specific Fields

# Extract only the "user" and "action" fields
ausearch --format="user,action" --start "now-1day"

# Extract specific fields using --list to see available keys
ausearch --list

Filter by User or Action

# Find all events for user "alice"
ausearch --user "alice"

# Find events with action "open"
ausearch --action "open"

Combine with grep or awk

# Search for "chmod" and extract the "user" field
ausearch --raw | grep "chmod" | awk '{print $2}'

# Search for events with "file" in the message
ausearch | grep "file"

Raw JSON Output

# Get raw JSON data for events
ausearch --raw

# Parse JSON with `jq` (requires jq installed)
ausearch --raw | jq '.[] | .user, .action'

aureport Examples

Generate Reports

# Report on users with audit events
aureport --user

# Report on hosts with audit events
aureport --host

# Report on event types (e.g., file access)
aureport --event

Filter by Time Range

# Report events from the last 7 days
aureport --start "2023-10-01" --end "2023-10-08"

# Report events from the last hour
aureport --start "now-1hour" --end "now"

Extract Specific Fields

# Output only the "host" and "user" fields
aureport --format="host,user"

# Output only the "event" field
aureport --format="event"

Combine with grep

# Find events related to "chmod" in the report
aureport | grep "chmod"

Time-Based Queries with ausearch

# Find events between specific timestamps (YYYY-MM-DD HH:MM:SS)
ausearch --start "2023-10-01 12:00:00" --end "2023-10-01 13:00:00"

# Find events from the last 5 minutes
ausearch --start "now-5min" --end "now"

Other Useful Commands

List All Audit Rules

auditctl -l

Check Audit Daemon Status

systemctl status auditd

Monitor Live Audit Events

ausearch --live

Export Logs to a File

ausearch --start "now-1day" > audit_log.txt

Delete Old Logs

# Delete logs older than 7 days
ausearch --start "2023-09-25" --end "now" --delete

Advanced Tips

  • Use --raw with jq for structured JSON parsing:
    ausearch --raw | jq '.[] | .user, .action'
    
  • Combine with audit2allow to generate SELinux policies:
    ausearch -k my_rule | audit2allow
    
  • Use auditctl to Add Rules:
    auditctl -w /etc/passwd -p rwxa
    

Example: Find All File Access Events for a Specific User

ausearch --user "alice" --start "now-1day" --format="host,user,action,msg"

This outputs:

host=example.com user=alice action=open msg=...

Example: Extract All chmod Actions in the Last Hour

ausearch --start "now-1hour" --format="user,action,msg" | grep "chmod"

Example: Generate a CSV Report of All Events*

aureport --format="host,user,action,timestamp" > audit_report.csv

The audit subsystem in Linux (via auditd) logs detailed events in a structured format. Each audit record contains a variety of fields that can be queried using tools like ausearch or aureport. Below is a comprehensive list of key fields available in a single audit record, along with explanations and examples of how to use them.

Core Fields in an Audit Record

These are the primary fields available in a single audit record (from ausearch --raw or aureport):

Field Description Example
audit_serial Unique identifier for the audit record. 123456
time Timestamp of the event (in seconds since epoch). 1696166400
user User ID (UID) of the user associated with the event. 1001
auid Authentication User ID (AUID) for the user. 1001
session Session ID (e.g., for login sessions). 1234
host Hostname of the system. example.com
pid Process ID (PID) of the process that triggered the event. 1234
comm Command name (e.g., bash, ls). bash
exe Full path to the executable (e.g., /bin/bash). /bin/bash
args Command-line arguments (if applicable). "ls -l /tmp"
action Type of action (e.g., open, read, write). open
msg Detailed message (nested structure with additional fields). "msg": {"file": {"path": "/etc/passwd", ...}}

Nested Fields in the msg Object

The msg field contains nested data about the event. Common nested fields include:

Nested Field Description Example
file File-related details (e.g., path, inode, type). "file": {"path": "/etc/passwd", "inode": "12345", "type": "file"}
arch Architecture (e.g., x86_64). "x86_64"
res Result of the operation (e.g., success, failure). "success"
pid Process ID (same as pid field). 1234
auid Authentication User ID (same as auid field). 1001
exe Full path to the executable (same as exe field). /bin/bash
comm Command name (same as comm field). bash
hostname Hostname (same as host field). example.com

Special Fields for Specific Events

Some fields are only present for specific types of events (e.g., file access, system calls):

Field Description Example
inode Inode number of the file. "inode": "12345"
path Full path to the file or resource. "/etc/passwd"
obj_type Type of object (e.g., file, directory, socket). "file"
result Result of the operation (e.g., success, failure). "success"
syscall System call name (e.g., open, read, write). "open"
name Name of the file or resource (without path). "passwd"

4. How to Use These Fields

Using ausearch to Query Specific Fields

# Search for file access events with "open" action
ausearch --action "open" --format="host,user,action,msg"

Using ausearch --list to See All Available Keys

ausearch --list

This lists all available fields (e.g., audit_serial, time, user, auid, session, host, pid, comm, exe, args, action, msg, etc.).

Extracting Nested Fields

# Extract file paths from events
ausearch --raw | jq '.[] | .msg.file.path'

Filtering by Result

# Find failed file write operations
ausearch --result "failure" --format="host,user,action,msg"

Example: Full Audit Record

A raw audit record might look like this (simplified):

{
  "audit_serial": 123456,
  "time": 1696166400,
  "user": 1001,
  "auid": 1001,
  "session": 1234,
  "host": "example.com",
  "pid": 1234,
  "comm": "bash",
  "exe": "/bin/bash",
  "args": "ls -l /tmp",
  "action": "open",
  "msg": {
    "file": {
      "path": "/tmp/testfile",
      "inode": "789012",
      "type": "file"
    },
    "res": "success"
  }
}

Notes

  • Field Availability: Not all fields are present in every event. For example, inode or path may be missing for certain events.
  • Performance: Querying nested fields (e.g., msg.file.path) can be slower than simple fields like user or action.
  • Tools: Use ausearch --raw for raw JSON output or aureport for structured reports.

These examples should help you efficiently query, analyze, and manage audit logs using auditd tools. A good olid AuditD rules file to start from is maintained on Github by Neo23x0. This is a good starting point that covers a lot of the bases out the gate. If you’re in a Dod Environment, be sure to reference requirements listed in the Applicable STIG for your operating system.

Think we might be a good fit for your project?

Let's get the conversation started!

Top