Linux command
ausearch command
Security
This command has a significant effect on privileges or the system; verify the target before running it.
Common examples
Example: search for SELinux AVC (access vector cache) denial messages
sudo ausearch -m avc
Example: search for events generated by the httpd process
sudo ausearch -c httpd
Example: search for events belonging to user ID 1000
sudo ausearch -ui 1000
Example: search for recent events only
sudo ausearch -ts recent
Example: search for failed user logins
sudo ausearch -m user_login -sv no
Example: search for events related to a specific file
sudo ausearch -f path/to/file
Example: print AVC records in raw format for further processing
sudo ausearch -m avc --raw
Description
ausearch queries the Linux audit log for events. It can search by message type, user, process, file, time range, and other criteria, making it essential for security analysis and incident investigation.
Parameters
- -m, --message _type_: Search for specific message types (avc, user_login, etc.)
- -c, --comm _name_: Search by command/executable name
- -ui, --uid _uid_: Search by user ID
- -f, --file _path_: Search for events related to a specific file
- -ts, --start _time_: Start time for the search (recent, today, or a timestamp)
- -te, --end _time_: End time for the search
- -sv, --success _yes|no_: Filter by success or failure
- --raw: Output in raw format for further processing
- -i, --interpret: Interpret numeric values (UIDs, syscalls, etc.)
- -k, --key _key_: Search for events matching the specified audit key
- -p, --pid _pid_: Search by process ID
- -sc, --syscall _syscall_: Search by system call name or number
- -x, --executable _path_: Search for events matching the executable path
- --input-logs: Read from specific audit log files
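As an added example that is not part of the original page, the POSIX shell script below post-processes raw records of the kind `sudo ausearch -m avc --raw` emits: it aggregates denials by command, requested permission, target context and object class, and reports the time span the records cover. The audit records are constructed samples, and the function names avc_summary and avc_time_range are my own.

```shell
#!/bin/sh
# Constructed sample in the raw audit record format (no real host data).
SAMPLE_RAW=$(cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="sda1" ino=790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.000:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=USER_LOGIN msg=audit(1700000002.000:459): pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
EOF
)

# Read raw audit records on stdin and print one line per distinct denial:
# "<count> <comm> { <perms> } <tcontext> <tclass>", most frequent first.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perms = $0                                  # permission set sits between "{ " and " }"
            sub(/.*\{ /, "", perms); sub(/ \}.*/, "", perms)
            comm = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
                else if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
                else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            count[comm " { " perms " } " tctx " " tclass]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Print the earliest and latest epoch second found in msg=audit(EPOCH.MS:SERIAL) stamps.
avc_time_range() {
    awk '
        match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/) {
            ts = substr($0, RSTART + 10, RLENGTH - 11)  # "epoch.ms:serial"
            sub(/\..*/, "", ts)                         # keep whole seconds
            t = ts + 0
            if (first == "" || t < first) first = t
            if (t > last) last = t
        }
        END { if (first != "") print first, last }
    '
}

# Demo when run directly: summarize the constructed sample.
printf '%s\n' "$SAMPLE_RAW" | avc_summary
printf '%s\n' "$SAMPLE_RAW" | avc_time_range
```

On a real system, replace the sample with `sudo ausearch -m avc --raw | avc_summary` to see which command and target context account for most denials before deciding on a policy fix.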
FAQ
What is the ausearch command used for?
ausearch queries the Linux audit log for events. It can search by message type, user, process, file, time range, and other criteria, making it essential for security analysis and incident investigation.
How do I run a basic ausearch example?
Run `sudo ausearch -m avc` in a terminal, then adjust the message type, file paths, user IDs, or other flags for your system.
What does -m, --message _type_ do in ausearch?
Search for specific message types (avc, user_login, etc.)