aureport



AUREPORT:(8)            System Administration Utilities           AUREPORT:(8)




NAME

       aureport - a tool that produces summary reports of audit daemon logs


SYNOPSIS

       aureport [ options ]


DESCRIPTION

       aureport is a tool that produces summary reports of the audit system
       logs. The reports have a column label at the top to help with
       interpretation of the various fields. Except for the main summary
       report (-r), all reports have the audit event number. You can
       subsequently look up the full event with ausearch -a <event number>.
       You may need to specify start and stop times if you get multiple
       hits. The reports produced by aureport can be used as building blocks
       for more complicated analysis.
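
       The report-then-lookup workflow described above, as an added example
       that is not part of the original man page. The report rows are
       constructed sample data, and the column layout (date, time, host and
       event columns lining up with the label row) is an assumption to check
       against the label row on your own system.

```shell
#!/bin/sh
# Constructed sample shaped like `aureport -l --failed` output (not real log data).
# Assumption: each numbered row lines up, field for field, with the "#" label row.
sample_report() {
cat <<'EOF'
Login Report
============================================
# date time auid host term exe success event
============================================
1. 10/24/05 18:00:03 1000 192.0.2.10 ssh /usr/sbin/sshd no 4101
2. 10/24/05 18:00:09 1000 192.0.2.10 ssh /usr/sbin/sshd no 4107
3. 10/24/05 18:02:41 1001 198.51.100.7 ssh /usr/sbin/sshd no 4133
EOF
}

# Turn each report row into an ausearch lookup. The row's own timestamp is
# passed as both start and stop time, so a reused event number still gives
# one hit. Columns are located by name from the label row, not by position.
event_lookups() {
    awk '
        /^# / { ncol = NF; for (i = 1; i <= NF; i++) col[$i] = i; next }
        /^[0-9]+\. / {
            # A row with a different field count cannot be trusted; skip it.
            if (!ncol || NF != ncol) { skipped++; next }
            when = $(col["date"]) " " $(col["time"])
            printf "ausearch -a %s -ts %s -te %s\n", $(col["event"]), when, when
        }
        END { if (skipped) print "skipped " skipped " unaligned row(s)" > "/dev/stderr" }
    '
}

# Count report rows per source host, busiest host first.
failures_by_host() {
    awk '
        /^# / { ncol = NF; for (i = 1; i <= NF; i++) col[$i] = i; next }
        /^[0-9]+\. / { if (ncol && NF == ncol) n[$(col["host"])]++ }
        END { for (h in n) print n[h], h }
    ' | sort -rn
}

# Live use (needs read access to the audit logs):
#   aureport -l --failed -ts 10/24/05 18:00:00 | event_lookups
sample_report | failures_by_host
sample_report | event_lookups
```

       Reports produced with -i can contain names with spaces, which breaks
       the field alignment this relies on; such rows are skipped and counted
       on stderr.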



OPTIONS

       -a     Report about avc messages

       -c     Report about config changes

       -e     Report about events

       -f     Report about files

       --failed
              Only select failed events for processing  in  the  reports.  The
              default is both success and failed events.

       -h     Report about hosts

       -i     Interpret  numeric  entities into text. For example, uid is con-
              verted to account name. The conversion is done using the current
              resources  of  the machine where the search is being run. If you
              have renamed the accounts, or don’t have the  same  accounts  on
              your machine, you could get misleading results.

       -if <file name>
              Use  the given file instead of the logs. This is to aid analysis
              where the logs have been moved to another machine or  only  part
              of a log was saved.

       -l     Report about logins

       -m     Report about account modifications

       -p     Report about processes

       -r     This option will output the main summary report.

       -s     Report about syscalls

       --success
              Only select successful events for processing in the reports. The
              default is both success and failed events.

       --summary
              Run the summary report that gives a total of the elements of the
              main report. Not all reports have a summary.

       -t     This  option will output a report of the start and end times for
              each log.

       -te [end date] [end time]
              Search for events with time stamps equal to or before the  given
              end  time. The format of end time depends on your locale. If the
              date is omitted, today is assumed. If the time is  omitted,  now
              is assumed. Use 24 hour clock time rather than AM or PM to spec-
              ify time. An example date is 10/24/05. An  example  of  time  is
              18:00:00.

       -tm    Report about terminals

       -ts [start date] [start time]
              Search  for  events with time stamps equal to or after the given
              start time. The format of start time depends on your locale. If the
              date  is omitted, today is assumed. If the time is omitted, mid-
              night is assumed. Use 24 hour clock time rather than AM or PM to
              specify time. An example date is 10/24/05. An example of time is
              18:00:00.

       -u     Report about users

       -v     Print the version and exit

       -w     Report about watched files

       -x     Report about executables


SEE ALSO

       ausearch(8), auditd(8)



Red Hat                            Nov 2005                       AUREPORT:(8)
