Mar 28, 2018

Understanding Linux Audit Log Files

By default, the audit system logs audit messages to the /var/log/audit/audit.log file. Audit log files carry a lot of useful information.

If auditd is not running for whatever reason, audit messages will be sent to rsyslog.

If you want to generate a summary report on all command executions on the server, run:
  • sudo aureport -x --summary

The following command will give you the statistics of all failed events:
  • sudo aureport --failed

Search for all events (if any) touching the file /etc/ssh/sshd_config and interpret them:
  • sudo ausearch -f /etc/ssh/sshd_config -i
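To show what ausearch -f is doing under the hood, here is an added Python example (not part of the original post or of the audit tools) that parses raw /var/log/audit/audit.log records, groups them into events by their audit(timestamp:serial) id, and reports the events whose PATH record names a given file; the log lines are constructed sample data, and the hex-encoded name in the last event is constructed to exercise the decoder for the unquoted hex form the audit daemon uses for strings containing special characters.

```python
import re
from collections import defaultdict

# Constructed sample log (not from a real host): three events, two of which
# touch /etc/ssh/sshd_config (one succeeds, one is denied), one reads /etc/hostname.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1522248125.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="sshd_config"
type=CWD msg=audit(1522248125.123:456): cwd="/root"
type=PATH msg=audit(1522248125.123:456): item=0 name="/etc/ssh/sshd_config" inode=131587 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1522248130.001:457): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1522248130.001:457): item=0 name="/etc/hostname" inode=131000 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1522248140.500:458): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=PATH msg=audit(1522248140.500:458): item=0 name=2F6574632F7373682F737368645F636F6E666967 inode=131587 mode=0100600 ouid=0 ogid=0
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Only these fields are strings; numeric fields such as inode must never be hex-decoded.
STRING_FIELDS = {"name", "comm", "exe", "cwd", "key", "proctitle"}

def decode_value(raw):
    """Strip quotes, or decode the unquoted hex form audit uses for strings with special characters."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw  # e.g. key=(null)

def parse_record(line):
    """Parse one audit.log line into a dict; the event id ties records of one syscall together."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {"type": rtype, "event_id": f"{ts}:{serial}"}
    for key, raw in FIELD_RE.findall(body):
        fields[key] = decode_value(raw) if key in STRING_FIELDS else raw
    return fields

def events_touching(text, path):
    """Equivalent of `ausearch -f PATH`: events with a PATH record naming the file, summarised."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].append(rec)
    hits = []
    for event_id, records in events.items():
        if not any(r["type"] == "PATH" and r.get("name") == path for r in records):
            continue
        sc = next((r for r in records if r["type"] == "SYSCALL"), {})
        hits.append({"event_id": event_id, "auid": sc.get("auid"), "comm": sc.get("comm"),
                     "exe": sc.get("exe"), "success": sc.get("success") == "yes"})
    return hits
```

The auid field is the login uid that survives sudo, which is why it is the value worth reporting when asking who touched the file; the failed event (success=no) is the kind of entry aureport --failed would count.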