Troubleshoot - by Hostrare
The aureport convenience enables you to create a summary and columnar news on the events listed in Audit log files. By default, all audit.log files in the /var/log/audit/ directory are questioned to create the report. You can specify a different file to run the report against using the report options -if file_name company. But in most cases, logrotate is configured for all the record files due to which the log file gets restored after every natural interval of time and the report created will be only as per the date log file began saving log records.
To make a statement for logged results in the past three days excluding the popular standard day, use the following command:
# aureport --start 04/12/2016 00:00:00 --end 06/12/2016 00:00:00
To create a record of all executable file events, use the next command:
# aureport -x
To generate a summary of the executable file event report above, use the following command:
# aureport -x --summary
To generate a summary report of failed events for all users, use the following command:
# aureport -u --failed --summary -i
To generate a summary report of all failed login attempts per each system user, use the following command:
# aureport --login --summary -i
To generate a report from an ausearch query that searches all file access events for user 500, use the following command:
# ausearch --start today --loginuid 500 --raw | aureport -f --summary
To generate a report of all Audit files that are queried and the time range of events they include, use the following command:
# aureport -t
Example
All the login attempts made to your system are stored in /var/log/secure.
# less /var/log/secure | grep rootSep 18 21:03:37 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)Sep 18 21:05:36 localhost sshd[10297]: Accepted password for root from 192.168.1.58 port 63334 ssh2Sep 18 21:05:36 localhost sshd[10297]: pam_unix(sshd:session): session opened for user root by (uid=0)Sep 18 21:08:26 localhost sshd[10549]: Accepted publickey for root from 192.168.1.58 port 36613 ssh2: RSA 1a:f7:cc:37:91:e2:a1:9a:f7:a5:96:1a:4b:22:15:94Sep 18 21:08:26 localhost sshd[10549]: pam_unix(sshd:session): session opened for user root by (uid=0)Sep 18 21:08:28 localhost sshd[10549]: pam_unix(sshd:session): session closed for user root
To collect authentication report for all the attempts made to your system recently.
# aureport -au -iAuthentication Report============================================# date time acct host term exe success event============================================1. 09/18/2016 21:03:37 root ? tty1 /usr/bin/login yes 362. 09/18/2016 21:05:36 root 192.168.1.59 ssh /usr/sbin/sshd yes 543. 09/18/2016 21:05:36 root 192.168.1.59 ssh /usr/sbin/sshd yes 574. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 855. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 866. 09/18/2016 21:08:26 root 192.168.1.60 ssh /usr/sbin/sshd yes 897. 12/06/2016 23:21:59 root ? tty1 /usr/bin/login yes 368. 12/06/2016 23:24:12 root 192.168.1.60 ? /usr/sbin/sshd yes 539. 12/06/2016 23:24:12 root 192.168.1.60 ? /usr/sbin/sshd yes 5410. 12/06/2016 23:24:12 root 192.168.1.60 ssh /usr/sbin/sshd yes 57
# aureport -au -i --successAuthentication Report============================================# date time acct host term exe success event============================================1. 09/18/2016 21:03:37 root ? tty1 /usr/bin/login yes 362. 09/18/2016 21:05:36 root 192.168.1.45 ssh /usr/sbin/sshd yes 543. 09/18/2016 21:05:36 root 192.168.1.45 ssh /usr/sbin/sshd yes 574. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 855. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 866. 09/18/2016 21:08:26 root 192.168.1.60 ssh /usr/sbin/sshd yes 897. 12/06/2016 23:21:59 root ? tty1 /usr/bin/login yes 36
# aureport -au -i --failedAuthentication Report============================================# date time acct host term exe success event============================================1. 12/06/2016 23:25:10 root 192.168.1.45 ssh /usr/sbin/sshd no 73
# aureport -l --failedLogin Report============================================# date time auid host term exe success event============================================1. 09/18/2016 21:08:15 gopal 192.168.1.60 ssh /usr/sbin/sshd no 792. 12/06/2016 23:25:11 root 192.168.1.45 ssh /usr/sbin/sshd no 803. 12/07/2016 00:04:05 gopal 192.168.1.45 ssh /usr/sbin/sshd no 1564. 12/07/2016 00:33:11 gopal 192.168.1.49 ssh /usr/sbin/sshd no 1675. 12/07/2016 00:39:04 root 192.168.1.43 ssh /usr/sbin/sshd no 179
# aureport -l --successLogin Report============================================# date time auid host term exe success event============================================1. 09/18/2016 21:03:37 -1 ? tty1 /usr/bin/login yes 432. 09/18/2016 21:05:37 -1 192.168.1.45 /dev/pts/0 /usr/sbin/sshd yes 623. 09/18/2016 21:08:26 -1 192.168.1.60 /dev/pts/1 /usr/sbin/sshd yes 944. 12/06/2016 23:21:59 -1 ? tty1 /usr/bin/login yes 43
# aureport -l --success --summary -iSuccess Login Summary Report============================total auid============================14 root7 gopal
our suuport team here for you 24/7
+8801977507015support@hostrare.comsend a leter Whether you are looking for a personal website hosting plan or a business website hosting plan, We are the perfect solution for you. Our powerful website hosting services will not only help you achieve your overall website goals, but will also provide you with the confidence you need in knowing that you are partnered with a reliable and secure website hosting platform.