Troubleshoot - by Hostrare
The aureport utility enables you to create a summary and columnar records on the events listed in Audit log files. By default, all audit.log files in the /var/log/audit/ register are queried to create the report. You can define a separate file to run the report against using the aureport options -if file_name command. But in most cases, logrotate is configured for all the log records due to which the log file gets replaced after every fixed period and the report produced will be only as per the date log data began collecting log records.
To create a report for logged issues in the past three days excluding the popular original day, use the following rule:
# aureport --start 04/12/2016 00:00:00 --end 06/12/2016 00:00:00
To create a summary of the executable file event report above, use the following command:
# aureport -x
To generate a summary of the executable file event report above, use the following command:
# aureport -x --summary
To create a summary report of missed events for all users, use the following command:
# aureport -u --failed --summary -i
To create a summary report of all failed login attempts per specific system user, use the following command:
# aureport --login --summary -i
To generate a report from an ausearch query that searches all file access events for user 500, use the following command:
# ausearch --start today --loginuid 500 --raw | aureport -f --summary
To create a report of all Audit records that are questioned and the time limit of cases they involve, use the following command:
# aureport -t
Example
All the login attempts made to your system are stored in /var/log/secure.
# less /var/log/secure | grep root Sep 18 21:03:37 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0) Sep 18 21:05:36 localhost sshd[10297]: Accepted password for root from 192.168.1.58 port 63334 ssh2 Sep 18 21:05:36 localhost sshd[10297]: pam_unix(sshd:session): session opened for user root by (uid=0) Sep 18 21:08:26 localhost sshd[10549]: Accepted publickey for root from 192.168.1.58 port 36613 ssh2: RSA 1a:f7:cc:37:91:e2:a1:9a:f7:a5:96:1a:4b:22:15:94 Sep 18 21:08:26 localhost sshd[10549]: pam_unix(sshd:session): session opened for user root by (uid=0) Sep 18 21:08:28 localhost sshd[10549]: pam_unix(sshd:session): session closed for user root
To collect authentication report for all the attempts made to your system recently.
# aureport -au -i Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 09/18/2016 21:03:37 root ? tty1 /usr/bin/login yes 36 2. 09/18/2016 21:05:36 root 192.168.1.59 ssh /usr/sbin/sshd yes 54 3. 09/18/2016 21:05:36 root 192.168.1.59 ssh /usr/sbin/sshd yes 57 4. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 85 5. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 86 6. 09/18/2016 21:08:26 root 192.168.1.60 ssh /usr/sbin/sshd yes 89 7. 12/06/2016 23:21:59 root ? tty1 /usr/bin/login yes 36 8. 12/06/2016 23:24:12 root 192.168.1.60 ? /usr/sbin/sshd yes 53 9. 12/06/2016 23:24:12 root 192.168.1.60 ? /usr/sbin/sshd yes 54 10. 12/06/2016 23:24:12 root 192.168.1.60 ssh /usr/sbin/sshd yes 57
# aureport -au -i --success Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 09/18/2016 21:03:37 root ? tty1 /usr/bin/login yes 36 2. 09/18/2016 21:05:36 root 192.168.1.45 ssh /usr/sbin/sshd yes 54 3. 09/18/2016 21:05:36 root 192.168.1.45 ssh /usr/sbin/sshd yes 57 4. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 85 5. 09/18/2016 21:08:26 root 192.168.1.60 ? /usr/sbin/sshd yes 86 6. 09/18/2016 21:08:26 root 192.168.1.60 ssh /usr/sbin/sshd yes 89 7. 12/06/2016 23:21:59 root ? tty1 /usr/bin/login yes 36
# aureport -au -i --failed Authentication Report ============================================ # date time acct host term exe success event ============================================ 1. 12/06/2016 23:25:10 root 192.168.1.45 ssh /usr/sbin/sshd no 73
# aureport -l --failed Login Report ============================================ # date time auid host term exe success event ============================================ 1. 09/18/2016 21:08:15 gopal 192.168.1.60 ssh /usr/sbin/sshd no 79 2. 12/06/2016 23:25:11 root 192.168.1.45 ssh /usr/sbin/sshd no 80 3. 12/07/2016 00:04:05 gopal 192.168.1.45 ssh /usr/sbin/sshd no 156 4. 12/07/2016 00:33:11 gopal 192.168.1.49 ssh /usr/sbin/sshd no 167 5. 12/07/2016 00:39:04 root 192.168.1.43 ssh /usr/sbin/sshd no 179
# aureport -l --success Login Report ============================================ # date time auid host term exe success event ============================================ 1. 09/18/2016 21:03:37 -1 ? tty1 /usr/bin/login yes 43 2. 09/18/2016 21:05:37 -1 192.168.1.45 /dev/pts/0 /usr/sbin/sshd yes 62 3. 09/18/2016 21:08:26 -1 192.168.1.60 /dev/pts/1 /usr/sbin/sshd yes 94 4. 12/06/2016 23:21:59 -1 ? tty1 /usr/bin/login yes 43
# aureport -l --success --summary -i Success Login Summary Report ============================ total auid ============================ 14 root 7 gopal
our suuport team here for you 24/7
+8801977507015 [email protected] send a leter
Whether you are looking for a personal website hosting plan or a business website hosting plan, We are the perfect solution for you. Our powerful website hosting services will not only help you achieve your overall website goals, but will also provide you with the confidence you need in knowing that you are partnered with a reliable and secure website hosting platform.