Tuesday, May 4, 2021

Fedora 33: The new aureport tool.

The aureport Linux tool generates summary and columnar reports from the events recorded in the audit log files (the ones listed by aureport -t under /var/log/audit).
Here are some simple examples of using this tool:
[root@desk mythcat]# aureport --tty -ts today

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>

[root@desk mythcat]# aureport --start 12/31/2020 00:00:00 --end 04/05/2021 00:00:01

Summary Report
======================
Range of time in logs: 10/17/2020 22:30:47.765 - 04/04/2021 23:38:30.089
Selected time for report: 12/31/2020 00:00:00 - 04/05/2021 00:00:01
Number of changes in configuration: 76792
Number of changes to accounts, groups, or roles: 11
Number of logins: 10
Number of failed logins: 16
Number of authentications: 460
Number of failed authentications: 59
Number of users: 3
Number of terminals: 16
Number of host names: 3
Number of executables: 56
Number of commands: 76
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 375
Number of responses to anomaly events: 0
Number of crypto events: 35
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 6104
Number of events: 112473

[root@desk mythcat]# aureport -x --summary

Executable Summary Report
=================================
total  file
=================================
128351  (null)
42192  /usr/lib/systemd/systemd
3348  /usr/bin/sudo
1733  /usr/bin/su
971  /snap/anbox/186/usr/bin/anbox
754  /usr/libexec/lxdm-session
702  /usr/lib/systemd/systemd-update-utmp
311  /opt/google/chrome/chrome
119  /usr/sbin/sshd
113  /usr/bin/login
104  /opt/teamviewer/tv_bin/teamviewerd
88  /usr/sbin/runuser
84  /usr/sbin/unix_chkpwd
69  /usr/sbin/auditd
55  /usr/sbin/atd
55  /usr/sbin/auditctl
37  /usr/lib/polkit-1/polkit-agent-helper-1
...
1  /home/mythcat/blender-2.83.12-linux64/blender
...

[root@desk mythcat]# aureport -x | less

Executable Report
====================================
# date time exe term host auid event
====================================
1. 10/17/2020 22:30:47 (null) (none) ? -1 392
2. 10/17/2020 22:30:54 /usr/lib/systemd/systemd ? ? -1 395
3. 10/17/2020 22:31:14 /usr/lib/systemd/systemd ? ? -1 401
4. 10/17/2020 22:31:17 /usr/lib/systemd/systemd ? ? -1 402
5. 10/17/2020 22:31:20 /usr/lib/systemd/systemd ? ? -1 403
6. 10/17/2020 22:31:33 /usr/lib/systemd/systemd ? ? -1 406
7. 10/17/2020 22:31:37 /usr/lib/systemd/systemd ? ? -1 413
8. 10/17/2020 22:31:57 /usr/lib/systemd/systemd ? ? -1 415
9. 10/17/2020 22:32:45 (null) (none) ? -1 421
...

[root@desk mythcat]# aureport -t

Log Time Range Report
=====================
/var/log/audit/audit.log.4: 10/17/2020 22:30:47.765 - 12/21/2020 15:07:09.820
/var/log/audit/audit.log.3: 12/21/2020 15:07:19.925 - 01/30/2021 12:35:50.328
/var/log/audit/audit.log.2: 01/30/2021 12:37:35.586 - 03/08/2021 08:43:18.974
/var/log/audit/audit.log.1: 03/08/2021 08:43:19.034 - 04/27/2021 22:13:39.212
/var/log/audit/audit.log: 04/27/2021 22:13:39.217 - 05/04/2021 21:30:01.648

[root@desk mythcat]# aureport --login --summary -i

Login Summary Report
============================
total  auid
============================
15  unset
10  mythcat
1  unknown(767779)
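The reports above are plain text, so the natural next step for a defender is to parse them and pull out the figures worth a second look: the share of failed logins and authentications in the Summary Report, the busiest executables in the Executable Summary Report, and the login events whose auid is "unset" or "unknown(...)" and therefore cannot be tied to a login user. The following Python script is an added example, not part of the original post and not shipped with the audit package; the three sample strings are constructed to mirror the shape of the aureport output shown above (values are illustrative, not captured from a real host), and the 0.25 failure-share threshold is an assumption you would tune for your own environment.

```python
"""Parse the text output of aureport (summary and two-column reports) and
surface the numbers a reviewer looks at first: the share of failed
logins/authentications, the busiest executables, and login events that
cannot be attributed to a user (auid unset or unknown)."""
import re
from typing import Dict, List, Tuple

# Constructed samples shaped like the aureport output on this page; the
# values are illustrative, not captured from a real host.
SUMMARY_SAMPLE = """\
Summary Report
======================
Range of time in logs: 10/17/2020 22:30:47.765 - 04/04/2021 23:38:30.089
Selected time for report: 12/31/2020 00:00:00 - 04/05/2021 00:00:01
Number of logins: 10
Number of failed logins: 16
Number of authentications: 460
Number of failed authentications: 59
Number of users: 3
"""

EXEC_SUMMARY_SAMPLE = """\
Executable Summary Report
=================================
total  file
=================================
128351  (null)
42192  /usr/lib/systemd/systemd
3348  /usr/bin/sudo
1733  /usr/bin/su
"""

LOGIN_SUMMARY_SAMPLE = """\
Login Summary Report
============================
total  auid
============================
15  unset
10  mythcat
1  unknown(767779)
"""

COUNT_RE = re.compile(r"^Number of (?P<name>.+?): (?P<value>\d+)$")
ROW_RE = re.compile(r"^(?P<total>\d+)\s+(?P<key>\S.*)$")


def parse_counts(text: str) -> Dict[str, int]:
    """Return {'failed logins': 16, ...} from the 'Number of ...' lines."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            counts[m.group("name")] = int(m.group("value"))
    return counts


def parse_table(text: str) -> List[Tuple[int, str]]:
    """Parse a 'total  <key>' table as printed by -x --summary or --login --summary."""
    rows: List[Tuple[int, str]] = []
    in_table = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("total"):  # header row; data rows follow the '====' separator
            in_table = True
            continue
        if not in_table or not s or s.startswith("="):
            continue
        m = ROW_RE.match(s)
        if m:
            rows.append((int(m.group("total")), m.group("key")))
    return rows


def failure_ratios(counts: Dict[str, int]) -> Dict[str, float]:
    """failed / (ok + failed) for every 'failed X' counter that has a matching 'X'."""
    ratios: Dict[str, float] = {}
    for name, failed in counts.items():
        if not name.startswith("failed "):
            continue
        ok_name = name[len("failed "):]
        total = counts.get(ok_name, 0) + failed
        if total:
            ratios[ok_name] = failed / total
    return ratios


def flag_high_failure(counts: Dict[str, int], threshold: float = 0.25) -> List[str]:
    """Counters whose failure share exceeds the threshold (the default is an assumption)."""
    return sorted(n for n, r in failure_ratios(counts).items() if r > threshold)


def top_executables(rows: List[Tuple[int, str]], n: int = 3) -> List[str]:
    """Busiest executables, skipping the '(null)' bucket (events carrying no exe field)."""
    named = sorted((r for r in rows if r[1] != "(null)"), key=lambda r: r[0], reverse=True)
    return [exe for _, exe in named[:n]]


def unattributed_total(rows: List[Tuple[int, str]]) -> int:
    """Login events whose auid is 'unset' or 'unknown(<n>)', i.e. not tied to a login user."""
    return sum(t for t, auid in rows if auid == "unset" or auid.startswith("unknown("))


if __name__ == "__main__":
    counts = parse_counts(SUMMARY_SAMPLE)
    print("failure ratios:", {k: round(v, 3) for k, v in failure_ratios(counts).items()})
    print("flagged:", flag_high_failure(counts))
    print("top executables:", top_executables(parse_table(EXEC_SUMMARY_SAMPLE)))
    print("unattributed logins:", unattributed_total(parse_table(LOGIN_SUMMARY_SAMPLE)))
```

In practice you would feed the script the real output (for example `aureport --login --summary -i | python3 aureport_check.py`, adapting `__main__` to read stdin) and keep the `-i` flag so auids are resolved to names; a large "unset" row is normal for system services, but an "unknown(<uid>)" row means the uid no longer maps to an account in the local database and is worth correlating with the account-change count from the Summary Report.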