Man Page: ausearch
EXECUTIVE SUMMARY
Ausearch is a tool used to query the audit daemon logs based on specific events and search criteria. It is an essential utility for security monitoring, troubleshooting SELinux denials, and tracking system access on RHEL and Fedora systems. Because raw audit logs are extremely difficult to read in their native form, ausearch serves as the primary interface for filtering this large volume of data down to targeted, readable output.
BASIC SYNTAX
[sudo] ausearch [options]
TEN COMMON USAGES (MOST USEFUL FIRST)
1. Search SELinux Denials: sudo ausearch -m AVC,USER_AVC
2. Interpret Data: sudo ausearch -m AVC -i
3. Search Failed Logins: sudo ausearch -m USER_LOGIN -sv no
4. Search by File/Dir: sudo ausearch -f /home/userA
5. Search by User ID: sudo ausearch -ui 1000
6. Search by Time (Recent): sudo ausearch -ts recent
7. Search by Time (Exact): sudo ausearch -ts 08:00:00
8. Search by Process ID: sudo ausearch -p 1234
9. Search Executable: sudo ausearch -x /usr/bin/passwd
10. Search System Calls: sudo ausearch -sc openat
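As an added example (not part of the man page or the audit package), the shell below carries the failed-login search (usage 3, sudo ausearch -m USER_LOGIN -sv no) one step further: it keeps the USER_LOGIN records with res=failed, counts failures per account and reports accounts at or above a threshold. The records are a constructed sample in the format of /var/log/audit/audit.log so the script runs without auditd; the function names and the threshold argument are the example's own.

```shell
#!/bin/sh
# Constructed sample of raw audit records (audit.log format); not from a real host.
sample_audit_log() {
cat <<'EOF'
type=USER_LOGIN msg=audit(1700000000.101:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000004.118:202): pid=1204 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000006.301:203): pid=1206 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000010.410:204): pid=1210 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000015.522:205): pid=1215 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000020.633:206): pid=1220 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.44 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1700000025.744:207): pid=1225 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000030.855:208): pid=1230 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
EOF
}

# Reads raw audit records on stdin and keeps what "ausearch -m USER_LOGIN -sv no"
# selects: USER_LOGIN records whose result is failed. USER_AUTH and successful
# logins are ignored. Prints "count account" for every account with at least
# $1 failures (default 1), highest count first.
failed_logins_by_acct() {
  threshold="${1:-1}"
  awk -v min="$threshold" '
    /^type=USER_LOGIN / && / res=failed/ {
      # acct="name" is the account that was attempted; auid is unset on a failed login
      if (match($0, /acct="[^"]*"/)) {
        acct = substr($0, RSTART + 6, RLENGTH - 7)
        n[acct]++
      }
    }
    END { for (a in n) if (n[a] >= min) printf "%d %s\n", n[a], a }
  ' | sort -rn
}

# On a live host the same filter is fed by the daemon logs (--raw keeps the
# record format the function parses):
#   sudo ausearch -m USER_LOGIN -sv no --raw | failed_logins_by_acct 3
sample_audit_log | failed_logins_by_acct 2
```

Run stand-alone it prints "3 alice" and "2 root"; bob's single failure falls below the threshold of 2.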
CORE FLAGS TO MEMORIZE
-m | Message type; search by specific event types (e.g., AVC)
-i | Interpret; converts UIDs to usernames and epoch times to dates
-f | File; search for audit events targeting a specific path
-ts | Time start; search for events occurring after a specified time
Keywords: RHEL, Fedora, Linux, ausearch, Audit System, Security, Djere Service Group
