audit_get_reply - Linux


Overview

audit_get_reply is a Linux command that lets users retrieve the response from the kernel's Audit daemon (auditd). It retrieves audit messages that have been queued for analysis and reporting, which makes it a useful source of data for security monitoring.

Syntax

audit_get_reply [-a|-d|-e|-g|-i|-q|-s|-t] [<rawfile>] [<format>]

Options/Flags

  • -a (active): Retrieve only active audit trail lists.
  • -d (delete): Delete audit trail lists after retrieving them.
  • -e (encode): Encode the reply in character format (default).
  • -g (get): Get list of audit trail records and encode them in character format.
  • -i (inactive): Retrieve only inactive audit trail lists.
  • -q (query): Query underlying APIs for current state (e.g., active threads).
  • -s (selected): Retrieve only audit trail lists with configured riders.
  • -t (tuples): Limit the number of records returned.

Examples

Get and print all available audit trail lists:

audit_get_reply | grep -i name

Retrieve only inactive audit trail lists:

audit_get_reply -i

Delete all audit trail lists after retrieving them:

audit_get_reply -d

Common Issues

  • Missing library: Ensure the libelf library is installed.
  • Permission denied: Verify that the user has sufficient privileges to access the audit daemon.

Integration

audit_get_reply can be combined with other commands for more advanced tasks, for example:

  • sed or awk to filter and process the output.
  • logger to send audit messages to the system log.
  • scripts to automate audit reporting and analysis.
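The following is an added example, not code from the original page, showing the awk-based filtering and reporting the list above describes. It reads records in the kernel's key=value audit format from standard input; the SAMPLE_RECORDS lines are constructed for illustration (in practice the input would be the reply stream or ausearch output), and the record values, keys and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-process audit records with awk.
# SAMPLE_RECORDS are constructed sample lines, not real audit output.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1700000000.456:102): arch=c000003e syscall=2 success=no exit=-13 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="shadow_access"
type=USER_LOGIN msg=audit(1700000001.000:103): pid=900 uid=0 auid=1000 ses=3 msg='\''op=login id=1000 exe="/usr/sbin/sshd" res=success'\''
type=SYSCALL msg=audit(1700000002.000:104): arch=c000003e syscall=2 success=no exit=-13 uid=1001 auid=1001 comm="vim" exe="/usr/bin/vim" key="shadow_access"'

# audit_field RECORD NAME: print the value of the NAME=... field of one
# record, with surrounding double quotes stripped.
audit_field() {
    printf '%s\n' "$1" | awk -v name="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                print v
            }
        }
    }'
}

# count_failed_by_key: read records on stdin and print, per audit rule key,
# how many SYSCALL records failed (success=no). Failed accesses grouped by
# the key that an auditctl rule attached are a common detection signal.
count_failed_by_key() {
    awk '
        $1 == "type=SYSCALL" && / success=no / {
            key = ""
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "key=") { key = substr($i, 5); gsub(/"/, "", key) }
            n[key]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# report_failed_access: human-readable summary, one line per key. Piping
# this into `logger -t audit-report` forwards it to the system log.
report_failed_access() {
    count_failed_by_key | while read -r key n; do
        printf 'audit: %s failed access attempts with key=%s\n' "$n" "$key"
    done
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_RECORDS" | report_failed_access
```

Both functions take the record stream on standard input, so the same pipeline applies to live output by replacing the printf of SAMPLE_RECORDS with the producing command; the summary can then be appended to a report file or sent to syslog with logger as the list above suggests.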

Related Commands

  • auditctl(8) – Manage the Linux audit subsystem.
  • ausearch(8) – Search the audit trail for specific events.
  • auditd(8) – The Linux Audit daemon.