audit_log_user_message - Linux


audit_log_user_message allows system administrators to add arbitrary messages to the audit log. It is primarily used for recording events or messages that cannot be captured by other audit mechanisms.


audit_log_user_message <message>


  • -k: Key to associate with the message.
  • -a: Architecture type. Default: auditarch
  • -d: Description of the action being performed.
  • -h: Display help message and exit.


Log a message with a custom key:

audit_log_user_message -k system_update "System update completed successfully"

Log a message with an architecture type:

audit_log_user_message -a x86 -d "Installed security patch for x86 architecture"

Log a message with a description:

audit_log_user_message -d "Manually terminated user account with id 1001"

Common Issues

  • Missing privileges: User must have sufficient privileges (e.g., root) to use this command.
  • Invalid key: Ensure the specified key is valid and conforms to the system’s naming conventions.
  • Malformed message: The message should be a valid string without any special characters or syntax errors.


Combining with auditctl: Use audit_log_user_message to supplement audit rules defined using auditctl.

Integrating into scripts: Automate message logging within custom scripts or monitoring systems.

Related Commands

  • ausearch: Search the audit log.
  • auditctl: Configure audit rules.
  • authlog: View the system log file.