audit_syscall_to_name - Linux


audit_syscall_to_name converts a syscall number into its corresponding syscall name. This command is typically used in conjunction with auditd to provide more human-readable information about system calls made by processes.


audit_syscall_to_name [syscall_number] [syscall_name]


  • -h, –help: Print usage information and exit.
  • -v, –version: Print version information and exit.
  • -r, –reverse: Translate syscall names to their corresponding numbers.


Example 1: Convert a syscall number to a name

Convert syscall number 2 to its corresponding name:

$ audit_syscall_to_name 2

Example 2: Convert a syscall name to a number

Convert syscall name "openat" to its corresponding number:

$ audit_syscall_to_name -r openat

Common Issues

Issue: audit_syscall_to_name does not recognize the provided syscall number or name.

Solution: Ensure that the syscall number or name is valid. Refer to the auditd man page or documentation for a list of valid syscalls.


audit_syscall_to_name can be used with auditd to create rules that monitor specific system calls. For example, the following rule monitors all calls to the open syscall:

-a exit,always -F auid>=1000 -S open

Related Commands