auparse_get_field_name - Linux


auparse_get_field_name is a command-line utility used to extract field names from an audit log event in the Linux Audit Framework. It provides a convenient way to retrieve field names, which are needed for constructing audit rules and analyzing audit logs.


auparse_get_field_name [--ns-format <namespace_format>] <log_or_key> [<key>...]


  • –ns-format: Specifies the namespace format for the field names. Default is short.
    • short: Return field names in short format (e.g., subj_user).
    • long: Return field names in long format (e.g., subject.user).
    • full: Return field names in full format (e.g., subject.username).


Simple Usage

To retrieve the field name for the subject’s user:

auparse_get_field_name subj_user

Namespace Format

To get the field name for the subject’s user in long format:

auparse_get_field_name --ns-format long subj_user

Multiple Fields

To retrieve field names for multiple keys:

auparse_get_field_name subj_user obj_type

Common Issues

No output: Ensure that the provided log or key names are correct.

Unexpected namespace format: Specify the desired namespace format using the --ns-format option.


Auditd Rules: auparse_get_field_name can be used to construct audit rules that specify field values.

Log Analysis: The field names obtained from auparse_get_field_name can be used to parse and analyze audit logs effectively.

Related Commands

  • ausearch: Search for specific events in the audit log.
  • auread: Read audit records from the kernel.
  • aurender: Render audit records in human-readable format.