auparse_get_record_num - Linux


auparse_get_record_num parses an audit record and retrieves the record number field. This is useful for identifying and matching specific audit records, especially when working with large audit logs.


auparse_get_record_num [OPTIONS] [--silent] <AUDIT_RECORD>




Extract the record number from an audit record:

auparse_get_record_num -i /var/log/audit/audit.log

Save the record number to a variable:

RECORD_NUM=$(auparse_get_record_num -i /var/log/audit/audit.log)

Use the record number in a script:

if [ "$RECORD_NUM" -gt 10000 ]; then
  echo "High-numbered record detected"

Common Issues

  • Ensure that the provided audit record is valid and in the correct format.
  • Check permissions to access the audit record file.
  • Verify that the audit record number is not too large or too small.


auparse_get_record_num can be used with other Linux commands and tools to analyze and process audit logs:

  • grep to filter records based on record number
  • awk to extract and format record numbers
  • sed to modify or remove record numbers

Related Commands

  • ausearch
  • ausearch -f
  • auditctl