ausearch-expression - Linux


Overview

ausearch-expression is a powerful tool for searching through the Linux audit log, allowing administrators and security professionals to identify and investigate specific events or activities. It provides flexible and efficient ways to filter and extract audit records based on complex criteria.

Syntax

ausearch-expression [-e <expression>] [-r <regex>] [-n <num>] [-p <policy>] [-f <file>] [-Z] [-s]

Required Parameters

  • -e or -r: Specify search criteria using either a Boolean expression or a regular expression.

Optional Parameters

  • -n: Specify the maximum number of search results to display (default: unlimited).
  • -p: Filter results based on a specific audit policy (e.g., kernel).
  • -f: Read audit records from a specified file instead of the system audit log.
  • -Z: Compress output using GZIP.
  • -s: Print search summary only, without detailed event information.

Options/Flags

| Option/Flag | Description | Default Value |
|---|---|---|
| -e | Specify a Boolean expression for search criteria. | (none) |
| -r | Specify a regular expression for search criteria. | (none) |
| -n | Number of search results to display. | Unlimited |
| -p | Filter search results based on audit policy. | All policies |
| -f | Read audit records from a specified file. | System audit log |
| -Z | Compress output using GZIP. | Not compressed |
| -s | Print search summary only. | Detailed event information printed |

Examples

Simple Search

To search for all events related to file access, use:

ausearch-expression -e "type=open"

Complex Boolean Expression

To search for file opens by the user "john" that were denied, use:

ausearch-expression -e "type=open AND subj_user=john AND res=failed"

Regular Expression

To search for events where the pathname contains "important", use:

ausearch-expression -r "pathname:.*important.*"

Advanced Query

To search for all failed login attempts by IP address "192.168.1.10" from a specific policy file, using summary mode and compressed output, use:

ausearch-expression -e "res=failed AND type=login AND ip.src=192.168.1.10" -p /etc/audit/audit.rules -s -Z > search_results.gz
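The examples above show the two query styles (a Boolean expression over key=value fields and a field:regex match) without showing how such a filter is evaluated against individual audit records. The following is an added example, not code from the page or from the audit tooling it describes: a small Python evaluator that parses key=value records, applies the Boolean syntax used in the examples (AND, plus OR and NOT as an assumed extension), applies the field:regex form, honours a result limit like -n, and produces a per-field count like a summary mode. The record lines are constructed for this example and the grammar (AND binding tighter than OR, full-match regex semantics) is an assumption, not a statement about the real tool.

```python
import re
import shlex

# Constructed sample records (not captured from any real system) in the
# key=value layout the page's examples filter on.
SAMPLE_RECORDS = [
    "type=open subj_user=john res=failed pathname=/etc/shadow",
    "type=open subj_user=john res=success pathname=/home/john/important.txt",
    "type=open subj_user=alice res=failed pathname=/var/log/important.log",
    "type=login subj_user=bob res=failed ip.src=192.168.1.10",
    "type=login subj_user=bob res=success ip.src=10.0.0.5",
]


def parse_record(line):
    """Split one record line into a dict of field -> value."""
    fields = {}
    for token in shlex.split(line):        # shlex keeps quoted values intact
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def _term(term, record):
    """Evaluate one comparison: field=value, field!=value, or NOT field=value."""
    term = term.strip()
    negate = False
    if term.upper().startswith("NOT "):
        negate = True
        term = term[4:].strip()
    if "!=" in term:
        key, _, value = term.partition("!=")
        result = record.get(key.strip()) != value.strip()
    else:
        key, _, value = term.partition("=")
        result = record.get(key.strip()) == value.strip()
    return not result if negate else result


def match_boolean(expr, record):
    """Assumed grammar: terms joined by AND, groups joined by OR, no parentheses."""
    for disjunct in re.split(r"\s+OR\s+", expr):
        if all(_term(t, record) for t in re.split(r"\s+AND\s+", disjunct)):
            return True
    return False


def match_regex(expr, record):
    """'field:regex' as in the -r example; the regex must match the whole field value."""
    key, _, pattern = expr.partition(":")
    value = record.get(key.strip())
    return value is not None and re.fullmatch(pattern, value) is not None


def search(records, expression=None, regex=None, limit=None):
    """Return parsed records satisfying both filters, stopping at `limit` (like -n)."""
    matches = []
    for line in records:
        rec = parse_record(line)
        if expression is not None and not match_boolean(expression, rec):
            continue
        if regex is not None and not match_regex(regex, rec):
            continue
        matches.append(rec)
        if limit is not None and len(matches) >= limit:
            break
    return matches


def summarize(matches, field):
    """Count matches per value of `field` (records lacking the field are skipped)."""
    counts = {}
    for rec in matches:
        if field in rec:
            counts[rec[field]] = counts.get(rec[field], 0) + 1
    return counts


if __name__ == "__main__":
    denied = search(SAMPLE_RECORDS, expression="type=open AND subj_user=john AND res=failed")
    print("denied opens by john:", [r["pathname"] for r in denied])
    print("paths containing 'important':",
          [r["pathname"] for r in search(SAMPLE_RECORDS, regex="pathname:.*important.*")])
    print("failures per user:", summarize(search(SAMPLE_RECORDS, expression="res=failed"), "subj_user"))
```

Matching against parsed fields rather than raw text is what keeps a query like `subj_user=john` from also hitting a record whose pathname happens to contain the string `john`; the regex form still gives a free-text match when that is what is wanted.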

Common Issues

  • Access Denied: Ensure that you have appropriate root or sudo privileges to read audit records.
  • No Results Found: Verify that the search criteria are correct and sufficiently broad.
  • Slow Performance: Complex search expressions can take time to execute, especially with large audit logs.

Integration

ausearch-expression can be combined with other commands or scripts for advanced analysis. For example:

  • grep: Filter search results further using regular expressions.
  • awk: Extract specific fields from search results.
  • bash: Build loops or conditional statements based on search results.

Related Commands

  • auditctl: Manage Linux audit settings.
  • ausearch: Search for events in the audit log using pre-defined query options.
  • grep: Search for patterns in text files, including audit log files.