ausearch_add_timestamp_item_ex - Linux
Overview
ausearch_add_timestamp_item_ex lets users examine the timestamps of audit events recorded by the audit system. It reports the timestamps associated with the same event and may include additional timestamp information.
Syntax
ausearch_add_timestamp_item_ex [options] [filter_expression]
Options/Flags
- -f, --filename: The file to read audit records from.
- -t, --type: The audit type to filter on.
- -i, --id: The ID of the audit event to search for.
- -o, --output: The output format to use. Valid values are: plain, json, yaml, xml, csv.
- -s, --sort: The field to sort the output by. Valid values are: timestamp, id, type, subject, object, reason, outcome.
- -r, --reverse: Reverse the order of the output.
- -h, --help: Display help for the command.
Examples
Simple usage
ausearch_add_timestamp_item_ex -t LOGIN
Filtering by ID
ausearch_add_timestamp_item_ex -t LOGIN -i 12345
Sorting the output
ausearch_add_timestamp_item_ex -t LOGIN -s timestamp
Reversing the order of the output
ausearch_add_timestamp_item_ex -t LOGIN -r
Outputting in JSON format
ausearch_add_timestamp_item_ex -t LOGIN -o json
Common Issues
- No audit records found: Ensure that auditd is running and that the audit records you are looking for are being logged.
- Invalid filter expression: The filter expression syntax is incorrect. Consult the audit system documentation for valid filter expressions.
- Invalid output format: The specified output format is not supported. Valid values are plain, json, yaml, xml, csv.
Integration
ausearch_add_timestamp_item_ex can be combined with other Linux commands to perform complex tasks. For example, you can use it to search for audit events and then pipe the output to another command for further processing.
Example: Searching for failed login attempts and sending an alert
ausearch_add_timestamp_item_ex -t LOGIN -o csv | grep -E "outcome=(failure|error)" | mail -s "Failed Login Alert" admin@example.com
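The one-liner above hands whatever grep produces to mail, including an empty body when no failures were found. The following added example (not from the original page) wraps the same filter in functions that count the failed records and only send an alert when there is at least one. It reads the CSV from stdin, so it can be tested on the constructed sample records below; the column layout is an assumption, and only the outcome=<value> field that the page's grep pattern relies on is used.

```shell
#!/bin/sh
# Added example: alert on failed LOGIN events only when some exist.
# Input is the CSV the page says "ausearch_add_timestamp_item_ex -t LOGIN -o csv"
# produces, read from stdin. The column layout is an assumption; only the
# "outcome=<value>" field (the one the page's grep pattern matches) is relied on.

FAIL_PATTERN='outcome=(failure|error)'

# Constructed sample records (not real audit output), used by the tests/demo.
SAMPLE_CSV='timestamp,id,type,subject,outcome
2024-05-01T10:00:00,101,LOGIN,subject=alice,outcome=success
2024-05-01T10:00:05,102,LOGIN,subject=bob,outcome=failure
2024-05-01T10:00:09,103,LOGIN,subject=bob,outcome=error
2024-05-01T10:00:12,104,LOGIN,subject=carol,outcome=success'

# select_failures: pass through only the records whose outcome is failure or error.
select_failures() {
    grep -E "$FAIL_PATTERN"
}

# count_failures: print how many failed records are on stdin (0 when none).
# Always exits 0, since grep -c exits 1 when nothing matches.
count_failures() {
    grep -cE "$FAIL_PATTERN" || true
}

# alert_if_failures RECIPIENT: mail the failed records to RECIPIENT, but only
# when at least one exists, so an empty search does not produce an alert.
# $MAILER (default: mail) is invoked as "MAILER -s SUBJECT RECIPIENT" with the
# body on stdin, so a different transport can be substituted.
# Returns 0 when an alert was sent, 1 when there was nothing to report.
alert_if_failures() {
    recipient="$1"
    body=$(select_failures || true)
    [ -n "$body" ] || return 1
    n=$(printf '%s\n' "$body" | count_failures)
    printf '%s\n' "$body" \
        | "${MAILER:-mail}" -s "Failed Login Alert: $n failed LOGIN event(s)" "$recipient"
}

# Real use (replaces the page's one-liner):
#   ausearch_add_timestamp_item_ex -t LOGIN -o csv | alert_if_failures admin@example.com
# Offline demo on the constructed sample:
#   printf '%s\n' "$SAMPLE_CSV" | count_failures     # prints 2
```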
Related Commands
- ausearch: Searches for audit events.
- auditctl: Controls the Linux audit system.
- auditd: The Linux audit daemon.