ausearch_add_timestamp_item_ex - Linux


Overview

ausearch_add_timestamp_item_ex is not a standalone command. It is a function in libauparse, the audit parsing library shipped with audit-userspace, declared in auparse.h. It adds a timestamp constraint to the search expression that ausearch_next_event(3) later evaluates against the audit log. The plain ausearch_add_timestamp_item takes seconds and milliseconds; the _ex variant also takes the event serial number, so it can pin down one specific event even when several events share the same millisecond. That matters when a consumer resumes from a saved position: a bound built on seconds and milliseconds alone either re-reads or skips the other events logged in the same millisecond, depending on whether the comparison is ">=" or ">".

Syntax

#include <auparse.h>

int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op,
                                   time_t sec, unsigned milli,
                                   unsigned serial, ausearch_rule_t how);

Parameters

  • au: the parser state returned by auparse_init(3); the log source (AUSOURCE_LOGS, a file, a buffer) is chosen there, not here.
  • op: the comparison to apply, given as a string: "<", "<=", ">=", ">", "=", or "!=".
  • sec, milli, serial: the event time as seconds since the epoch, its millisecond part, and the event serial number. These are the three numbers in every record header, msg=audit(sec.milli:serial), and are what auparse_get_time(3), auparse_get_milli(3) and auparse_get_serial(3) return for the current event.
  • how: how to combine this rule with any rules already in the expression: AUSEARCH_RULE_CLEAR starts a new expression, AUSEARCH_RULE_OR and AUSEARCH_RULE_AND join it to the existing one.

Return value: 0 on success, -1 on error (for example an op string that is not one of those listed). The rule only takes effect on subsequent calls to ausearch_next_event(3); use ausearch_set_stop(3) to choose whether the cursor stops on the matching event, record or field.

Examples

The command-line tool built on libauparse is ausearch(8); the searches below are written with it.

Events of one message type

ausearch -m LOGIN

Filtering by event ID (the serial number in the record header)

ausearch -m LOGIN -a 12345

Bounding by time

ausearch -m LOGIN -ts today -te now

Reading a rotated log file instead of the live log

ausearch -if /var/log/audit/audit.log.1 -m LOGIN

Machine-readable output

ausearch -m LOGIN --format csv

ausearch has no sort, reverse or JSON option; events are printed in log order, oldest first, and --format accepts raw, default, interpret, csv and text.

Common Issues

  • No events returned: ausearch_next_event(3) returns 0 when nothing matches. Check that auditd is running and writing /var/log/audit/audit.log, that the calling process can read it (the log is root-only by default), and that the timestamp bound is not later than the newest event in the log.
  • ausearch_add_timestamp_item_ex returns -1: the op string is not one of "<", "<=", ">=", ">", "=", "!=", or how is not a valid ausearch_rule_t value.
  • Events missed or repeated when resuming: a bound built with ausearch_add_timestamp_item (seconds and milliseconds only) cannot tell apart events logged in the same millisecond. Resume with the _ex variant, the serial of the last processed event, and op ">".

Integration

libauparse is the library behind ausearch(8) and aureport(8), so a program built on it fits the same pipelines. The usual pattern is a consumer that stores the (sec, milli, serial) triple of the last event it handled and, on its next run, passes that triple to ausearch_add_timestamp_item_ex with op ">" so that it continues exactly where it stopped, with no duplicates and no gaps. ausearch offers the same idea from the shell with --checkpoint file, which records the position of the last event printed so that the next invocation with the same option prints only newer events.

Example: reporting failed login attempts that have appeared since the last run

ausearch -m USER_LOGIN -sv no -i --checkpoint /var/lib/auditd/alert.checkpoint | mail -s "Failed Login Alert" admin@example.com
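The check that ausearch_add_timestamp_item_ex installs in the search expression, reimplemented here as an added example rather than code from audit-userspace so that it compiles and runs without libauparse or an audit log. The audit_ts type, the helper names and the four USER_LOGIN records are constructed for this example; against the real library the same bound is set with ausearch_add_timestamp_item_ex(au, ">", cp.sec, cp.milli, cp.serial, AUSEARCH_RULE_CLEAR) before the ausearch_next_event loop. The block counts failed logins after a saved checkpoint once with the serial (the _ex rule) and once without it, which is where the two variants diverge.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* The three numbers in a record header "msg=audit(SEC.MILLI:SERIAL)", which are
 * exactly the sec, milli and serial arguments of ausearch_add_timestamp_item_ex.
 * (audit_ts is a name chosen for this example, not a libauparse type.) */
typedef struct {
    time_t sec;
    unsigned milli;
    unsigned serial;
} audit_ts;

/* Three-way compare in audit order: seconds, then milliseconds, then serial.
 * with_serial == 0 reproduces the non-_ex rule, which stops at milliseconds. */
static int audit_ts_cmp(const audit_ts *a, const audit_ts *b, int with_serial)
{
    if (a->sec != b->sec)
        return a->sec < b->sec ? -1 : 1;
    if (a->milli != b->milli)
        return a->milli < b->milli ? -1 : 1;
    if (with_serial && a->serial != b->serial)
        return a->serial < b->serial ? -1 : 1;
    return 0;
}

/* Evaluate op with the same spellings the library accepts.
 * Returns 1 (match), 0 (no match) or -1 for an unknown op. */
static int audit_ts_match(const audit_ts *ev, const char *op,
                          const audit_ts *bound, int with_serial)
{
    int c = audit_ts_cmp(ev, bound, with_serial);
    if (strcmp(op, "<") == 0)  return c < 0;
    if (strcmp(op, "<=") == 0) return c <= 0;
    if (strcmp(op, ">") == 0)  return c > 0;
    if (strcmp(op, ">=") == 0) return c >= 0;
    if (strcmp(op, "=") == 0)  return c == 0;
    if (strcmp(op, "!=") == 0) return c != 0;
    return -1;
}

/* Pull the header triple out of a raw audit record; -1 if it is malformed. */
static int parse_audit_header(const char *rec, audit_ts *out)
{
    const char *p = strstr(rec, "msg=audit(");
    long sec;
    unsigned milli, serial;

    if (p == NULL || sscanf(p, "msg=audit(%ld.%u:%u)", &sec, &milli, &serial) != 3)
        return -1;
    out->sec = (time_t)sec;
    out->milli = milli;
    out->serial = serial;
    return 0;
}

/* Constructed sample log: three USER_LOGIN events land in the same millisecond
 * (serials 41, 42, 43); a fourth arrives five seconds later. */
static const char *const SAMPLE[] = {
    "type=USER_LOGIN msg=audit(1700000000.100:41): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.7 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1700000000.100:42): pid=901 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"admin\" exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.7 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1700000000.100:43): pid=902 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.2 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1700000005.250:44): pid=903 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.7 terminal=ssh res=failed'",
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Position saved by the previous run: the last event it processed. */
static const audit_ts CHECKPOINT = { 1700000000, 100, 41 };

/* Count failed USER_LOGIN records whose header satisfies "op bound".
 * Returns -1 on a malformed record or unknown op. */
int count_failed_logins(const char *const *recs, size_t n, const char *op,
                        const audit_ts *bound, int with_serial)
{
    int failed = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        audit_ts ts;
        int m;

        if (parse_audit_header(recs[i], &ts) != 0)
            return -1;
        m = audit_ts_match(&ts, op, bound, with_serial);
        if (m < 0)
            return -1;
        if (m && strncmp(recs[i], "type=USER_LOGIN ", 16) == 0 &&
            strstr(recs[i], "res=failed") != NULL)
            failed++;
    }
    return failed;
}

int main(void)
{
    /* With the serial (the _ex rule) ">" resumes right after event 41: 2 failed.
     * Without it, 42 and 43 compare equal to the bound and are skipped: 1 failed. */
    printf("with serial:    %d failed logins\n",
           count_failed_logins(SAMPLE, SAMPLE_N, ">", &CHECKPOINT, 1));
    printf("without serial: %d failed logins\n",
           count_failed_logins(SAMPLE, SAMPLE_N, ">", &CHECKPOINT, 0));
    return 0;
}
```

Against libauparse only the evaluator changes: after auparse_init(AUSOURCE_LOGS, NULL) the caller passes the checkpoint triple to ausearch_add_timestamp_item_ex, loops on ausearch_next_event, and reads the new position back with auparse_get_time, auparse_get_milli and auparse_get_serial to store as the next checkpoint. Switching the bound to ">=" without the serial re-reads event 41 on every run, which is the duplicate-alert failure mode the serial exists to remove.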

Related Commands and Functions

  • ausearch: Searches audit events from the command line; built on libauparse.
  • aureport: Produces summary reports from the audit log.
  • auditctl: Controls the Linux audit system and its rules.
  • auditd: The Linux audit daemon that writes the log.
  • ausearch_add_timestamp_item: The same rule without the serial number.
  • ausearch_next_event: Runs the search expression over the log.