ausearch_clear - Linux


Overview

ausearch_clear is a privileged command that removes filtered audit records from the audit caches. It operates on the set of records that ausearch has already matched, so the same selection criteria (path pattern, success status, record state) decide what is removed. Because clearing discards audit evidence, review the matched records first and run the command only with the intended filter in place.

Syntax

ausearch_clear [-h] [-a] [-p] [-e] [-n] [-H HANDLE] [-f PATTERN] [-s] [-d] [-x] [-i] [-b]

Options/Flags

  • -h, --help: Display the help message.
  • -a, --all: Clear all audit records.
  • -p, --pending: Clear pending audit records.
  • -e, --error: Clear error audit records.
  • -n, --new: Clear new audit records.
  • -H HANDLE, --handle HANDLE: Handle of the audit session to operate on.
  • -f PATTERN, --pattern PATTERN: Pattern to match against the record's path name.
  • -s, --success: Select only successful audit records (records whose success flag is set).
  • -d, --describe: Display the matched audit records.
  • -x, --exclude: Exclude audit records that match PATTERN.
  • -i, --include: Include audit records that match PATTERN.
  • -b, --backlog: Clear the audit backlog.

Examples

Clear all audit records:

ausearch_clear -a

Clear pending audit records:

ausearch_clear -p

Clear new audit records:

ausearch_clear -n

Clear audit records whose path name matches a pattern (quote the pattern if it contains shell metacharacters):

ausearch_clear -f /home/user

Clear only successful audit records:

ausearch_clear -s
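The -f, -x and -s options above select records by the same fields that appear in raw audit log lines: the name field of PATH records and the success field of the SYSCALL record. The following Python is an added illustration of that selection logic, not code from ausearch_clear or the audit package. It parses a few constructed audit-log-style lines, groups them into events by serial number, applies a path-prefix filter (prefix matching is an assumption; the page does not define the matching rule) and a success filter, and then "clears" the matching events from an in-memory cache.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format (not taken from a real host).
# Serial 101: a successful open of /home/user/.bashrc.
# Serial 102: a denied (success=no) open of /etc/shadow.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1a0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="home_access"
type=CWD msg=audit(1700000000.101:101): cwd="/home/user"
type=PATH msg=audit(1700000000.101:101): item=0 name="/home/user/.bashrc" inode=1234 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1b0 a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="shadow_access"
type=CWD msg=audit(1700000000.102:102): cwd="/home/user"
type=PATH msg=audit(1700000000.102:102): item=0 name="/etc/shadow" inode=5678 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<serial>) ties the lines of one event together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_records(text):
    """Group raw audit lines into events keyed by serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record line
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[serial].append(fields)
    return dict(events)


def event_paths(records):
    """Path names recorded for an event (the name field of its PATH records)."""
    return [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]


def event_success(records):
    """True/False from the SYSCALL record's success field, None if absent."""
    for r in records:
        if r.get("type") == "SYSCALL":
            return r.get("success") == "yes"
    return None


def select_events(events, path_pattern=None, success=None, exclude=False):
    """Serials of events that satisfy the filter.

    path_pattern: matched as a path prefix against PATH names (assumption).
    success:      True keeps success=yes events, False keeps success=no,
                  None ignores the field.
    exclude:      invert the path match, like -x instead of -f/-i.
    """
    selected = []
    for serial in sorted(events):
        recs = events[serial]
        ok = True
        if path_pattern is not None:
            hit = any(p.startswith(path_pattern) for p in event_paths(recs))
            ok = (not hit) if exclude else hit
        if ok and success is not None:
            ok = event_success(recs) is success
        if ok:
            selected.append(serial)
    return selected


def clear_events(events, **criteria):
    """Remove matching events from the cache; return (cleared, remaining)."""
    cleared = select_events(events, **criteria)
    remaining = {s: r for s, r in events.items() if s not in cleared}
    return cleared, remaining


if __name__ == "__main__":
    cache = parse_records(SAMPLE_LOG)
    cleared, remaining = clear_events(cache, path_pattern="/home/user")
    print("cleared:", cleared, "remaining:", sorted(remaining))
```

Note that the filter is evaluated per event, not per line: a PATH line matches the pattern but the whole event (SYSCALL, CWD and PATH lines sharing one serial) is what gets cleared, which is the granularity a practitioner should expect when removing records.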

Common Issues

Errors:

  • Permission denied: The command is privileged; run it as root (for example via sudo) rather than as an unprivileged user.
  • Invalid pattern: Verify that PATTERN is a valid path pattern, and quote it so the shell does not expand wildcards before the command sees them.

Integration

ausearch_clear is used together with the other Linux audit commands: ausearch selects and displays the records, and ausearch_clear removes the records that selection matched.

Related Commands