ausearch_clear - Linux
Overview
ausearch_clear is a privileged command used to remove filtered audit records from audit caches. It operates on audit records that have been matched by the ausearch command.
Syntax
ausearch_clear [-h] [-a] [-p] [-e] [-n] [-H HANDLE] [-f PATTERN] [-s] [-d] [-x] [-i] [-b]
Options/Flags
- -h, --help: Display the help message.
- -a, --all: Clear all audit records.
- -p, --pending: Clear pending audit records.
- -e, --error: Clear error audit records.
- -n, --new: Clear new audit records.
- -H HANDLE, --handle HANDLE: Handle to the audit session.
- -f PATTERN, --pattern PATTERN: Pattern to match against the path name.
- -s, --success: Include successful audit records.
- -d, --describe: Display the audit record.
- -x, --exclude: Exclude audit records that match PATTERN.
- -i, --include: Include audit records that match PATTERN.
- -b, --backlog: Clear the audit backlog.
Examples
Clear all audit records:
ausearch_clear -a
Clear pending audit records:
ausearch_clear -p
Clear new audit records:
ausearch_clear -n
Clear audit records matching a specific pattern:
ausearch_clear -f /home/user
Clear successful audit records:
ausearch_clear -s
Common Issues
Errors:
- Permission denied: Ensure that you have sufficient permissions to run the command.
- Invalid pattern: Verify that the specified pattern is valid.
Integration
ausearch_clear can be used in conjunction with other Linux audit commands such as ausearch to filter and manage audit records.