Generated by GPT-5-mini

| ausearch | |
|---|---|
| Name | ausearch |
| Developer | Red Hat |
| Initial release | 2006 |
| Latest release | 2018 |
| Operating system | Linux |
| License | GNU General Public License |
| Website | auditd documentation |
ausearch is a command-line utility that queries the audit records produced by the Linux kernel audit framework and stored on disk by auditd. It is commonly used by system administrators, security analysts, and compliance officers to extract, filter, and analyze events logged by auditd on distributions such as Red Hat Enterprise Linux, CentOS, Fedora, and Debian. The tool integrates with other components of the Linux Audit ecosystem, including auditctl and audispd, to support incident response, forensic analysis, and regulatory reporting.
ausearch is part of the audit package maintained by contributors associated with Red Hat and upstream projects in the Linux community. It reads audit logs produced by the Linux kernel audit subsystem, typically located under /var/log/audit/ and managed by auditd. The utility can query by time ranges, event types, user identifiers, process identifiers, and other attributes attached to audit events. Administrators often use ausearch alongside its companion reporting tool aureport and log processing systems including rsyslog, fluentd, Logstash, Splunk, Elastic Stack, and Graylog.
ausearch is invoked from a shell such as bash, zsh, dash, or fish and accepts options that specify query constraints. Common options include filters for start and end times, record types, and identifiers such as UID, GID, PID, and syscall numbers. Other options control output, allowing JSON, raw, or interpreted formats, which facilitate integration with scripting languages like Python, Perl, Ruby, Go, or Bash. System integrators often use ausearch in automated workflows with configuration management tools such as Ansible, Puppet, Chef, SaltStack, and CFEngine to collect audit evidence across fleets.
ausearch supports complex filtering expressions that reference audit record fields produced by the Linux kernel audit subsystem, including syscall metadata, path names, and subject credentials. Filters allow queries by syscall name, exit code, audit session identifier, SELinux security context, POSIX capability checks, and keys applied via auditctl rules. Analysts frequently combine these filters with time-based constraints, relying on time synchronization services like chrony, ntpd, or systemd-timesyncd to keep event timestamps comparable across hosts. Integration with identity providers such as LDAP, Active Directory, and SSO systems such as Okta or FreeIPA helps map audit UIDs to human identities during investigations.
Output formats include raw audit record dumps, parsed textual summaries, and JSON intended for ingestion by downstream analytics platforms like Elastic Stack, Splunk, Sumo Logic, Datadog, and Sentry. Interpreting ausearch output requires knowledge of kernel-generated fields such as a0–a6 register values, return codes, and file-contexts produced by filesystem events on EXT4, XFS, Btrfs, or network filesystems like NFS. Correlating audit events with process metadata often uses process accounting tools such as sysstat, acct, or psacct, and incident responders map events to broader timelines constructed with orchestration tools like Kubernetes, Docker, OpenShift, Mesos, and Nomad for containerized environments.
Common use cases for ausearch include forensic triage following an intrusion, compliance reporting for standards like PCI DSS, HIPAA, SOX, or ISO/IEC 27001, and monitoring privileged command execution. Example workflows integrate ausearch output with SIEMs such as QRadar, ArcSight, McAfee ESM, and AlienVault, and visualization platforms including Kibana, Grafana, and Tableau. Automation patterns use secure transport layers such as SSH, TLS, and OpenVPN to ship logs to centralized collectors, while log aggregation leverages message brokers like Kafka or storage systems like HDFS for large-scale analytics. For cross-host investigations, teams reference orchestration and ticketing systems such as JIRA, ServiceNow, PagerDuty, and Rundeck.
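The four paragraphs above describe the query options (time range, key, audit UID), the raw and interpreted output forms, and the privileged-command monitoring use case. The following is an added example, not code from the audit project: a small Python script that parses records in the format `ausearch --raw` prints, groups them into events by the `audit(time:serial)` header, applies the same constraints ausearch exposes as `-ts`, `-te`, `-k` and `-ua`, resolves numeric fields the way `ausearch -i` does, and flags successful `execve` calls that ran with effective UID 0 on behalf of a non-root login user. The sample records, the UID-to-name map and the two-entry syscall table are constructed for the example and are not from a real host.

```python
"""Parse and filter raw Linux audit records as `ausearch --raw` prints them.

Added example (not part of the audit project). The records below are
constructed samples; the uid/syscall lookup tables are deliberately small.
"""
import errno
import re
from datetime import datetime, timezone

# Constructed sample of `ausearch --raw` output: three events (serials 301-303).
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=7ffd3 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="priv_exec"
type=EXECVE msg=audit(1700000000.101:301): argc=2 a0="sudo" a1="id"
type=PROCTITLE msg=audit(1700000000.101:301): proctitle=7375646F006964
type=SYSCALL msg=audit(1700000000.250:302): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55aa a2=80000 a3=0 items=1 ppid=1200 pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="shadow_access"
type=PATH msg=audit(1700000000.250:302): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=USER_LOGIN msg=audit(1700000001.000:303): pid=900 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# A field is NAME=VALUE where VALUE is single-quoted, double-quoted or bare.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Small lookup tables standing in for what `ausearch -i` reads from the
# system (constructed; a real host resolves via /etc/passwd and the syscall table).
UID_NAMES = {"0": "root", "1000": "alice", "4294967295": "unset"}
SYSCALL_X86_64 = {59: "execve", 257: "openat"}


def parse_fields(body):
    """Split a record body into a dict, stripping surrounding quotes."""
    return {k: v.strip("'\"") for k, v in FIELD_RE.findall(body)}


def parse_raw(text):
    """Group raw records into events keyed by the audit(time:serial) header,
    preserving record order within an event (PATH records may repeat)."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not a raw audit record (e.g. the '----' separators)
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"time": float(ts), "serial": int(serial), "records": []})
        fields = parse_fields(body)
        fields["type"] = rtype
        ev["records"].append(fields)
    return [events[s] for s in sorted(events)]


def first_record(event, rtype):
    """Return the first record of the given type in an event, or None."""
    return next((r for r in event["records"] if r["type"] == rtype), None)


def filter_events(events, key=None, auid=None, start=None, end=None):
    """Apply the same constraints ausearch exposes as -k, -ua, -ts and -te."""
    out = []
    for ev in events:
        if start is not None and ev["time"] < start:
            continue
        if end is not None and ev["time"] > end:
            continue
        if key is not None and key not in {r.get("key") for r in ev["records"]}:
            continue
        if auid is not None and str(auid) not in {r.get("auid") for r in ev["records"]}:
            continue
        out.append(ev)
    return out


def decode_hex(value):
    """Decode a hex-encoded audit string (NUL bytes separate argv words)."""
    return bytes.fromhex(value).replace(b"\0", b" ").decode("utf-8", "replace")


def interpret(event):
    """Resolve numeric fields the way `ausearch -i` does."""
    out = {"serial": event["serial"],
           "time": datetime.fromtimestamp(event["time"], tz=timezone.utc).isoformat()}
    sc = first_record(event, "SYSCALL")
    if sc:
        out["syscall"] = SYSCALL_X86_64.get(int(sc["syscall"]), sc["syscall"])
        rc = int(sc["exit"])  # negative exit values are -errno
        out["exit"] = errno.errorcode.get(-rc, str(rc)) if rc < 0 else str(rc)
        out["auid"] = UID_NAMES.get(sc["auid"], sc["auid"])
        out["euid"] = UID_NAMES.get(sc["euid"], sc["euid"])
        out["key"] = sc.get("key")
    pt = first_record(event, "PROCTITLE")
    if pt:
        out["proctitle"] = decode_hex(pt["proctitle"])
    path = first_record(event, "PATH")
    if path:
        out["path"] = path["name"]
    return out


def flag_privileged_exec(events):
    """Detection: a successful execve whose effective uid is 0 while the audit
    (login) uid is a real non-root user. Returns the matching serials."""
    hits = []
    for ev in events:
        sc = first_record(ev, "SYSCALL")
        if not sc or sc.get("syscall") != "59" or sc.get("success") != "yes":
            continue
        if sc.get("euid") == "0" and sc.get("auid") not in ("0", "4294967295"):
            hits.append(ev["serial"])
    return hits


if __name__ == "__main__":
    evs = parse_raw(SAMPLE_RAW)
    for ev in filter_events(evs, key="shadow_access"):
        print(interpret(ev))
    print("privileged exec serials:", flag_privileged_exec(evs))
```

The grouping by serial matters: a single syscall produces several records (SYSCALL, EXECVE, PATH, PROCTITLE) that share one header, and a key set by an auditctl rule appears only on the SYSCALL record, so filtering must look across the whole event rather than at individual lines. Hex-encoded values such as `proctitle` are only decoded for fields known to carry strings; the `a0`-`a3` values on a SYSCALL record are register arguments and must be left as numbers.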
ausearch originated alongside the Linux auditing facilities developed in the mid-2000s with contributions from Red Hat engineers and the broader Linux kernel community. It evolved through iterations of the audit package and enhancements in kernels maintained by contributors associated with projects such as Greg Kroah-Hartman's stable trees and corporate sponsors. Over time, ausearch has incorporated features to support modern environments including containers and cloud platforms like Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Development and packaging have been influenced by distribution maintainers from Debian, Ubuntu, Arch Linux, and enterprise vendors, while security researchers from organizations like CERT, MITRE, SANS Institute, and NIST have referenced audit tooling in guidance and threat-hunting playbooks.