I am trying to use the ausearch tool to search my auditd logs for specific entries.

The problem is that most of the entries in audit.log appear to be unsearchable. Searching with matching parameters often returns <no matches>, even though there is a matching entry in the log.

For example, here is a sample entry from /var/log/audit/audit.log:

type=SYSCALL msg=audit(1440053711.929:69343): arch=c000003e syscall=59 success=yes exit=0 a0=7f2abbb5d328 a1=7f2abbb5d1a0 a2=7f2abbb5d1c0 a3=7f2abb8199d0 items=0 ppid=16908 pid=16911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" key=(null)

And here is the output of sudo ausearch -a 69343:

user@host:~$ sudo ausearch -a 69343
<no matches>

Same occurs if the file is specified:

user@host:~$ sudo ausearch -a 69343 -if /var/log/audit/audit.log
<no matches>

This is not limited to the -a parameter:

user@host:~$ sudo ausearch -c rm
----
time->Sat Aug 22 11:09:50 2015
type=SERVICE_START msg=audit(1440266990.836:263): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="apparmor" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Sat Aug 22 16:52:40 2015
type=SERVICE_START msg=audit(1440287560.408:264): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="apparmor" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Sat Aug 22 18:42:12 2015
type=SERVICE_START msg=audit(1440294132.412:253): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="apparmor" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Mon Aug 24 15:13:21 2015
type=SERVICE_START msg=audit(1440454401.484:253): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="apparmor" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

(Notice that the event in question is not in the output.)

user@host:~$ sudo ausearch -m SYSCALL | grep 69343
user@host:~$ sudo ausearch -p 16911
<no matches>
user@host:~$ sudo ausearch -pp 16908
<no matches>

What am I doing wrong?

EDIT: The raw output of ausearch also leaves out said entries:

user@host:~$ sudo ausearch -r -p 16911
user@host:~$ 
user339676

0 Answers
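One way to cross-check the raw log independently of ausearch, as an added example that is not part of the question or of the audit package: a small parser for the `type=... msg=audit(secs.ms:serial): key=value ...` record format that filters on serial, pid, ppid or comm. The sample records are constructed from the lines quoted above; note that the serial restarts when auditd restarts (two SERVICE_START records above carry serial 253), so the full event id `secs.ms:serial` identifies an event more reliably than the serial alone.

```python
import re
from datetime import datetime, timezone

# Constructed sample log, modelled on the records quoted in the question
# (two SERVICE_START records share serial 253, as in the ausearch -c output).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1440053711.929:69343): arch=c000003e syscall=59 success=yes exit=0 a0=7f2abbb5d328 items=0 ppid=16908 pid=16911 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" key=(null)
type=SERVICE_START msg=audit(1440294132.412:253): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="apparmor" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1440454401.484:253): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="apparmor" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Record header: type=<T> msg=audit(<secs>.<ms>:<serial>): <key=value ...>
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# Values are double-quoted, single-quoted (the nested msg='...' payload), or bare tokens.
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Parse one audit record into a dict; return None for separators or junk."""
    m = HEADER.match(line)
    if m is None:
        return None
    rtype, secs, msecs, serial, rest = m.groups()
    rec = {
        "type": rtype,
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
        "serial": int(serial),
        "event_id": f"{secs}.{msecs}:{serial}",
    }
    # Fields inside a quoted msg='...' payload stay inside that one value,
    # so comm="apparmor" in a SERVICE_START record is not a top-level comm.
    for key, value in FIELD.findall(rest):
        rec[key] = value.strip("\"'")
    return rec

def search(log_text, serial=None, pid=None, ppid=None, comm=None):
    """Return records matching every given criterion (cf. ausearch -a/-p/-pp/-c)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if serial is not None and rec["serial"] != serial:
            continue
        if pid is not None and rec.get("pid") != str(pid):
            continue
        if ppid is not None and rec.get("ppid") != str(ppid):
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in search(SAMPLE_LOG, serial=69343):
        print(rec["event_id"], rec["time"].isoformat(), rec["type"], rec.get("comm"))
```

Run it against the real file with `search(open("/var/log/audit/audit.log").read(), serial=69343)` to confirm the record is physically present before suspecting the log itself.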