Generating Audit Reports

Search audit data and generate audit reports with the ausearch and aureport commands.

Stringent auditing requirements generate large amounts of audit data and can impose a significant performance overhead. Some site security policies stipulate that a system must shut down if events can't be recorded because the audit volumes have exceeded their capacity. Sending auditing data to separate file systems in rotation to prevent overspill and to ease backups is considered good practice.
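The "shut down rather than lose events" policy described above is enforced by auditd's space-exhaustion actions. The following script is an added example, not part of the Oracle Linux documentation: it assumes the "key = value" layout of /etc/audit/auditd.conf and the option names documented in auditd.conf(5) (admin_space_left_action, disk_full_action, num_logs, max_log_file_action); the configuration it writes is a constructed sample. It reads a setting, checks whether the configured actions actually take the system down when audit storage runs out, and shows a hardened copy beside the original.

```shell
# Added example, not part of the Oracle Linux documentation. Assumes the
# "key = value" layout of /etc/audit/auditd.conf and the option names from
# auditd.conf(5). The file written below is a constructed sample.

SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample of /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
EOF

# auditd_get FILE KEY: print the value of KEY, ignoring comments and whitespace
auditd_get() {
    awk -F'=' -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
        }' "$1"
}

# check_full_disk_policy FILE: succeed (0) only if auditd takes the system
# down (HALT or SINGLE) both when the admin low-space threshold is crossed
# and when the disk is full. SUSPEND merely stops auditd writing records,
# so the system keeps running and events are lost.
check_full_disk_policy() {
    admin=$(auditd_get "$1" admin_space_left_action | tr '[:lower:]' '[:upper:]')
    full=$(auditd_get "$1" disk_full_action | tr '[:lower:]' '[:upper:]')
    case "$admin" in HALT|SINGLE) ;; *) return 1 ;; esac
    case "$full"  in HALT|SINGLE) return 0 ;; *) return 1 ;; esac
}

# A hardened copy of the sample that halts instead of suspending logging
HARDENED_CONF=$(mktemp)
sed -e 's/^admin_space_left_action = .*/admin_space_left_action = HALT/' \
    -e 's/^disk_full_action = .*/disk_full_action = HALT/' \
    "$SAMPLE_CONF" >"$HARDENED_CONF"

# Stand-alone demonstration: the sample fails the check, the hardened copy passes
for f in "$SAMPLE_CONF" "$HARDENED_CONF"; do
    if check_full_disk_policy "$f"; then
        echo "$f: halts when audit storage is exhausted"
    else
        echo "$f: keeps running and may lose events (check disk_full_action and admin_space_left_action)"
    fi
done
```

Run the check against the real /etc/audit/auditd.conf on a host whose site policy requires shutdown; a SUSPEND or IGNORE value on either action means the policy is not enforced. Changing these values on a live system should be tested first, since HALT will take the host down the moment the audit volume fills.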

Tagging audit records can make it more straightforward to search an audit volume by running the ausearch command and referring to those tags. For example, to examine records that are tagged with the string sudoers-change, run the following command:

sudo ausearch -k sudoers-change

The aureport command generates summaries of audit data. For example, the following command generates a report that shows every sign-in event from 1 second after midnight on the previous day until the current time:

sudo aureport -l -i -ts yesterday -te now

For more information, see the ausearch(8) and aureport(8) manual pages.
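To show what the key tag and the time window in the two commands above actually select, the following script is an added example, not part of the Oracle Linux documentation. It assumes the record layout auditd writes to /var/log/audit/audit.log (every record carries msg=audit(SECONDS.MILLIS:SERIAL), records matched by a rule carry key="...", and login attempts are type=USER_LOGIN records with res=success or res=failed) and that the sudoers-change tag comes from a watch rule of the form auditctl -w /etc/sudoers -p wa -k sudoers-change. The log records are constructed, not captured from a real host. The functions reproduce, in awk, the key filter of ausearch -k and the login count behind aureport -l, with the -ts/-te window expressed as epoch seconds.

```shell
# Added example, not part of the Oracle Linux documentation. Assumes the
# standard auditd record layout; the records below are constructed. The key is
# assumed to come from a rule such as: auditctl -w /etc/sudoers -p wa -k sudoers-change

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000100.101:2001): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="sudoers-change"
type=PATH msg=audit(1700000100.101:2001): item=0 name="/etc/sudoers" inode=1234 mode=0100440 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1700000200.250:2002): pid=900 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000300.400:2003): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="sudoers-change"
type=USER_LOGIN msg=audit(1700000400.500:2004): pid=901 uid=0 auid=1002 ses=6 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=failed'
EOF

# audit_key_search FILE KEY [START_EPOCH] [END_EPOCH]
# Print records tagged with KEY whose timestamp lies in [START, END]: the
# selection that "ausearch -k KEY -ts ... -te ..." performs.
audit_key_search() {
    awk -v key="$2" -v start="${3:-0}" -v end="${4:-9999999999}" '
        match($0, /msg=audit\([0-9]+/) {
            ts = substr($0, RSTART + 10, RLENGTH - 10) + 0   # epoch seconds
            if (ts >= start && ts <= end && index($0, "key=\"" key "\"") > 0) print
        }' "$1"
}

# count_logins FILE RESULT [START_EPOCH] [END_EPOCH]
# Count USER_LOGIN records with res=RESULT (success|failed) in the window,
# the figure that "aureport -l" summarises.
count_logins() {
    awk -v want="$2" -v start="${3:-0}" -v end="${4:-9999999999}" '
        $1 == "type=USER_LOGIN" && match($0, /msg=audit\([0-9]+/) {
            ts = substr($0, RSTART + 10, RLENGTH - 10) + 0
            if (ts >= start && ts <= end && index($0, "res=" want) > 0) n++
        }
        END { print n + 0 }' "$1"
}

# Stand-alone demonstration
echo "records tagged sudoers-change:"
audit_key_search "$SAMPLE_LOG" sudoers-change
echo "successful logins: $(count_logins "$SAMPLE_LOG" success)"
echo "failed logins:     $(count_logins "$SAMPLE_LOG" failed)"
```

Note that only the SYSCALL records carry the key; the PATH record that belongs to the same event shares its serial number (2001) but is not tagged, which is why ausearch groups records by serial when it prints a full event. A run of failed logins in a short window is the kind of result worth feeding into a scheduled aureport job.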

You can also set up cron jobs or systemd timers that run aureport periodically to generate reports of interest. For more information about scheduling those tasks, see Oracle Linux 8: Automating System Tasks With cron and Oracle Linux 8: Managing the System With systemd.