Which is the best tool to analyze Audit.log


Hi,

Which is the best tool to analyze the audit log? I have tried access lab log analyzer and it's not detecting the format.

Regards,
Ben

Responses

Hi,

cat /var/log/audit/audit.log | audit2why

So far...

There are a lot of ways to parse audit logs, depending on what you want and what you have, but the built-in tools are just as powerful as expensive SIEM solutions, which usually just prettify the output for faster and easier correlation. Some tools that are part of RHEL are aureport, ausearch, aulast, aulastlog, ausyscall, autrace, auvirt, auformat and auparse.

aureport is probably the place you will want to start.

Bradley mentioned all the tools, though some of them aren't available in RHEL's audit package.

[root@a72 ~]# rpm -ql audit | grep bin/
/sbin/audispd
/sbin/auditctl
/sbin/auditd
/sbin/augenrules
/sbin/aureport
/sbin/ausearch
/sbin/autrace
/usr/bin/aulast
/usr/bin/aulastlog
/usr/bin/ausyscall
/usr/bin/auvirt

They each have man pages. What's best for you totally depends on what you're inspecting the audit.log for... e.g., if you're interested in SELinux events, you want aureport -a and ausearch -m avc and audit2why and audit2allow and sealert and, well, just take a look here if that's really what you're interested in: bit.ly/selinux7.
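For readers who want to see why a generic log analyzer fails on audit.log and what the audit tools are doing under the hood, here is an added example (not from this thread, the audit package, or Red Hat) that parses the raw key=value record format with POSIX sh and awk only. It assumes nothing beyond sh, awk and sort, so it runs where auditd is not installed; the sample records are constructed for the example and are not from a real system. The three functions mirror three of the questions above: summarize AVC denials by context (roughly what aureport -a / ausearch -m avc give you), list failed logins by source address (roughly aureport -au --failed), and pull together every record that shares one event serial, which is how ausearch groups an AVC with its SYSCALL record.

```shell
#!/bin/sh
# Added example: parse auditd's key=value record format with POSIX sh + awk.
# Constructed sample records (not from any real host). In real use replace
# sample_log with: cat /var/log/audit/audit.log
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7f1c2c0019a0 a1=80000 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000001.500:457): avc:  denied  { name_connect } for  pid=1240 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000001.500:457): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=55d0c1a4b2c0 a2=10 a3=0 items=0 ppid=1200 pid=1240 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1700000002.750:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="about.html" dev="dm-0" ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000002.750:458): arch=c000003e syscall=2 success=no exit=-13 a0=7f1c2c001b40 a1=80000 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=USER_LOGIN msg=audit(1700000100.000:459): pid=2000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000105.000:460): pid=2001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000110.000:461): pid=2002 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.4 terminal=/dev/pts/0 res=success'
EOF
}

# stdin: raw audit records; stdout: one line per AVC denial:
#   "<scontext> <tcontext> <tclass> <permissions>"
avc_denials() {
    awk '$1 == "type=AVC" && /avc:  denied/ {
        sc = tc = cl = perm = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sc = kv[2]
            else if (kv[1] == "tcontext") tc = kv[2]
            else if (kv[1] == "tclass") cl = kv[2]
        }
        # the requested permission set sits between the first pair of braces
        if (match($0, /[{][^}]*[}]/))
            perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
        print sc, tc, cl, perm
    }'
}

# Count identical denials, most frequent first (what you would feed to audit2why).
avc_summary() {
    avc_denials | awk '{ n[$0]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# stdin: raw audit records; stdout: "<addr> <acct>" for every failed USER_LOGIN.
failed_logins() {
    awk '$1 == "type=USER_LOGIN" && /res=failed/ {
        addr = acct = "?"
        for (i = 1; i <= NF; i++) {
            if (index($i, "addr=") == 1) addr = substr($i, 6)
            if (index($i, "acct=") == 1) { acct = substr($i, 6); gsub(/"/, "", acct) }
        }
        print addr, acct
    }'
}

# stdin: raw audit records; $1: event serial (the number after the colon in
# msg=audit(<epoch>.<ms>:<serial>)). Records of one event share that serial,
# which is how an AVC is tied to the SYSCALL that triggered it.
# stdout: the record types of that event, space separated.
event_types() {
    awk -v serial="$1" '{
        if (match($2, /:[0-9]+\):$/)) {
            s = substr($2, RSTART + 1, RLENGTH - 3)
            if (s == serial) types = types (types != "" ? " " : "") substr($1, 6)
        }
    } END { print types }'
}

# Demo on the constructed sample.
sample_log | avc_summary
sample_log | failed_logins
sample_log | event_types 456
```

Two things the script makes visible: every field is key=value separated by single spaces except the free-text "avc:  denied  { perms } for" part, which is why tools expecting syslog or CSV give up on the format; and the timestamp is a raw epoch, which is what ausearch -i translates for you. For anything beyond a quick look, use the real tools (ausearch -m avc, aureport -a, aureport -au --failed, ausearch -a <serial>) rather than hand-rolled awk, since they also handle hex-encoded fields and multi-line events correctly.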
