zoukankan      html  css  js  c++  java

  • linux audit (9)--生成audit报表

    aureport这个命令可以生成一个总结性的柱状图报表,默认情况下,在/var/log/audit目录下的所有日志文件都会生成一个报表,也可以使用如下命令来指定一个不同的文件,aureport options -if file_name。


    1、按照时间来生成报告:

    ~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00

    2、To generate a report of all executable file events, use the following command:

    ~]# aureport -x

    结果如下所示:

    :~ # aureport -x

Executable Report
====================================
# date time exe term host auid event
====================================
1. 04/18/2018 18:33:56 /usr/lib/systemd/systemd ? ? -1 4
2. 04/18/2018 18:34:01 /usr/sbin/crond cron ? -1 5
3. 04/18/2018 18:34:01 /usr/sbin/crond cron ? -1 6
4. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 8
5. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 9
6. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 10
7. 04/18/2018 18:34:01 /usr/sbin/crond cron ? 0 11
8. 04/18/2018 18:36:01 /usr/sbin/crond cron ? -1 12
9. 04/18/2018 18:36:01 /usr/sbin/crond cron ? -1 13
10. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 15
11. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 16
12. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 17
13. 04/18/2018 18:36:01 /usr/sbin/crond cron ? 0 18
14. 04/18/2018 18:38:01 /usr/sbin/crond cron ? -1 19
15. 04/18/2018 18:38:01 /usr/sbin/crond cron ? -1 20
16. 04/18/2018 18:38:01 /usr/sbin/crond cron ? 0 22

    3、To generate a summary of the executable file event report above, use the following command:

    ~]# aureport -x --summary
    4、To generate a summary report of failed events for all users, use the following command:
    ~]# aureport -u --failed --summary -i
    5、To generate a summary report of all failed login attempts per each system user, use the following command:
    ~]# aureport --login --summary -i

    6、To generate a report from an ausearch query that searches all file access events for user ID 1000, use the following command:

    ~]# ausearch --start today --loginuid 1000 --raw | aureport -f --summary

    7、To generate a report of all Audit files that are queried and the time range of events they include, use the following command:

    ~]# aureport -t

    For a full listing of all aureport options, see the aureport(8) man page.
  • 相关阅读:
    RabbitMQ
    连接池,为什么要使用连接池?
    mac 安装arcanist
    感触
    UDP socket
    Servlet过滤器
    PL、SQL
    springmvc 文件上传实现(不是服务器的)
    注解spring
    excel工具类
  • 原文地址:https://www.cnblogs.com/xingmuxin/p/8876145.html
Copyright © 2011-2022 走看看