Linux audit log: dealing with audit.log file

The Linux kernel audit framework consists of several components, including a daemon, a control client, audit rules and the Linux audit log. In this article we look at how to read the audit.log file and take additional measures to protect it.

Aureport

The first useful utility to parse the audit.log is aureport. Without parameters it gives a summary of all events. This includes the files, users, audit keys and also items like suspicious events (anomalies). Each of these sections can be reported on independently by using the related parameter.

Ausearch

To actually search in the audit log file, use the ausearch utility. With the -a parameter an event ID can be given, which is provided as one of the columns in the aureport output. To limit the number of entries, use the --start and/or --end parameters. When using an alternative file instead of the default /var/log/audit/audit.log, use the --input parameter followed by the file name.

Permissions

By default the audit log is located in the /var/log/audit directory. Only root has access to this file. Since it is preferred to also store this log file on a central log host, the permissions of both the directory and the log file should be adjusted to give the syslog user ID at least read access. Depending on how the system is used, the adm group could also be given access, or access can be limited to root only.

drwxr-x--- 2 syslog adm          4096 Mar 21 05:33 audit

Remote logging

To remotely log the audit data to a central node, use the file monitor from rsyslog. Example configuration for /etc/rsyslog.conf:

# Added (load file monitor module)
$ModLoad imfile

# Added (at bottom of configuration)
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@logserver.cisofy.com:65432

Tip: Depending on the log server software used, make sure to strip out any unwanted columns (such as the syslog timestamp, hostname and tag prefixed to each line), so that the files can again be parsed by the aureport and ausearch utilities.
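As an added example (not code from the article or from CISOfy), the following Python script does that stripping on the log host: it removes the rsyslog prefix from each forwarded line and keeps only well-formed audit records, so the result can be fed to ausearch --input. It assumes the tag_audit_log: tag from the configuration above and rsyslog's default "timestamp host tag message" line format; the sample lines are constructed, not real events.

```python
#!/usr/bin/env python3
"""Restore native audit.log records from lines forwarded by rsyslog's imfile.

Assumes the rsyslog configuration from the article ($InputFileTag
tag_audit_log:) and rsyslog's default line format on the log host:
"<timestamp> <host> <tag> <message>".
"""
import re
import sys
from typing import Iterable, List, Optional

AUDIT_TAG = "tag_audit_log:"  # must match $InputFileTag in rsyslog.conf

# Native audit records start with "type=<TYPE> msg=audit(<epoch>.<ms>:<serial>):"
AUDIT_RECORD = re.compile(r"^type=[A-Z0-9_\[\]]+ msg=audit\(\d+\.\d+:\d+\):")


def strip_syslog_prefix(line: str, tag: str = AUDIT_TAG) -> Optional[str]:
    """Return the audit record embedded in a forwarded syslog line.

    Everything up to and including the tag is removed. Returns None when
    the line does not carry the audit tag (some other daemon's message) or
    when what remains does not look like an audit record (e.g. truncated).
    """
    line = line.rstrip("\r\n")
    idx = line.find(tag)
    if idx == -1:
        return None
    record = line[idx + len(tag):].lstrip()
    if not AUDIT_RECORD.match(record):
        return None
    return record


def restore_audit_log(lines: Iterable[str]) -> List[str]:
    """Filter forwarded lines down to native audit records, in order."""
    return [r for r in (strip_syslog_prefix(l) for l in lines) if r is not None]


# Constructed sample of what the central log host receives (not real events).
SAMPLE_FORWARDED = [
    'Mar 21 05:33:01 webserver tag_audit_log: type=SYSCALL msg=audit(1584768781.123:456): arch=c000003e syscall=2 success=yes exit=3 key="passwd_changes"',
    'Mar 21 05:33:01 webserver tag_audit_log: type=PATH msg=audit(1584768781.123:456): item=0 name="/etc/passwd" inode=1234',
    "Mar 21 05:33:02 webserver sshd[1234]: Accepted publickey for alice from 192.0.2.10",
    "Mar 21 05:33:03 webserver tag_audit_log: type=SYSCALL msg=audit(15847",
]

if __name__ == "__main__":
    # Usage: restore_audit.py [forwarded.log] > audit.log ; then ausearch --input audit.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            records = restore_audit_log(fh)
    else:
        records = restore_audit_log(SAMPLE_FORWARDED)
    sys.stdout.write("\n".join(records) + "\n")
```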

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
