Linux audit log: dealing with audit.log file

The Linux kernel audit framework consists of several components: the auditd daemon, the auditctl control client, the audit rules, and the audit log that the daemon writes. In this article we look at reading the audit.log file, setting its file permissions, and forwarding it to a central log host.


The first useful utility to parse the audit.log is aureport. Without parameters it gives a summary of all events, with counts for files, users, audit keys and also items like suspicious events (anomalies). Each of these sub items can be reported on its own with the related parameter, for example aureport -f (files), -u (users), -k (audit keys) and -n (anomalies). The detailed reports end with an event ID column, which is the value needed for searching.


To actually search the audit log file, use the ausearch utility. With the -a parameter an event ID can be given, which is the ID shown in the aureport output. To limit the number of entries, use the --start and/or --end parameters (for example --start today or --start recent). When using an alternative file instead of the default /var/log/audit/audit.log, use the --input parameter followed by the file name.


By default the audit log is located in the /var/log/audit directory. Only root has access to this file. Since it is preferred to also store this log file on a central log host, the permissions of both the directory and the log file should be adjusted to give the user ID that the syslog daemon runs as (syslog on Debian and Ubuntu) at least read access. Depending on the usage of the system the adm group could get access as well, or access can be limited to root only. Keep in mind that auditd manages the ownership and mode of its log directory and log file itself, using the log_group setting in /etc/audit/auditd.conf, so set that to the group that should have read access rather than relying on a manual chmod or chown alone. The directory could then look like this in ls -l output:

drwxr-x--- 2 syslog adm          4096 Mar 21 05:33 audit

Remote logging

To remotely log the audit data to a central node, use the imfile (file monitor) input module from rsyslog. It tails the audit log and turns every line into a syslog message, which is then forwarded like any other message. Example configuration for /etc/rsyslog.conf in the legacy directive syntax (newer rsyslog versions also accept the equivalent module(load="imfile") and input(type="imfile" ...) statements):

# Added (load file monitor module)
$ModLoad imfile

# Added (at bottom of configuration)
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
# Activate the monitor defined by the parameters above; without this line nothing is read
$InputRunFileMonitor

# Forward the audit facility to the central log host (@@ = TCP, @ = UDP);
# replace loghost with the real host name or address
local6.* @@loghost:514


Tip: The receiving syslog daemon prepends its own columns (timestamp, host name and the configured tag) to every forwarded line. Depending on the log server software used, make sure to strip these unwanted columns again before analysis, so the file is back in the native type=... msg=audit(...) format that aureport and ausearch (with --input) expect.
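The following script is an added example, not part of the original article or of the audit tools themselves. It ties the tip above to the aureport and ausearch usage described earlier: it strips the prefix that a receiving rsyslog adds to lines forwarded with the tag tag_audit_log: from the configuration above, and extracts the event IDs (the serial in msg=audit(timestamp:serial)) that ausearch -a expects. The three audit records, the host name webserver and the abbreviated field contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): restore forwarded audit
# records to the native format and pull the event IDs out of them.
#
# Constructed sample of three audit records as they look on the central log
# host after rsyslog's imfile input forwarded them with the tag
# "tag_audit_log:" and the receiver wrote them in the traditional syslog
# file format. Field contents are abbreviated; the serial after the colon in
# msg=audit(timestamp:serial) (456, 457) is the event ID ausearch -a expects.
FORWARDED_SAMPLE='Mar 21 05:33:01 webserver tag_audit_log: type=SYSCALL msg=audit(1426916400.123:456): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="shadow-read"
Mar 21 05:33:01 webserver tag_audit_log: type=PATH msg=audit(1426916400.123:456): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42
Mar  1 05:34:10 webserver tag_audit_log: type=CWD msg=audit(1426916450.001:457): cwd="/root"'

# Remove the columns the receiving syslog daemon added in front of each line
# ("Mon DD HH:MM:SS host tag_audit_log: "), leaving the native audit record.
# Days below 10 are padded with an extra space in syslog timestamps, hence " +".
strip_syslog_prefix() {
    sed -E 's/^[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ tag_audit_log: //'
}

# Print the distinct event IDs found on stdin, one per line, in numeric order.
# Several records (SYSCALL, PATH, CWD, ...) share one ID; sort -u collapses them.
audit_event_ids() {
    sed -nE 's/.*msg=audit\([0-9]+\.[0-9]+:([0-9]+)\).*/\1/p' | sort -un
}

# Write the forwarded file ($1) back to a file in native format ($2),
# suitable for "ausearch --input" and "aureport --input".
restore_audit_log() {
    strip_syslog_prefix < "$1" > "$2"
}

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$FORWARDED_SAMPLE" > "$tmp/audit-forwarded.log"
    restore_audit_log "$tmp/audit-forwarded.log" "$tmp/audit.log"

    for id in $(audit_event_ids < "$tmp/audit.log"); do
        if command -v ausearch >/dev/null 2>&1; then
            # Real lookup by event ID in the restored file (needs audit userspace tools)
            ausearch --input "$tmp/audit.log" -a "$id" || echo "ausearch: no output for event $id"
        else
            # Fallback without ausearch: show the records that belong to this event
            echo "event $id:"
            grep "msg=audit([0-9.]*:$id)" "$tmp/audit.log"
        fi
    done
    rm -rf "$tmp"
}

main "$@"
```

The prefix pattern matches the traditional rsyslog file format; if the central host uses RFC 5424 output or a custom template, adjust the regular expression in strip_syslog_prefix accordingly and verify with a quick grep -c '^type=' that every line has been restored.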


This blog post is part of our Linux security series to get Linux and Unix-based systems more secure.
