Ubuntu - Auditing - View audit reports

aureport is a tool that produces summary reports of the audit system log.

Without any parameters, aureport will generate a summary report of audit activity.

sudo aureport

result:

Summary Report
======================
Range of time in logs: 16/07/16 01:32:46.053 - 16/07/16 10:34:01.482
Selected time for report: 16/07/16 01:32:46 - 16/07/16 10:34:01.482
Number of changes in configuration: 2
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 4
Number of terminals: 14
Number of host names: 6
Number of executables: 107
Number of commands: 155
Number of files: 186
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 33
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 8
Number of process IDs: 29325
Number of events: 31471

This summary already contains useful information.

For example, the line "Number of failed authentications: 1" shows that one authentication attempt failed.

Using aureport, we can drill down to that event.

To look deeper at failed authentications, run the authentication report with the -au parameter:

sudo aureport -au

result:

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 16/07/16 07:21:50 anonymous ::ffff:198.20.70.114 ftp /usr/sbin/vsftpd no 3104248
2. 16/07/16 09:07:47 peter ? /dev/pts/0 /usr/bin/sudo yes 3106600
3. 16/07/16 10:33:53 peter ? /dev/pts/0 /usr/bin/sudo yes 3107479

Row 1 has a “no” in the success column near the end of the line, which indicates that the authentication failed (here, an anonymous FTP login to /usr/sbin/vsftpd from ::ffff:198.20.70.114). The last column is the audit event number, which can be used to look up the full event record.
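On a busy host the authentication report is long, so it is worth filtering it to the failed rows and counting failures per account and source address. The following script is an added example, not part of the original page or of the audit tools; it parses a constructed copy of the aureport -au output above (one extra failed row added for illustration) with awk, keying on the success column.

```shell
#!/bin/sh
# Constructed sample of `aureport -au` output, modelled on the report above.
# Not captured from a real host; row 4 is added to illustrate counting.
SAMPLE_AU_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 16/07/16 07:21:50 anonymous ::ffff:198.20.70.114 ftp /usr/sbin/vsftpd no 3104248
2. 16/07/16 09:07:47 peter ? /dev/pts/0 /usr/bin/sudo yes 3106600
3. 16/07/16 10:33:53 peter ? /dev/pts/0 /usr/bin/sudo yes 3107479
4. 16/07/16 10:40:12 anonymous ::ffff:198.20.70.114 ftp /usr/sbin/vsftpd no 3107601'

# Print only the failed rows of an authentication report read from stdin.
# Data rows start with "N."; field 8 is the success column ("yes"/"no").
failed_auth_rows() {
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no"'
}

# Count failed rows per account and host, most frequent first.
# Output lines look like: "<count> <acct> <host>".
failed_auth_by_source() {
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no" { n[$4 " " $5]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Total number of failed rows, handy for a simple threshold check.
failed_auth_count() {
    failed_auth_rows | wc -l | tr -d ' '
}

# Run the helpers over the constructed sample.
printf '%s\n' "$SAMPLE_AU_REPORT" | failed_auth_rows
printf '%s\n' "$SAMPLE_AU_REPORT" | failed_auth_by_source
```

On a live system the same helpers can be fed directly, for example `sudo aureport -au | failed_auth_by_source`. aureport itself also accepts `--failed` to restrict a report to failed events, which avoids the awk filter entirely but does not give the per-source counts.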


To report on modifications to accounts, groups, or roles, use the -m parameter:

sudo aureport -m

result:

=================================================
# date time auid addr term exe acct success event
=================================================
<no events of interest were found>