Quickly find auditd events by user, program, time or key to investigate security and system issues.

03.07.2026 | reading time: 2 min

When an administrator needs to find out who did what and when, "ausearch" digs through the auditd records with filters for user, command, PID, time range and more; it turns noisy binary logs into focused evidence fast. It reads /var/log/audit/audit.log (or a file given with "-if"), so it normally has to run as root.

Hands-on example

Scenario: inspect failed sudo attempts since the start of yesterday and show the raw audit records. Note that "--start" takes a date/time or one of ausearch's keywords ("now", "recent", "today", "yesterday", "this-week", "boot", ...), not a relative value such as "24h". With "--raw" the records are printed exactly as logged, without the "----" separators and "time->" lines of the default output, which makes them suitable for piping into scripts or "aureport".

```
ausearch -c sudo -sv no --start yesterday --raw
type=SYSCALL msg=audit(1620000000.123:456): arch=c000003e syscall=59 success=no exit=-13 a0=... comm="sudo" exe="/usr/bin/sudo" pid=1234 auid=1001 uid=0 gid=0 ses=2 subj=unconfined key="sudo-fail"
type=AVC msg=audit(1620000000.124:457): avc: denied { execute } for pid=1234 comm="sudo" exe="/usr/bin/sudo" scontext=system_u:system_r:sudo_t tcontext=unconfined_u:object_r:bin_t tclass=file
```

The output above is illustrative and abbreviated: syscall 59 on x86_64 is execve, exit=-13 is EACCES, and the AVC record is the SELinux denial that caused it. Wrong-password attempts do not fail a syscall; they are logged by sudo's PAM stack as USER_AUTH records with res=failed, so add "-m USER_AUTH" to narrow the search to those.

Options to remember

Useful filters: "-k" for audit keys, "-m" to restrict message types, "-ua" to filter by auid (the login uid that survives su and sudo), "-c" to restrict by command name (the comm field), "-x" for the executable path, "-p" for PID, "-ts"/"--start" and "-te"/"--end" for time ranges, "-sv yes|no" to keep only successful or only failed events, and "--raw" or "-i" for raw or interpreted output ("-i" resolves uids, syscall numbers and similar fields to names using the current system's tables).

Where it shines

Use ausearch for incident response, compliance evidence, spotting brute-force or sudo misuse, and for troubleshooting SELinux-related denials by filtering AVC and syscall records; it pairs well with simple scripts that extract timestamps, PIDs and auids from the raw records for deeper analysis.

Nearby tools

Complementary utilities include "aureport" for summarized audit reports, "auditctl" to manage the rules that generate events, and "journalctl" or SIEM tools to correlate audit records with system logs or external feeds.

Takeaway

ausearch gives the administrator precise, scriptable access to auditd's event stream, making security investigations and compliance checks practical; deepen that skill and consider exam prep such as CompTIA Linux+ or LPIC-1 with focused courses at bitsandbytes.academy.
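The filters listed under "Options to remember" and the scripting idea from "Where it shines" come together in the following added example, which is not part of the original article. It feeds raw ausearch output (the shape produced by "ausearch --raw -m USER_AUTH -x sudo -sv no -ts yesterday") through awk to pull the epoch timestamp, serial, PID, auid and result out of each record, counts failed sudo authentications per auid, and flags an auid whose failures cluster inside a time window, which is the brute-force signal the article mentions. The USER_AUTH records embedded in sample_records are constructed sample data, not logs from a real host; the function and variable names are the author's own choices; and the records are assumed to arrive in chronological order, as ausearch prints them from the log. Only investigate_sudo touches the real audit log and therefore needs root; everything else runs offline on the sample.

```shell
#!/bin/sh
# Added example: summarise failed sudo authentications from raw ausearch output.
# Not part of the original article. Names and sample records are assumptions.

# Constructed sample of what `ausearch --raw -m USER_AUTH -x sudo -sv no` prints.
# The final res=success line would not be returned with -sv no; it is included so
# the parser's own result filter is exercised.
sample_records() {
  cat <<'EOF'
type=USER_AUTH msg=audit(1620000000.101:300): pid=1201 uid=1001 auid=1001 ses=2 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1620000012.330:301): pid=1201 uid=1001 auid=1001 ses=2 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1620000031.008:302): pid=1201 uid=1001 auid=1001 ses=2 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1620003600.500:410): pid=1300 uid=1002 auid=1002 ses=3 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=USER_AUTH msg=audit(1620003700.000:415): pid=1300 uid=1002 auid=1002 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
EOF
}

# extract_fields: raw records on stdin -> one line per record:
#   "<epoch seconds> <serial> <pid> <auid> <res>"
extract_fields() {
  awk '
  {
    # msg=audit(1620000000.101:300): -> epoch 1620000000, serial 300
    if (match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)) {
      stamp = substr($0, RSTART + 6, RLENGTH - 7)
      split(stamp, parts, /[.:]/)
      epoch = parts[1]; serial = parts[3]
    } else next
    print epoch, serial, field($0, "pid="), field($0, "auid="), field($0, "res=")
  }
  # Value of "key=..." on the line. The key is looked up with a leading space so
  # "auid=" never matches inside "uid=" and vice versa; "?" means not present.
  function field(line, key,   s) {
    s = index(line, " " key)
    if (s == 0) return "?"
    line = substr(line, s + length(key) + 1)
    sub(/[^A-Za-z0-9_]+.*/, "", line)   # cut at the first non-word character
    return line
  }'
}

# failed_per_auid: "<auid> <failures> <first epoch> <last epoch>", sorted by auid.
failed_per_auid() {
  extract_fields | awk '
  $5 == "failed" {
    n[$4]++
    if (!($4 in first)) first[$4] = $1
    last[$4] = $1
  }
  END { for (a in n) print a, n[a], first[a], last[a] }' | sort
}

# flag_bursts THRESHOLD WINDOW: print each auid with >= THRESHOLD failures
# inside any WINDOW-second span (records assumed in chronological order).
flag_bursts() {
  extract_fields | awk -v thr="$1" -v win="$2" '
  $5 == "failed" { ts[$4] = ts[$4] " " $1 }
  END {
    for (a in ts) {
      m = split(ts[a], t, " ")
      for (i = 1; i <= m; i++) {
        c = 0
        for (j = i; j <= m; j++) if (t[j] - t[i] <= win) c++
        if (c >= thr) { print a; break }
      }
    }
  }' | sort
}

# investigate_sudo: the live version against the host audit log (run as root).
# "yesterday" is one of ausearch's own time keywords.
investigate_sudo() {
  ausearch --raw -m USER_AUTH -x sudo -sv no -ts yesterday | failed_per_auid
}

# Offline demonstration on the constructed sample.
echo "failed sudo authentications per auid (auid count first last):"
sample_records | failed_per_auid
echo "auids with 3 or more failures inside 60 seconds:"
sample_records | flag_bursts 3 60
```

The "-ua" filter is deliberately applied after the fact here: auditd stamps every record with the login uid, so grouping on auid rather than uid attributes a failed "sudo" to the person who logged in even when they had already switched identity. For a real run, replace the sample with `investigate_sudo`, or pipe `ausearch --raw ...` straight into `flag_bursts`.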
Tags: security, troubleshooting, utilities

This article was created with the help of AI.