auditd — quick reference
auditd service
The auditd daemon writes kernel audit events to /var/log/audit/audit.log.
| When to use | Command |
|---|---|
| Check auditd status | sudo systemctl status auditd |
| Start auditd | sudo systemctl start auditd |
| Enable auditd at boot | sudo systemctl enable auditd |
| Reload auditd after config change | sudo systemctl reload auditd |
| Rotate logs immediately | sudo service auditd rotate |
On Rocky Linux 10, auditctl and augenrules ship in the audit-rules package (install alongside audit).
auditctl — list and manage rules
| When to use | Command |
|---|---|
| List active audit rules | sudo auditctl -l |
| Delete all rules (lab only) | sudo auditctl -D |
| Watch a file for writes and attribute changes | sudo auditctl -w /etc/passwd -p wa -k passwd_changes |
| Log all execve syscalls | sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_log |
| Log failed privileged commands | sudo auditctl -a always,exit -F arch=b64 -S all -F euid=0 -F exit=-EPERM -k privileged_fail |
| Show kernel audit status | sudo auditctl -s |
augenrules — persistent rules
| When to use | Command |
|---|---|
Check rule files under /etc/audit/rules.d/ |
sudo augenrules --check |
| Merge and load rules into the kernel | sudo augenrules --load |
| View generated rules file | sudo cat /etc/audit/audit.rules |
Place drop-in snippets in /etc/audit/rules.d/*.rules, then run augenrules --load.
ausearch — query the audit log
| When to use | Command |
|---|---|
| Search events from the last 10 minutes | sudo ausearch --start recent |
| Search by key name | sudo ausearch -k KEY |
| Search by audit event ID | sudo ausearch -a EVENT_ID |
| Search by username | sudo ausearch -ui USERNAME |
| Search failed syscalls | sudo ausearch --success no |
| Human-readable field decoding | sudo ausearch -i --start today |
| Search file-related events | sudo ausearch -f /etc/passwd |
aureport — summarized reports
| When to use | Command |
|---|---|
| Authentication summary | sudo aureport -au --summary |
| Executable summary | sudo aureport -x --summary |
| File access summary | sudo aureport -f --summary |
| Failed events only | sudo aureport --failed |
| AVC (SELinux) denials | sudo aureport -avc |
| Config change report | sudo aureport -c |
Helper tools
| When to use | Command |
|---|---|
| Map syscall name to number | ausyscall open |
| Show audit log path | grep log_file /etc/audit/auditd.conf |
auditd — command syntax
auditd daemon usage from Rocky Linux 10.2:
Usage: auditd [-f] [-l] [-n] [-s disable|enable|nochange] [-c <config_file>]auditctl accepts rule definitions on the command line; there is no --help flag on all builds — see the man page for full syntax.
ausearch synopsis (truncated from ausearch --help):
usage: ausearch [options]
-a,--event <Audit event id> search based on audit event id
-c,--comm <Comm name> search based on command line name
-f,--file <File name> search based on file name
-k,--key <key string> search based on key field
-ui,--uid <User Id> search based on user id
--start recent|today|...
-i,--interpret interpret results to be human readableAudit events land in /var/log/audit/audit.log (path set in /etc/audit/auditd.conf). Rules you add with auditctl are runtime until merged into /etc/audit/audit.rules via augenrules.
auditd — command examples
Essential Confirm auditd is running
If the daemon is stopped, the kernel may queue events briefly but you lose reliable long-term logging.
Run the command:
sudo systemctl status auditd --no-pagerSample output:
● auditd.service - Security Audit Logging Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Mon 2026-07-13 19:02:25 IST; 10min ago
Docs: man:auditd(8)
Main PID: 813 (auditd)active (running) means new rules and searches work against a live log stream.
Essential List active audit rules
An empty rule set still logs some events, but file watches and custom keys require explicit rules.
Run the command:
sudo auditctl -lSample output:
No rulesThat is normal on a fresh lab host before you load /etc/audit/rules.d/ snippets.
Essential Watch /etc/passwd for writes and metadata changes
File watches help you catch account database edits — common compliance and incident-response requirement.
Add the watch:
sudo auditctl -w /etc/passwd -p wa -k passwd_changesList to confirm:
sudo auditctl -lSample output:
-w /etc/passwd -p wa -k passwd_changesThe -p wa permissions mean write and attribute changes. The -k key groups matching events in ausearch.
Clean up in the lab with sudo auditctl -D (removes all rules) or merge equivalent lines into /etc/audit/rules.d/ for persistence.
Common Search the log by audit key
After a watch fires, find related records with the same key you assigned in auditctl.
Run the command:
sudo ausearch -k passwd_changes --start recent 2>&1 | head -12Sample output:
----
time->Mon Jul 13 19:11:54 2026
type=PROCTITLE msg=audit(1783950114.140:412): proctitle=617564697463746C002D77002F6574632F706173737764002D70007761002D6B007061737377645F6368616E676573
type=SYSCALL msg=audit(1783950114.140:412): arch=c000003e syscall=44 success=yes exit=1084 ... comm="auditctl" exe="/usr/sbin/auditctl" ... key=(null)
type=CONFIG_CHANGE msg=audit(1783950114.140:412): ... op=add_rule key="passwd_changes" list=4 res=1CONFIG_CHANGE with key="passwd_changes" shows the rule was added. Use -i for decoded paths and usernames.
Common Summarize authentication events
aureport aggregates raw logs — faster than scrolling audit.log for login trends.
Run the command:
sudo aureport -au --summarySample output:
Authentication Summary Report
=============================
total acct
=============================
383 ansible
66 root
5 vncuserThe acct column is the username field from audit records. Pair with ausearch -m USER_LOGIN --start today for individual events.
Common Find recent SSH login events
Message type filters narrow results to authentication-related records.
Run the command:
sudo ausearch -m USER_LOGIN --start recent 2>&1 | head -8Sample output:
----
time->Mon Jul 13 19:04:08 2026
type=USER_LOGIN msg=audit(1783949648.247:150): pid=1782 uid=0 auid=0 ses=2 ... msg='op=login id=0 exe="/usr/libexec/openssh/sshd-session" ... res=success'res=success vs res=failed tells you whether the attempt worked — useful when correlating with journalctl SSH unit logs.
Advanced Load persistent rules from rules.d
Production hosts keep rules in /etc/audit/rules.d/ and load them at boot through augenrules.
Check for pending changes:
sudo augenrules --checkSample output:
/usr/sbin/augenrules: No changeApply merged rules:
sudo augenrules --load 2>&1 | tail -4Sample output:
backlog 9
backlog_wait_time 60000
backlog_wait_time_actual 0Inspect the generated file:
sudo tail -5 /etc/audit/audit.rulesEdit drop-ins under rules.d, not audit.rules directly — augenrules overwrites the merged file.
Advanced Look up syscall numbers for rule writing
Custom auditctl rules often reference syscall names — ausyscall maps them to numbers.
Run the command:
ausyscall openSample output:
open 2Use the name in rules (-S open) or the number on older examples. ausyscall --dump lists the full table.
Common File access summary report
See which paths generate the most audit noise before tuning rules.
Run the command:
sudo aureport -f --summary 2>&1 | head -10Sample output:
File Summary Report
===========================
total file
===========================
6 /
4 (null)
2 /root/.cursor-server/data/logs/20260713T190410/remoteagent.logHigh counts on unexpected paths suggest rules that are too broad — refine watches or exclude noisy directories.
auditd — when to use / when not
| Use auditd when | Use something else when |
|---|---|
|
|
auditd vs journalctl
| auditd / ausearch | journalctl | |
|---|---|---|
| Source | Kernel audit subsystem | systemd-journald |
| Strength | Security events, syscalls, file watches, immutable trail | Service logs, kernel console, boot sessions |
| Query tools | ausearch, aureport | journalctl filters |
| Typical use | Compliance, forensics, privileged activity | Operations, app debugging |
Use both: journalctl for why a service failed; ausearch for who changed a protected file.
Related commands
Tools in the same logging and hardening workflow.
| Command | One line |
|---|---|
| auditctl | Audit rules and search (this page) |
| journalctl | systemd journal queries |
| systemctl | Manage the auditd unit |
| tcpdump | Capture network traffic |
Browse the full index in our Linux commands reference.
auditd — interview corner
What does auditd do on Linux?
auditd is the userspace daemon for the Linux Audit Framework. The kernel emits records for syscalls, path watches, authentication, and configuration changes; auditd writes them to /var/log/audit/audit.log.
Administrators define what to log with auditctl or files in /etc/audit/rules.d/, then search with ausearch or summarize with aureport.
A strong answer is:
"auditd collects kernel audit events into /var/log/audit/audit.log — I define policy with auditctl or rules.d, then search with ausearch for security and compliance investigations."
What is an audit key (-k) used for?
The key string tags matching events so you can find them quickly:
sudo auditctl -w /etc/shadow -p wa -k shadow_watch
sudo ausearch -k shadow_watch --start todayWithout keys, you rely on raw paths and syscall fields — harder during incidents.
A strong answer is:
"The -k key labels audit events — I use the same key in ausearch -k to pull every record from a watch or syscall rule."
What is the difference between auditctl and augenrules?
auditctl changes runtime rules immediately — lost on reboot unless saved.
augenrules reads /etc/audit/rules.d/*.rules, builds /etc/audit/audit.rules, and loads into the kernel — the persistent path on RHEL.
A strong answer is:
"auditctl is for live testing; augenrules merges rules.d into audit.rules and loads them — that's how rules survive reboot on RHEL."
How is auditd different from journald?
journald collects service output, kernel printk, and structured metadata for operations.
auditd records security-relevant kernel audit records — execve, file watches, login events — in a separate tamper-oriented log.
They complement each other; neither replaces the other for compliance-focused syscall auditing.
A strong answer is:
"journald is for operational service logs; auditd is the kernel audit trail for security events — file changes, privileged commands, and auth. I use both."
What happens if audit backlog fills up?
The kernel queues audit events in a buffer. If auditd falls behind or the buffer fills, the kernel may lose events or hold processes depending on /etc/audit/auditd.conf settings (max_log_file, space_left_action, disk_full_action).
Check status:
sudo auditctl -sTune disk rotation and backlog settings before high-volume rules.
A strong answer is:
"If the audit backlog fills, events can be lost or processes can block — I monitor auditctl -s and size auditd.conf disk actions before deploying noisy rules."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
auditctl: command not found |
audit-rules package not installed (Rocky 10 split) |
sudo dnf install audit audit-rules |
No rules after reboot |
Rules never in rules.d |
Add *.rules snippets; augenrules --load; enable auditd |
Empty ausearch results |
Wrong time window or key typo | Widen --start; verify key with auditctl -l |
| Log disk full | High-volume rules | Rotate (service auditd rotate); prune rules; raise disk actions in auditd.conf |
auditd fails to start |
Syntax error in merged rules | augenrules --check; test with auditctl -l after load |
| Too many events on one file | Broad -w on busy paths |
Narrow paths; use keys; exclude temporary directories |
| Cannot delete watch rule | Delete syntax differs from add | Use auditctl -D in lab; in production reload from corrected rules.d |
References
- auditd man page{target="_blank" rel="noopener"} — audit daemon
- auditctl man page{target="_blank" rel="noopener"} — live rule management
- ausearch man page{target="_blank" rel="noopener"} — log search
- Linux Audit documentation{target="_blank" rel="noopener"} — upstream project docs
- journalctl cheat sheet — systemd journal queries
- Linux commands cheat sheet — full command index

