auditd Commands in Linux: auditctl, ausearch & aureport (RHEL/Fedora/Rocky)

The Linux audit framework logs security-relevant events through auditd. Use auditctl to define rules, ausearch to query the audit log, and aureport for summaries — with augenrules to load persistent policy on RHEL-family systems.

Published

Updated

Read time 9 min read

Reviewed byDeepak Prasad

auditd Commands in Linux: auditctl, ausearch & aureport (RHEL/Fedora/Rocky)
About The Linux audit framework logs security-relevant events through auditd. Use auditctl to define rules, ausearch to query the audit log, and aureport for summaries — with augenrules to load persistent policy on RHEL-family systems.
Tested on Rocky Linux 10.2 (Red Quartz); audit 4.0.3; kernel 6.12.0-211.28.1.el10_2.x86_64
Man page auditctl(8)
Privilege root / sudo
Distros

RHEL, Rocky Linux, AlmaLinux, CentOS Stream, and Fedora (auditd enabled by default on many installs).

Rocky Linux 10 splits auditctl and augenrules into the audit-rules package alongside audit.

Application and service logs: journalctl.

Related guide

auditd — quick reference

auditd service

The auditd daemon writes kernel audit events to /var/log/audit/audit.log.

When to use Command
Check auditd status sudo systemctl status auditd
Start auditd sudo systemctl start auditd
Enable auditd at boot sudo systemctl enable auditd
Reload auditd after config change sudo systemctl reload auditd
Rotate logs immediately sudo service auditd rotate

On Rocky Linux 10, auditctl and augenrules ship in the audit-rules package (install alongside audit).

auditctl — list and manage rules

When to use Command
List active audit rules sudo auditctl -l
Delete all rules (lab only) sudo auditctl -D
Watch a file for writes and attribute changes sudo auditctl -w /etc/passwd -p wa -k passwd_changes
Log all execve syscalls sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_log
Log failed privileged commands sudo auditctl -a always,exit -F arch=b64 -S all -F euid=0 -F exit=-EPERM -k privileged_fail
Show kernel audit status sudo auditctl -s

augenrules — persistent rules

When to use Command
Check rule files under /etc/audit/rules.d/ sudo augenrules --check
Merge and load rules into the kernel sudo augenrules --load
View generated rules file sudo cat /etc/audit/audit.rules

Place drop-in snippets in /etc/audit/rules.d/*.rules, then run augenrules --load.

ausearch — query the audit log

When to use Command
Search events from the last 10 minutes sudo ausearch --start recent
Search by key name sudo ausearch -k KEY
Search by audit event ID sudo ausearch -a EVENT_ID
Search by username sudo ausearch -ui USERNAME
Search failed syscalls sudo ausearch --success no
Human-readable field decoding sudo ausearch -i --start today
Search file-related events sudo ausearch -f /etc/passwd

aureport — summarized reports

When to use Command
Authentication summary sudo aureport -au --summary
Executable summary sudo aureport -x --summary
File access summary sudo aureport -f --summary
Failed events only sudo aureport --failed
AVC (SELinux) denials sudo aureport -avc
Config change report sudo aureport -c

Helper tools

When to use Command
Map syscall name to number ausyscall open
Show audit log path grep log_file /etc/audit/auditd.conf

auditd — command syntax

auditd daemon usage from Rocky Linux 10.2:

text
Usage: auditd [-f] [-l] [-n] [-s disable|enable|nochange] [-c <config_file>]

auditctl accepts rule definitions on the command line; there is no --help flag on all builds — see the man page for full syntax.

ausearch synopsis (truncated from ausearch --help):

text
usage: ausearch [options]
  -a,--event <Audit event id>    search based on audit event id
  -c,--comm  <Comm name>          search based on command line name
  -f,--file  <File name>         search based on file name
  -k,--key  <key string>         search based on key field
  -ui,--uid <User Id>            search based on user id
  --start recent|today|...
  -i,--interpret                  interpret results to be human readable

Audit events land in /var/log/audit/audit.log (path set in /etc/audit/auditd.conf). Rules you add with auditctl are runtime until merged into /etc/audit/audit.rules via augenrules.


auditd — command examples

Essential Confirm auditd is running

If the daemon is stopped, the kernel may queue events briefly but you lose reliable long-term logging.

Run the command:

bash
sudo systemctl status auditd --no-pager

Sample output:

text
● auditd.service - Security Audit Logging Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2026-07-13 19:02:25 IST; 10min ago
       Docs: man:auditd(8)
   Main PID: 813 (auditd)

active (running) means new rules and searches work against a live log stream.

Essential List active audit rules

An empty rule set still logs some events, but file watches and custom keys require explicit rules.

Run the command:

bash
sudo auditctl -l

Sample output:

text
No rules

That is normal on a fresh lab host before you load /etc/audit/rules.d/ snippets.

Essential Watch /etc/passwd for writes and metadata changes

File watches help you catch account database edits — common compliance and incident-response requirement.

Add the watch:

bash
sudo auditctl -w /etc/passwd -p wa -k passwd_changes

List to confirm:

bash
sudo auditctl -l

Sample output:

text
-w /etc/passwd -p wa -k passwd_changes

The -p wa permissions mean write and attribute changes. The -k key groups matching events in ausearch.

Clean up in the lab with sudo auditctl -D (removes all rules) or merge equivalent lines into /etc/audit/rules.d/ for persistence.

Common Search the log by audit key

After a watch fires, find related records with the same key you assigned in auditctl.

Run the command:

bash
sudo ausearch -k passwd_changes --start recent 2>&1 | head -12

Sample output:

text
----
time->Mon Jul 13 19:11:54 2026
type=PROCTITLE msg=audit(1783950114.140:412): proctitle=617564697463746C002D77002F6574632F706173737764002D70007761002D6B007061737377645F6368616E676573
type=SYSCALL msg=audit(1783950114.140:412): arch=c000003e syscall=44 success=yes exit=1084 ... comm="auditctl" exe="/usr/sbin/auditctl" ... key=(null)
type=CONFIG_CHANGE msg=audit(1783950114.140:412): ... op=add_rule key="passwd_changes" list=4 res=1

CONFIG_CHANGE with key="passwd_changes" shows the rule was added. Use -i for decoded paths and usernames.

Common Summarize authentication events

aureport aggregates raw logs — faster than scrolling audit.log for login trends.

Run the command:

bash
sudo aureport -au --summary

Sample output:

text
Authentication Summary Report
=============================
total  acct
=============================
383  ansible
66  root
5  vncuser

The acct column is the username field from audit records. Pair with ausearch -m USER_LOGIN --start today for individual events.

Common Find recent SSH login events

Message type filters narrow results to authentication-related records.

Run the command:

bash
sudo ausearch -m USER_LOGIN --start recent 2>&1 | head -8

Sample output:

text
----
time->Mon Jul 13 19:04:08 2026
type=USER_LOGIN msg=audit(1783949648.247:150): pid=1782 uid=0 auid=0 ses=2 ... msg='op=login id=0 exe="/usr/libexec/openssh/sshd-session" ... res=success'

res=success vs res=failed tells you whether the attempt worked — useful when correlating with journalctl SSH unit logs.

Advanced Load persistent rules from rules.d

Production hosts keep rules in /etc/audit/rules.d/ and load them at boot through augenrules.

Check for pending changes:

bash
sudo augenrules --check

Sample output:

text
/usr/sbin/augenrules: No change

Apply merged rules:

bash
sudo augenrules --load 2>&1 | tail -4

Sample output:

text
backlog 9
backlog_wait_time 60000
backlog_wait_time_actual 0

Inspect the generated file:

bash
sudo tail -5 /etc/audit/audit.rules

Edit drop-ins under rules.d, not audit.rules directly — augenrules overwrites the merged file.

Advanced Look up syscall numbers for rule writing

Custom auditctl rules often reference syscall names — ausyscall maps them to numbers.

Run the command:

bash
ausyscall open

Sample output:

text
open               2

Use the name in rules (-S open) or the number on older examples. ausyscall --dump lists the full table.

Common File access summary report

See which paths generate the most audit noise before tuning rules.

Run the command:

bash
sudo aureport -f --summary 2>&1 | head -10

Sample output:

text
File Summary Report
===========================
total  file
===========================
6  /
4  (null)
2  /root/.cursor-server/data/logs/20260713T190410/remoteagent.log

High counts on unexpected paths suggest rules that are too broad — refine watches or exclude noisy directories.


auditd — when to use / when not

Use auditd when Use something else when
  • You need tamper-evident logging of privileged commands, file changes, or auth events
  • Compliance (PCI, STIG, CIS) requires audit trails beyond application logs
  • You investigate who changed /etc/passwd, sudoers, or SELinux policy
  • You correlate syscall-level denials with SELinux AVC events
  • You must prove execution of specific binaries or failed root attempts
  • You only need service stdout/stderr and systemd journal history → journalctl
  • You debug application bugs with stack traces — use app logging, not audit rules
  • You want network packet capture → tcpdump
  • Log volume would overwhelm disk — tune rules first; auditd is not a full packet or DEBUG logger
  • The audit daemon is intentionally disabled and policy forbids re-enabling — follow local security baseline

auditd vs journalctl

auditd / ausearch journalctl
Source Kernel audit subsystem systemd-journald
Strength Security events, syscalls, file watches, immutable trail Service logs, kernel console, boot sessions
Query tools ausearch, aureport journalctl filters
Typical use Compliance, forensics, privileged activity Operations, app debugging

Use both: journalctl for why a service failed; ausearch for who changed a protected file.


Tools in the same logging and hardening workflow.

Command One line
auditctl Audit rules and search (this page)
journalctl systemd journal queries
systemctl Manage the auditd unit
tcpdump Capture network traffic

Browse the full index in our Linux commands reference.


auditd — interview corner

What does auditd do on Linux?

auditd is the userspace daemon for the Linux Audit Framework. The kernel emits records for syscalls, path watches, authentication, and configuration changes; auditd writes them to /var/log/audit/audit.log.

Administrators define what to log with auditctl or files in /etc/audit/rules.d/, then search with ausearch or summarize with aureport.

A strong answer is:

"auditd collects kernel audit events into /var/log/audit/audit.log — I define policy with auditctl or rules.d, then search with ausearch for security and compliance investigations."

What is an audit key (-k) used for?

The key string tags matching events so you can find them quickly:

bash
sudo auditctl -w /etc/shadow -p wa -k shadow_watch
sudo ausearch -k shadow_watch --start today

Without keys, you rely on raw paths and syscall fields — harder during incidents.

A strong answer is:

"The -k key labels audit events — I use the same key in ausearch -k to pull every record from a watch or syscall rule."

What is the difference between auditctl and augenrules?

auditctl changes runtime rules immediately — lost on reboot unless saved.

augenrules reads /etc/audit/rules.d/*.rules, builds /etc/audit/audit.rules, and loads into the kernel — the persistent path on RHEL.

A strong answer is:

"auditctl is for live testing; augenrules merges rules.d into audit.rules and loads them — that's how rules survive reboot on RHEL."

How is auditd different from journald?

journald collects service output, kernel printk, and structured metadata for operations.

auditd records security-relevant kernel audit records — execve, file watches, login events — in a separate tamper-oriented log.

They complement each other; neither replaces the other for compliance-focused syscall auditing.

A strong answer is:

"journald is for operational service logs; auditd is the kernel audit trail for security events — file changes, privileged commands, and auth. I use both."

What happens if audit backlog fills up?

The kernel queues audit events in a buffer. If auditd falls behind or the buffer fills, the kernel may lose events or hold processes depending on /etc/audit/auditd.conf settings (max_log_file, space_left_action, disk_full_action).

Check status:

bash
sudo auditctl -s

Tune disk rotation and backlog settings before high-volume rules.

A strong answer is:

"If the audit backlog fills, events can be lost or processes can block — I monitor auditctl -s and size auditd.conf disk actions before deploying noisy rules."


Troubleshooting

Symptom Likely cause Fix
auditctl: command not found audit-rules package not installed (Rocky 10 split) sudo dnf install audit audit-rules
No rules after reboot Rules never in rules.d Add *.rules snippets; augenrules --load; enable auditd
Empty ausearch results Wrong time window or key typo Widen --start; verify key with auditctl -l
Log disk full High-volume rules Rotate (service auditd rotate); prune rules; raise disk actions in auditd.conf
auditd fails to start Syntax error in merged rules augenrules --check; test with auditctl -l after load
Too many events on one file Broad -w on busy paths Narrow paths; use keys; exclude temporary directories
Cannot delete watch rule Delete syntax differs from add Use auditctl -D in lab; in production reload from corrected rules.d

References

Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …