Linux Audit Log: What's Really Happening on Your Server

By SumGuy 5 min read

Your system logs are full of noise. Cron jobs, service restarts, normal operations. But somewhere in the chaos, someone accessed a file they shouldn’t have. auditd doesn’t log noise — it logs what actually matters: who did what, when, and what the result was.

auditd is the Linux kernel audit framework. It’s powerful, detailed, and most sysadmins ignore it because it seems complicated. Here’s the thing: it’s not. And if you’re dealing with compliance, intrusion investigations, or just paranoia, it’s invaluable.

Install and Start auditd

On Ubuntu/Debian:

$ sudo apt install auditd
$ sudo systemctl start auditd
$ sudo systemctl enable auditd

On RHEL/CentOS:

$ sudo yum install audit
$ sudo systemctl start auditd
$ sudo systemctl enable auditd

Check status:

$ sudo auditctl -l

If you see rules (starting with -a or -w), auditd is running. If not, nothing’s being logged yet.

The Logs: /var/log/audit/audit.log

This is where everything goes. It’s binary-formatted but readable:

$ sudo tail /var/log/audit/audit.log

Sample output:

type=EXECVE msg=audit(1625001234.567:8910): argc=3 a0="/bin/bash" a1="-c" a2="echo hello"
type=CRED_DISP msg=audit(1625001234.568:8911): uid=1000 auid=1000

That’s hard to read. That’s where ausearch and aureport come in.

Search Audit Logs with ausearch

Find all commands run by a specific user:

$ sudo ausearch -m EXECVE -ua alice --format text | tail -20

Output:

type=EXECVE msg=audit(1625001234.567:8910): argc=3 a0="/bin/bash" a1="-c" a2="cat /etc/shadow"

There’s alice running cat /etc/shadow. Got her.

Find all file access on a specific file:

$ sudo ausearch -k sensitive_files

(Assuming you’ve set up a watch on that file — more below.)

Find everything recent (ausearch's recent keyword means the last 10 minutes; use --start today, or -ts with an explicit date and time, for a longer window):

$ sudo ausearch --start recent -m EXECVE --format text

Export in a machine-readable format for analysis (ausearch has no JSON output; csv is what it offers):

$ sudo ausearch -k logins --format csv | head -50

Now you can pipe to grep, awk, or load into a SIEM.

Generate Reports with aureport

aureport summarizes the logs:

$ sudo aureport

Output:

Summary Report
======================
Total Events Processed 12543
Total Logs Size 2.3 MB
Events lost 0
Disk Space Left 45 GB
SELinux Denials 3

Commands by user:

$ sudo aureport -u --summary
User ID # Commands
1000 234
0 156
33 67

File access summary:

$ sudo aureport -f --summary
File # Accesses
/etc/passwd 45
/etc/shadow 12
/home/alice/* 234

Login/logout events:

$ sudo aureport -l
Login Summary
======================
Total : 156
Failed : 3
Users : 5

Write Audit Rules

Rules define what auditd logs. There are three types:

1. Watch a File

$ sudo auditctl -w /etc/shadow -p wa -k shadow_changes

This says: watch /etc/shadow, log on write (w) and attribute changes (a), tag the log with key shadow_changes. Reads are not covered by wa; add r (-p rwa) if you want those logged as well.

Now every time someone modifies that file, or reads it if you included r:

$ sudo cat /etc/shadow

It's logged. Search it later:

$ sudo ausearch -k shadow_changes

2. Monitor System Calls

Log all calls to unlink() (file deletion):

$ sudo auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -k file_deletion

Breakdown:

-a always,exit: always create a record, evaluated at syscall exit so the result (success or errno) is known.
-F arch=b64: match the 64-bit syscall table. Add a second rule with arch=b32 if 32-bit binaries run on the box.
-S unlink,unlinkat: the syscalls to match. unlinkat is included because current rm and glibc use it; unlink alone would miss most deletions.
-k file_deletion: the key to search on later.

Now every file deletion is logged.

3. Monitor Commands by User

Log all commands run by alice as root:

$ sudo auditctl -a always,exit -F arch=b64 -F auid=1000 -F euid=0 -S execve -k alice_sudo_commands

This logs whenever login user 1000 (alice) runs anything with effective uid 0 (root). auid is the login uid: it survives sudo and su, so it still reads 1000 after alice escalates, whereas uid would already be 0 and the rule would never match.

Persist Rules Across Reboots

Rules typed with auditctl are temporary. To make them permanent, edit /etc/audit/rules.d/audit.rules:

$ sudo nano /etc/audit/rules.d/audit.rules

Add rules:

/etc/audit/rules.d/audit.rules
# Watch for shadow file changes
-w /etc/shadow -p wa -k shadow_changes
# Watch for password file changes
-w /etc/passwd -p wa -k passwd_changes
# Log all file deletions (rm calls unlinkat, so match both)
-a always,exit -F arch=b64 -S unlink,unlinkat -k file_deletion
# Failed logins need no rule: PAM already emits USER_LOGIN/USER_AUTH records.
# Search them with: ausearch -m USER_LOGIN --success no
# Log failed file opens (permission denied) instead
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -k access_denied

Reload. augenrules merges every file in rules.d into /etc/audit/audit.rules and loads it (restarting auditd also works, but on RHEL-family systems the unit refuses systemctl restart; use service auditd restart there):

$ sudo augenrules --load

Verify:

$ sudo auditctl -l

Real-World Example: Compliance Audit

You need to prove who accessed customer data. Set up:

$ sudo auditctl -w /home/app/data/customers.db -p r -k customer_data_access

Now whenever someone reads that database:

$ sudo ausearch -k customer_data_access --format text

You have: the timestamp, the login uid (auid) and uid of whoever read it, the program (exe and comm) that opened it, and whether the open succeeded.

Perfect for "prove your data is protected" audits.
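The raw records shown under /var/log/audit/audit.log and the "who read customers.db" question above are the same problem: records that share an event serial have to be stitched back together before they answer anything. This is an added example, not code from the post: a parser for raw audit.log lines that groups SYSCALL, EXECVE and PATH records by serial, decodes the hex-encoded EXECVE arguments that make raw logs unreadable, and then answers the two questions the post asks (commands by a login uid, accesses tagged with a rule key). The log lines, uids, paths and the customer_data_access key are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample of raw /var/log/audit/audit.log lines (not captured output).
# Event 8910: alice (auid=1000) runs `bash -c "cat /etc/shadow"`. Event 8911: a
# read of customers.db caught by the customer_data_access watch. Note a2 in the
# EXECVE record: auditd hex-encodes any argument containing a space or control
# character, which is why raw logs look like gibberish until decoded.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1625001234.567:8910): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=EXECVE msg=audit(1625001234.567:8910): argc=3 a0="/bin/bash" a1="-c" a2=636174202F6574632F736861646F77
type=PATH msg=audit(1625001234.567:8910): item=0 name="/bin/bash" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1625001234.567:8910):
type=SYSCALL msg=audit(1625001300.101:8911): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e1 a2=0 a3=0 items=1 ppid=4100 pid=4150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sqlite3" exe="/usr/bin/sqlite3" key="customer_data_access"
type=PATH msg=audit(1625001300.101:8911): item=0 name="/home/app/data/customers.db" inode=5678 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1625001300.101:8911):
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# One key=value pair; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def unquote(v):
    """Strip the double quotes auditd puts around plain-string values."""
    return v[1:-1] if len(v) >= 2 and v[0] == '"' and v[-1] == '"' else v


def parse_line(line):
    """Split one raw record into its type, timestamp, event serial and raw fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(text):
    """Group records by serial: the SYSCALL, EXECVE and PATH lines of one event share it."""
    events = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] == "EOE":   # EOE only terminates an event
            continue
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"], "records": []})
        ev["records"].append(rec)
    return events


def find_record(ev, rtype):
    return next((r for r in ev["records"] if r["type"] == rtype), None)


def execve_argv(rec):
    """Rebuild argv from an EXECVE record, decoding hex-encoded arguments.
    (Very long arguments, which auditd splits into a2[0], a2[1], ... chunks, are not handled.)"""
    argv = []
    for i in range(int(rec["fields"]["argc"])):
        raw = rec["fields"][f"a{i}"]
        if raw.startswith('"'):
            argv.append(unquote(raw))
        else:
            argv.append(bytes.fromhex(raw).decode("utf-8", "replace"))
    return argv


def iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def commands_by_auid(events, auid):
    """(time, command line) for every execve by the given login uid: what
    `ausearch -m EXECVE -ua <user>` answers, minus the hex noise."""
    hits = []
    for serial in sorted(events):
        ev = events[serial]
        sc, ex = find_record(ev, "SYSCALL"), find_record(ev, "EXECVE")
        if sc is None or ex is None or int(sc["fields"]["auid"]) != auid:
            continue
        hits.append((iso(ev["ts"]), " ".join(execve_argv(ex))))
    return hits


def accesses_by_key(events, key):
    """(time, auid, exe, paths) for every event tagged with a rule key: the
    'who read customers.db' answer the compliance watch exists to give."""
    hits = []
    for serial in sorted(events):
        ev = events[serial]
        sc = find_record(ev, "SYSCALL")
        if sc is None or unquote(sc["fields"].get("key", "")) != key:
            continue
        paths = [unquote(r["fields"]["name"]) for r in ev["records"] if r["type"] == "PATH"]
        hits.append((iso(ev["ts"]), int(sc["fields"]["auid"]), unquote(sc["fields"]["exe"]), paths))
    return hits


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG)
    for when, cmd in commands_by_auid(evs, 1000):
        print(f"{when} auid=1000 ran: {cmd}")
    for when, auid, exe, paths in accesses_by_key(evs, "customer_data_access"):
        print(f"{when} auid={auid} {exe} opened {', '.join(paths)}")
```

The design point is the join on serial: auid, exe and the key live in the SYSCALL record, the command line in EXECVE, and the file name in PATH, so no single line answers "who read what". ausearch -i does this decoding for you interactively; the parser is for the cases where the log is shipped elsewhere as raw text.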

Performance Impact

auditd can be heavy on I/O. Don’t watch every file. Be selective:

# Good: watch critical files
-w /etc/sudoers -p wa -k sudoers_changes
-w /root/.ssh -p ra -k root_ssh_access
# Bad: watching everything
-w / -p rwxa -k everything

On busy servers, start small. Watch sensitive areas: /etc/sudoers, /etc/shadow, /etc/passwd, system binaries in /usr/bin, logs.
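The rule-writing and performance sections each name a way a rules file goes wrong: a syscall rule with no arch filter, unlink without unlinkat, a watch on / that records everything, a rule with no key to search on. This added linter (not part of the post or the audit project) parses an auditctl-style rules file and reports those four problems by line number. The rules file it checks is a constructed sample built from the post's "good" and "bad" watches plus three deliberately flawed rules; the SYSCALL_PAIRS table generalises the unlink/unlinkat point to open/openat and rename/renameat, which have the same split on current glibc.

```python
import shlex

# Syscalls that current libc and coreutils reach through a newer variant; a rule
# that names only the old one silently misses most real activity.
SYSCALL_PAIRS = {"unlink": "unlinkat", "open": "openat", "rename": "renameat"}

# Constructed sample rules file (not the post's own): the good and bad watches
# from the performance section plus three common syscall-rule slips.
SAMPLE_RULES = """\
# Good: watch critical files
-w /etc/sudoers -p wa -k sudoers_changes
-w /root/.ssh -p ra -k root_ssh_access
# Bad: watching everything
-w / -p rwxa -k everything
# Syscall rule without an arch filter
-a always,exit -S execve -F auid=1000 -F euid=0 -k alice_sudo_commands
# unlink without unlinkat
-a always,exit -F arch=b64 -S unlink -k file_deletion
# Watch with no key
-w /etc/passwd -p wa
"""


def parse_rule(line):
    """Tokenise one auditctl-style rule; returns None for blank or comment lines."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    rule = {"kind": None, "path": "", "perms": "", "syscalls": [], "filters": [], "key": None}
    i = 0
    while i < len(toks):
        flag = toks[i]
        if flag == "-D":            # the one common control flag that takes no argument
            i += 1
            continue
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if flag == "-w":
            rule["kind"], rule["path"] = "watch", arg
        elif flag == "-a":
            rule["kind"] = "syscall"
        elif flag == "-p":
            rule["perms"] = arg
        elif flag == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif flag == "-F":
            rule["filters"].append(arg)
        elif flag == "-k":
            rule["key"] = arg
        i += 2
    return rule


def lint_rules(text):
    """Return (line number, message) for every rule that is too broad, incomplete or unsearchable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None or rule["kind"] is None:
            continue
        if rule["kind"] == "watch":
            # A watch on a directory is recursive; one on / or a top-level directory
            # with read or exec permissions records nearly every file access.
            depth = len([p for p in rule["path"].split("/") if p])
            if depth <= 1 and ("r" in rule["perms"] or "x" in rule["perms"]):
                findings.append((lineno, f"-w {rule['path']} -p {rule['perms']} is far too broad for the I/O it costs; watch specific files"))
        else:
            if not any(f.startswith("arch=") for f in rule["filters"]):
                findings.append((lineno, "syscall rule without -F arch=; add arch=b64 (and a b32 copy if 32-bit binaries run)"))
            for old, new in SYSCALL_PAIRS.items():
                if old in rule["syscalls"] and new not in rule["syscalls"]:
                    findings.append((lineno, f"-S {old} without {new}: modern tools call {new}; use -S {old},{new}"))
        if rule["key"] is None:
            findings.append((lineno, "no -k key, so these events cannot be pulled out with ausearch -k"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```

Run it over /etc/audit/rules.d/*.rules before augenrules --load; it does not replace auditctl's own syntax check, it only catches rules that load fine and then either miss what you meant or flood the log.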

The Quick Start

Today:

$ sudo apt install auditd
$ sudo systemctl start auditd
# Watch sudoers
$ sudo auditctl -w /etc/sudoers -p wa -k sudoers_changes
# Watch password files
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes
$ sudo auditctl -w /etc/shadow -p wa -k shadow_changes
# Log all file deletions (unlinkat is what rm actually calls)
$ sudo auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -k file_deletion
# Dump the live rules so you can copy them into /etc/audit/rules.d/audit.rules
$ sudo auditctl -l > /tmp/rules.txt

Copy those rules into /etc/audit/rules.d/audit.rules, restart auditd, and you’re protected. Next time someone asks “who touched this file?” you’ll have an answer.

