Monitoring Linux systems with auditctl
Keeping your servers secure and compliant is a top priority. One powerful tool available on Linux systems is auditctl, a command-line utility that manages the Linux Audit system. This article walks you through what auditctl is, why it’s useful, and how to use it.
What is auditctl?
auditctl is part of the Linux Auditing System. It lets you:
- Track changes to files and directories.
- Monitor system calls like open, execve, or chmod.
- Log user actions and access to sensitive files.
- Stay compliant with security standards like PCI-DSS or HIPAA.
If you’re hosting sensitive data on your Liquid Web server, auditctl helps keep an eye on critical activities and detect potential intrusions.
How auditctl works
auditctl works by setting up rules that tell the system what events to track. These rules are stored in the kernel’s audit subsystem and operate in real time.
Common audit rule types
- File Watch Rules: Monitor specific files or directories.
- Syscall Rules: Track specific system calls.
- User Rules: Audit actions by specific users or groups.
Example:
auditctl -w /etc/passwd -p wa -k passwd_changes
This watches /etc/passwd for writes (w) and attribute changes (a), and tags the matching events with the key passwd_changes.
Getting started
1. Check if audit is installed
auditctl -s
If you see the audit status printed, you’re good to go! (auditctl -l lists the rules that are currently loaded.)
2. Add a simple rule
To monitor changes to a key config file:
auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config
3. View audit logs
All logs are stored in:
/var/log/audit/audit.log
Use ausearch to search by key:
ausearch -k ssh_config
4. Finding results
When the audit system logs a change to a watched file, it records that change in /var/log/audit/audit.log by default. That log usually contains a large amount of other audit information, but the filter key makes it easy to grep for the relevant entries. Alternatively, ausearch outputs the relevant records directly:
# ausearch -f /root/testfile
----
time->Thu Mar 10 05:01:05 2016
type=CONFIG_CHANGE msg=audit(1457604065.439:244275): auid=0 ses=40017 op="updated rules" path="/root/testfile" key="testfile-file" list=4 res=1
The above example uses the -f flag, which searches the log by filename, but the -k flag can also be used, which searches by the filter key set with -k when the rule was added with auditctl. The -k search tends to find additional entries, and can even show which application was used to modify the file in question:
# ausearch -k testfile-file
type=SYSCALL msg=audit(1457613278.190:245507): arch=c000003e syscall=188 success=yes exit=0 a0=15ec3b0 a1=3381405db7 a2=17f2420 a3=1c items=1 ppid=6100 pid=25926 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=40017 comm="vim" exe="/usr/bin/vim" key="testfile-file"
Various other flags can be passed to ausearch to find results from a specific time, process, user or group ID, and so on. A full listing of flags can be found in the ausearch man page. Here are example entries for a change made over FTP and one made with the cPanel File Manager:
FTP:
# ausearch -k testftpfile-file
type=SYSCALL msg=audit(1457615043.085:245806): arch=c000003e syscall=2 success=yes exit=5 a0=7fe898065370 a1=241 a2=81a4 a3=65742f6c6d74685f items=2 ppid=27572 pid=27575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=40539 comm="sftp-server" exe="/usr/libexec/openssh/sftp-server" key="testftpfile-file"
cPanel File Manager:
# ausearch -k testcpanelfile-file
type=CWD msg=audit(1457615311.582:245846): cwd="/usr/local/cpanel/base"
type=SYSCALL msg=audit(1457615311.582:245846): arch=c000003e syscall=82 success=yes exit=0 a0=5fa2f10 a1=5fa1dc0 a2=3b a3=7ffc391644c0 items=5 ppid=27931 pid=27987 auid=0 uid=513 gid=514 euid=513 suid=513 fsuid=513 egid=514 sgid=514 fsgid=514 tty=(none) ses=38028 comm="/usr/local/cpan" exe="/usr/local/cpanel/cpanel" key="testcpanelfile-file"
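The records above show that the useful fields for a file-change investigation are exe, auid, success and key. The script below is an added example (not part of this article, nor the audit project's own tooling) that pulls exactly those fields out of raw SYSCALL records for one filter key, so a watched file's history can be summarised in one line per event, with a separate view of failed (denied) accesses. The log lines are constructed for the example in the layout shown above, not real log data; on a live system the same function reads /var/log/audit/audit.log or the output of ausearch -k KEY --raw.

```shell
#!/bin/sh
# Added example: summarise raw audit SYSCALL records for one filter key.
# SAMPLE_LOG is constructed for this example (not real log data); the field
# layout mirrors the SYSCALL records printed by ausearch -k.
SAMPLE_LOG='type=SYSCALL msg=audit(1457613278.190:245507): arch=c000003e syscall=188 success=yes exit=0 pid=25926 auid=0 uid=0 comm="vim" exe="/usr/bin/vim" key="testfile-file"
type=SYSCALL msg=audit(1457615043.085:245806): arch=c000003e syscall=2 success=yes exit=5 pid=27575 auid=0 uid=0 comm="sftp-server" exe="/usr/libexec/openssh/sftp-server" key="testftpfile-file"
type=CWD msg=audit(1457615311.582:245846): cwd="/usr/local/cpanel/base"
type=SYSCALL msg=audit(1457615311.582:245846): arch=c000003e syscall=82 success=yes exit=0 pid=27987 auid=0 uid=513 comm="/usr/local/cpan" exe="/usr/local/cpanel/cpanel" key="testcpanelfile-file"
type=SYSCALL msg=audit(1457615400.000:245900): arch=c000003e syscall=2 success=no exit=-13 pid=28001 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="testfile-file"'

# Read raw audit records on stdin and print "<exe> <auid> <success>" for every
# SYSCALL record whose key matches $1. With $2 set to 1, only failed
# (success=no) records are printed. Non-SYSCALL records (CWD, PATH, ...) are
# skipped, so each event yields one line.
summarise_key() {
    awk -v want="$1" -v only_failed="${2:-0}" '
        $1 == "type=SYSCALL" {
            exe = ""; auid = ""; ok = ""; k = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "exe") exe = kv[2]
                else if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "success") ok = kv[2]
                else if (kv[1] == "key") k = kv[2]
            }
            gsub(/"/, "", exe); gsub(/"/, "", k)
            if (k == want && (only_failed == 0 || ok == "no")) print exe, auid, ok
        }'
}

# Convenience wrappers that run the summary over the constructed sample.
records_for_key() { printf '%s\n' "$SAMPLE_LOG" | summarise_key "$1"; }
failed_for_key()  { printf '%s\n' "$SAMPLE_LOG" | summarise_key "$1" 1 | awk '{ print $1, $2 }'; }
count_for_key()   { records_for_key "$1" | wc -l | tr -d ' '; }

# Stand-alone run: every event on the key, then only the denied ones.
records_for_key testfile-file
failed_for_key testfile-file
```

On a production host, replace the sample with the real log, for example `summarise_key passwd_changes < /var/log/audit/audit.log` or `ausearch -k passwd_changes --raw | summarise_key passwd_changes 1` to list only denied accesses, which is usually the first thing worth alerting on for a watched credential file.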
Making rules persistent
By default, auditctl rules disappear on reboot. To make them stick:
- Add them to /etc/audit/rules.d/audit.rules
- Restart the audit daemon:
systemctl restart auditd
AI-Friendly tip
If you’re using automation or AI-driven monitoring, tagging rules with unique keys (like -k login_activity) makes it easier to filter and analyze logs later.
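Putting the persistence section and the unique-key tip together, the script below is an added example (not code from this article or from the audit project) that writes a rules.d fragment covering the three rule types described earlier (file watches, a syscall rule, and a user-scoped filter on auid) and checks, before anything is loaded, that every rule carries a -k key and that no key is reused, since a duplicated key makes later ausearch -k and aureport filtering ambiguous. It works on a scratch file and never touches /etc/audit; the rule lines themselves are the author's example rules, and the auid range and 4294967295 (the "unset" login UID) are conventional values, not something taken from this page.

```shell
#!/bin/sh
# Added example: build a rules.d fragment and validate its -k keys before
# loading. Only a scratch file is written; nothing here changes /etc/audit.

# Write the example rule set to the file named in $1.
write_rules() {
    cat > "$1" <<'EOF'
# File watch rules: the config files the best-practices section recommends
-w /etc/passwd -p wa -k passwd_changes
-w /etc/ssh/sshd_config -p wa -k ssh_config
-w /etc/sudoers -p wa -k sudoers_changes
# Syscall rule scoped by user: every execve by a real (non-system) login user.
# 4294967295 is the "unset" auid used for processes with no login session.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_exec
EOF
}

# Return 0 when every rule in $1 has a -k key and all keys are distinct;
# otherwise report the problem on stderr and return 1.
check_unique_keys() {
    file="$1"
    # Rules are the non-comment, non-blank lines; count those lacking " -k ".
    missing=$(awk '!/^#/ && NF && !/ -k /' "$file" | wc -l | tr -d ' ')
    if [ "$missing" -ne 0 ]; then
        echo "$missing rule(s) in $file have no -k key" >&2
        return 1
    fi
    # Extract each key and report any that occur more than once.
    dups=$(sed -n 's/.* -k \([^ ]*\).*/\1/p' "$file" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate key(s) in $file: $dups" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: write the fragment to a scratch file and validate it.
RULES_FILE=$(mktemp)
write_rules "$RULES_FILE"
if check_unique_keys "$RULES_FILE"; then
    echo "$RULES_FILE passed the key check; copy it into /etc/audit/rules.d/ and restart auditd"
fi
rm -f "$RULES_FILE"
```

Once the fragment passes, copy it into /etc/audit/rules.d/ and restart auditd as described above; on systems that use augenrules, `augenrules --load` merges every file in that directory into the active rule set.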
🧰 Helpful commands
| Command | Description |
|---|---|
| auditctl -l | List current rules |
| auditctl -d <rule> | Delete a rule |
| auditctl -D | Delete all rules |
| auditctl -w <file> | Watch a file |
| auditctl -a always,exit -S <syscall> | Monitor a syscall |
Generating reports
Raw audit logs are stored in /var/log/audit. These log files can be difficult or time consuming to parse by hand. Thankfully, there is a utility to help with this, aureport. For more information about aureport, see its man page (man aureport).
Create a rough summary report
If you are interested in the current audit statistics (events, logins, processes, etc.), run aureport without any options.
aureport
Summary Report
======================
Range of time in logs: 01/25/2017 05:55:01.700 - 01/31/2017 08:49:01.675
Selected time for report: 01/25/2017 05:55:01 - 01/31/2017 08:49:01.675
Number of changes in configuration: 1459
Number of changes to accounts, groups, or roles: 24
Number of logins: 5
Number of failed logins: 2504
Number of authentications: 13
Number of failed authentications: 15161
Number of users: 5
Number of terminals: 11
Number of host names: 2037
Number of executables: 10
Number of commands: 7
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 6
Number of responses to anomaly events: 0
Number of crypto events: 29403
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 12370
Number of events: 106326
Generate a summary report from specified file
You can use the -if flag to generate a report from audit logs in a specified file.
aureport -if /root/audit-backup.log
Generate a summary report for specific time
The example below uses the -l flag to report only login events, along with -ts to set the start time and -te to set the end time of the search.
aureport -l -ts 14:00 -te 15:00
Login Report
============================================
# date time auid host term exe success event
============================================
1. 17/02/09 14:21:09 root: 192.168.2.100 sshd /usr/sbin/sshd no 7718
2. 17/02/09 14:21:15 0 jupiter /dev/pts/3 /usr/sbin/sshd yes 7724
Create a summary report of failed events
If you want to narrow the overall statistics of a plain aureport to failed events only, use aureport --failed:
aureport --failed
Failed Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:57:35.183
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 13
Number of authentications: 0
Number of failed authentications: 574
Number of users: 1
Number of terminals: 5
Number of host names: 4
Number of executables: 11
Number of files: 77
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 708
Number of events: 1583
Create a summary report of successful events
If you want to narrow the overall statistics of a plain aureport to successful events only, use aureport --success:
aureport --success
Success Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 15:00:01.535
Selected time for report: 03/02/09 14:13:38 - 17/02/09 15:00:01.535
Number of changes in configuration: 13
Number of changes to accounts, groups, or roles: 0
Number of logins: 6
Number of failed logins: 0
Number of authentications: 7
Number of failed authentications: 0
Number of users: 1
Number of terminals: 7
Number of host names: 3
Number of executables: 16
Number of files: 215
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 558
Number of events: 3739
Create summary reports
In addition to the dedicated summary reports (the main summary and the failed and success summaries), the --summary option can be combined with most of the other report options to produce a summary for a particular area of interest only. Not all reports support this option, however. This example creates a summary report of user login events:
aureport -u -i --summary
User Summary Report
===========================
total auid
===========================
98975 root
41241 unset
640 mailman
13 jon
3 wilfred
Create a report of events
To get an overview of the events logged by audit, use the aureport “-e” command. This command generates a numbered list of all events including date, time, event number, event type, and audit ID.
aureport -e -ts 14:00 -te 14:21
Event Report
===================================
# date time event type auid success
===================================
1. 17/02/09 14:20:27 7462 DAEMON_START 0 yes
2. 17/02/09 14:20:27 7715 CONFIG_CHANGE 0 yes
3. 17/02/09 14:20:57 7716 USER_END 0 yes
4. 17/02/09 14:20:57 7717 CRED_DISP 0 yes
5. 17/02/09 14:21:09 7718 USER_LOGIN -1 no
6. 17/02/09 14:21:15 7719 USER_AUTH -1 yes
7. 17/02/09 14:21:15 7720 USER_ACCT -1 yes
8. 17/02/09 14:21:15 7721 CRED_ACQ -1 yes
9. 17/02/09 14:21:15 7722 LOGIN 0 yes
10. 17/02/09 14:21:15 7723 USER_START 0 yes
11. 17/02/09 14:21:15 7724 USER_LOGIN 0 yes
12. 17/02/09 14:21:15 7725 CRED_REFR 0 yes
Create a report from all process events
To analyze the log from a process’s point of view, use the aureport “-p” command. This command generates a numbered list of all process events including date, time, process ID, name of the executable, system call, audit ID, and event number.
aureport -p
Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 35
2. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 36
3. 13/02/09 15:38:34 32734 /usr/lib/gdm/gdm-session-worker 0 -1 37
Create a report from all system call events
To analyze the audit log from a system call’s point of view, use the aureport “-s” command. This command generates a numbered list of all system call events including date, time, number of the system call, process ID, name of the command that used this call, audit ID, and event number.
aureport -s
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 2 20343 cron -1 2279
2. 16/02/09 17:45:02 83 20350 mktemp 0 2284
3. 16/02/09 17:45:02 83 20351 mkdir 0 2285
Create a report from all executable events
To analyze the audit log from an executable’s point of view, use the aureport “-x” command. This command generates a numbered list of all executable events including date, time, name of the executable, the terminal it is run in, the host executing it, the audit ID, and event number.
aureport -x
Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/05/2017 22:00:01 /usr/sbin/crond cron ? 0 2532584
2. 01/05/2017 22:00:01 /usr/sbin/crond cron ? 0 2532585
3. 01/05/2017 22:00:01 /usr/sbin/crond cron ? 0 2532586
4. 01/05/2017 22:00:01 /usr/sbin/crond cron ? 0 2532587
5. 01/05/2017 22:00:01 /usr/sbin/crond cron ? 0 2532588
Convert numeric entities to text
Some information, such as user IDs, is printed in numeric form. To convert these values into human-readable names, use the -i flag.
aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1. 01/05/2017 22:00:01 /usr/sbin/crond cron ? root 2532584
2. 01/05/2017 22:00:01 /usr/sbin/crond cron ? root 2532585
3. 01/05/2017 22:00:01 /usr/sbin/crond cron ? root 2532586
4. 01/05/2017 22:00:01 /usr/sbin/crond cron ? root 2532587
5. 01/05/2017 22:00:01 /usr/sbin/crond cron ? root 2532588
Create a report about files
To generate a report from the audit log that focuses on file access, use the aureport “-f” command. This command generates a numbered list of all file-related events including date, time, name of the accessed file, number of the system call accessing it, success or failure of the command, the executable accessing the file, audit ID, and event number.
aureport -f
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16/02/09 17:45:01 /etc/shadow 2 yes /usr/sbin/cron -1 2279
2. 16/02/09 17:45:02 /tmp/ 83 yes /bin/mktemp 0 2284
3. 16/02/09 17:45:02 /var 83 no /bin/mkdir 0 2285
Create a report about users
To generate a report from the audit log that illustrates which users are running what executables on your system, use the aureport -u command. This command generates a numbered list of all user-related events including date, time, audit ID, terminal used, host, name of the executable, and an event ID.
aureport -u
User ID Report
====================================
# date time auid term host exe event
====================================
1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12
2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13
3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14
Create a report about logins
To create a report that focuses on login attempts to your machine, run the aureport -l command. This command generates a numbered list of all login-related events including date, time, audit ID, host and terminal used, name of the executable, success or failure of the attempt, and an event ID.
aureport -l -i
Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
Limit a report to a certain time frame
To analyze the logs for a particular time frame, such as only the working hours of Feb 16, 2009, first find out whether this data is contained in the current audit.log or whether it has been rotated out to another file, by running aureport -t:
aureport -t
Log Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636
In this case the current audit.log contains all the desired data. Otherwise, use the -if option to point the aureport commands at the log file that contains the needed data.
Then, specify the start date and time and the end date and time of the desired time frame and combine it with the report option needed. This example focuses on login attempts:
aureport -ts 02/16/09 8:00 -te 02/16/09 18:00 -l
Login Report
============================================
# date time auid host term exe success event
============================================
1. 16/02/09 12:39:05 root: 192.168.2.100 sshd /usr/sbin/sshd no 2108
2. 16/02/09 12:39:12 0 192.168.2.100 /dev/pts/1 /usr/sbin/sshd yes 2114
3. 16/02/09 13:09:28 root: 192.168.2.100 sshd /usr/sbin/sshd no 2131
4. 16/02/09 13:09:32 root: 192.168.2.100 sshd /usr/sbin/sshd no 2133
5. 16/02/09 13:09:37 0 192.168.2.100 /dev/pts/2 /usr/sbin/sshd yes 2139
The start date and time are specified with the “-ts” option. Any event that has a time stamp equal to or after your given start time appears in the report. If you omit the date, aureport assumes that you meant today. If you omit the time, it assumes that the start time should be midnight of the date specified.
Specify the end date and time with the -te option. Any event that has a time stamp equal to or before your given end time appears in the report. If you omit the date, aureport assumes that you meant today. If you omit the time, it assumes that the end time should be now. Use the same format for the date and time as for -ts.
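The login reports above list every attempt one per line, which is the right shape for a small script to turn into a per-host count of failed logins, the figure most worth watching in a time-windowed report. The script below is an added example (not part of this article and not an aureport feature) that reads aureport -l -i output on stdin and prints, per source host, how many login attempts failed, most failures first, plus a helper that lists hosts at or above a threshold. The report text in SAMPLE_REPORT is constructed for the example in the column layout shown above; on a live system the same functions are fed with a real report, for example aureport -l -i -ts today.

```shell
#!/bin/sh
# Added example: count failed logins per host from "aureport -l -i" output.
# SAMPLE_REPORT is constructed for this example in the Login Report layout
# (not real output).
SAMPLE_REPORT='Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 16/02/09 12:39:12 root 192.168.2.101 /dev/pts/1 /usr/sbin/sshd yes 2114
4. 16/02/09 13:09:28 root: 192.168.2.101 sshd /usr/sbin/sshd no 2131
5. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809'

# Read a Login Report on stdin; print "host count" for each host that had at
# least one failed login, most failures first (ties broken by host name).
# Report columns: 1=row number  2=date  3=time  4=auid  5=host  6=term
# 7=exe  8=success  9=event. Header and separator lines never start with
# "<digits>." and are skipped by the first pattern.
failed_logins_by_host() {
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no" { n[$5]++ }
         END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

# Read a Login Report on stdin; print only hosts whose failed-login count is
# at or above the threshold in $1 (default 2).
noisy_hosts() {
    threshold="${1:-2}"
    failed_logins_by_host | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | failed_logins_by_host
printf '%s\n' "$SAMPLE_REPORT" | noisy_hosts 2
```

Combined with the -ts/-te options described above, `aureport -l -i -ts 02/16/09 8:00 -te 02/16/09 18:00 | noisy_hosts 5` gives a quick answer to "which hosts failed to log in repeatedly during working hours", without reading the full report.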
Best practices for using auditctl
- Monitor config files like /etc/passwd, /etc/ssh/sshd_config, and /etc/sudoers.
- Set up alerts for unusual syscall activity.
- Regularly audit and tune your rules to match your evolving needs.
Need Help?
Reach out to our support team if you need additional assistance setting up or troubleshooting auditctl.