The Linux Audit Framework (auditd) is a powerful system for tracking security-relevant events on Linux servers. It records file access, privilege escalation attempts, user authentication, and system call activity — providing the forensic trail needed for security investigations and compliance requirements. This guide covers practical auditd log analysis techniques for detecting threats and maintaining system integrity.
Understanding the Linux Audit Framework
The audit framework consists of several components: the kernel audit subsystem that generates events, the auditd daemon that writes logs, auditctl for runtime rule management, and analysis tools like ausearch and aureport. Audit logs are stored in /var/log/audit/audit.log by default.
Each audit event contains a timestamp, event type, user ID (uid), audit user ID (auid, the original login user), process information, and the result (success/failure). The auid field is especially important because it is set once at login and does not change across su/sudo transitions, so it identifies the original user even after a privilege switch.
Essential ausearch Queries
The ausearch command is your primary tool for finding specific events:
# Failed login attempts
ausearch -m USER_LOGIN --success no
# Privilege escalation events
ausearch -m USER_CMD -ts today
# File access on sensitive files
ausearch -f /etc/shadow -ts recent
# Events by specific user
ausearch -ua 1000 -ts today
Generating Audit Reports with aureport
For summary analysis, aureport provides statistical breakdowns:
# Authentication report
aureport -au --summary
# Failed events summary
aureport --failed --summary
# File access report
aureport -f --summary
# User activity report
aureport -u --summary
Detecting Privilege Escalation
Privilege escalation is one of the most critical events to monitor. Set up audit rules to track sudo usage, su commands, and SUID binary execution:
# Watch sudo configuration
auditctl -w /etc/sudoers -p wa -k sudo_changes
# Watch passwd/shadow changes
auditctl -w /etc/passwd -p wa -k identity_changes
auditctl -w /etc/shadow -p wa -k identity_changes
# Watch for privilege escalation: execve by a root-privileged process whose login user is a regular account
# (auid!=4294967295 excludes daemons and boot-time processes whose login uid was never set; the unset value
# is 4294967295 and would otherwise satisfy auid>=1000 and flood the key with noise)
auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privilege_escalation
auditctl -a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privilege_escalation
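As an added example (not code from this page or from the dargslan-audit-log tool), the script below shows how the record format described above is actually parsed and how the detections behind the ausearch and auditctl examples work on raw log text: it splits audit.log lines into key=value fields (including the nested msg='...' level that USER_* records carry), groups records that share an event serial (SYSCALL + PATH + EXECVE), counts failed USER_LOGIN records per account, flags execve by a root-privileged process whose auid is a regular login, and lists events tagged with an auditctl -k key together with the paths from their PATH records. The sample log lines are constructed, not taken from a real host; syscall number 59 is execve on x86_64 (arch=c000003e), and the check deliberately excludes the unset auid value 4294967295, which a plain auid>=1000 comparison would otherwise match for daemons such as cron.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in native audit.log layout (not from any real system).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000003.102:202): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000010.103:203): pid=1205 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000050.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=2200 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="privilege_escalation"
type=EXECVE msg=audit(1700000050.104:204): argc=1 a0="bash"
type=SYSCALL msg=audit(1700000060.105:205): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e0 a2=241 a3=1b6 items=2 ppid=2210 pid=2230 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="sudo_changes"
type=PATH msg=audit(1700000060.105:205): item=1 name="/etc/sudoers" inode=1234 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000070.106:206): arch=c000003e syscall=59 success=yes exit=0 a0=55f0 a1=55f1 a2=55f2 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="privilege_escalation"
"""

UNSET_AUID = 4294967295          # kernel value for "login uid never set" (daemons, boot-time processes)
X86_64_ARCH = "c000003e"         # arch field value for 64-bit x86 records
EXECVE_X86_64 = "59"             # syscall numbers are per-architecture; 59 is execve on x86_64

FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
HEADER_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Parse one audit.log line into a flat dict, or return None for non-audit text.

    The outer record is whitespace-separated key=value pairs. USER_* records carry a
    second level inside msg='...'; those inner pairs are flattened into the same dict
    (outer keys win if both levels define the same name).
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    body = line[:m.start()] + line[m.end():]
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith("'"):
            for ikey, iraw in FIELD_RE.findall(raw[1:-1]):
                rec.setdefault(ikey, iraw.strip('"'))
            continue
        rec[key] = raw.strip('"')
    return rec


def parse_log(text):
    """Group records sharing an event serial (SYSCALL + PATH + EXECVE ...) in serial order."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return [events[s] for s in sorted(events)]


def failed_logins(events):
    """Failed USER_LOGIN records per account, the data behind 'ausearch -m USER_LOGIN --success no'."""
    counts = Counter()
    for recs in events:
        for r in recs:
            if r.get("type") == "USER_LOGIN" and r.get("res") == "failed":
                counts[r.get("acct", "?")] += 1
    return counts


def privilege_escalations(events):
    """(serial, auid, exe) for execve run with euid 0 by a real login user.

    Mirrors the auditctl rule above and adds the auid!=unset condition: the unset value
    4294967295 compares as >= 1000, so daemons would otherwise be reported.
    """
    hits = []
    for recs in events:
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("arch") != X86_64_ARCH:
            continue
        auid = int(sc["auid"])
        if sc["syscall"] == EXECVE_X86_64 and sc["euid"] == "0" \
                and auid >= 1000 and auid != UNSET_AUID:
            hits.append((sc["serial"], auid, sc["exe"]))
    return hits


def keyed_events(events, key):
    """(serial, auid, exe, paths) for events tagged with an auditctl -k key, e.g. sudo_changes."""
    out = []
    for recs in events:
        sc = next((r for r in recs if r.get("type") == "SYSCALL" and r.get("key") == key), None)
        if sc is None:
            continue
        paths = [r["name"] for r in recs if r.get("type") == "PATH"]
        out.append((sc["serial"], int(sc["auid"]), sc["exe"], paths))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed logins per account:", dict(failed_logins(evs)))
    print("privilege escalation events:", privilege_escalations(evs))
    print("sudo_changes events:", keyed_events(evs, "sudo_changes"))
```

Run it as-is to see the three detections over the embedded sample; point parse_log at the contents of /var/log/audit/audit.log to run them over a real file. Note that the cron record (serial 206) is tagged privilege_escalation because its auid is the unset value, yet privilege_escalations() drops it, which is exactly the noise the auid!=4294967295 filter removes at the rule level.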
Automating Audit Log Analysis
For automated analysis, our dargslan-audit-log tool parses audit logs and highlights security events:
pip install dargslan-audit-log
dargslan-auditlog report # Full analysis report
dargslan-auditlog privesc # Privilege escalation events
dargslan-auditlog failed # Failed events listing
dargslan-auditlog json # JSON for SIEM integration
Compliance and Best Practices
- Enable auditd on all production servers
- Monitor failed authentication attempts daily
- Track changes to critical system files (/etc/passwd, /etc/shadow, /etc/sudoers)
- Retain audit logs for at least 90 days (or per your compliance requirements)
- Forward logs to a central SIEM for correlation analysis
- Review aureport summaries weekly for anomaly detection
Download our free Linux Audit Log Analysis Cheat Sheet for essential ausearch and aureport commands. Explore our Security & Hardening eBooks for comprehensive Linux security training.