====== Ubuntu - Auditing - View audit reports ======
**aureport** is a tool that produces summary reports of the audit system log.
Without any parameters, **aureport** will generate a summary report of audit activity.
sudo aureport
result:
Summary Report
======================
Range of time in logs: 16/07/16 01:32:46.053 - 16/07/16 10:34:01.482
Selected time for report: 16/07/16 01:32:46 - 16/07/16 10:34:01.482
Number of changes in configuration: 2
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 4
Number of terminals: 14
Number of host names: 6
Number of executables: 107
Number of commands: 155
Number of files: 186
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 33
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 8
Number of process IDs: 29325
Number of events: 31471
This shows some important information.
For example, it shows that there was a failed authentication.
----
Using **aureport**, we can drill down to that information.
We can use this command to look deeper on failed authentication:
sudo aureport -au
result:
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 16/07/16 07:21:50 anonymous ::ffff:198.20.70.114 ftp /usr/sbin/vsftpd no 3104248
2. 16/07/16 09:07:47 peter ? /dev/pts/0 /usr/bin/sudo yes 3106600
3. 16/07/16 10:33:53 peter ? /dev/pts/0 /usr/bin/sudo yes 3107479
Row 1 has a "**no**" near the end of the line, which indicates that authentication failed.
----
===== Check all events related to account modification =====
Use the **-m** parameter.
sudo areport -m
result:
=================================================
# date time auid addr term exe acct success event
=================================================