Viewing Audit Logs
$ tail -f /var/log/audit/audit.log
Listing Audit Rules
$ auditctl -l
Adding Audit Rules
Adding File System Rules
$ auditctl -w /var/lib/pki/pki-tomcat/conf/server.xml -p wa
Adding System Call Rules
$ auditctl -a always,exit -S all -F auid=pkiuser
Removing Audit Rules
Removing File System Rules
$ auditctl -W /var/lib/pki/pki-tomcat/conf/server.xml -p wa
Removing System Call Rules
$ auditctl -d always,exit -S all -F auid=pkiuser
Searching Audit Logs
$ ausearch --uid pkiuser
$ ausearch -k <keyword>
$ ausearch --interpret -k <keyword>
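An added example, not part of the original page: a small Python parser showing how the raw records in /var/log/audit/audit.log are correlated into events and filtered by key, which is what ausearch -k does for you. The log lines are constructed, the key pki-server-conf is hypothetical (it assumes the watch was added with -k pki-server-conf), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit.log format (not from a real host).
# The key "pki-server-conf" is hypothetical: it assumes -k pki-server-conf on the watch.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 comm="vi" exe="/usr/bin/vi" key="pki-server-conf"
type=CWD msg=audit(1700000000.123:101): cwd="/root"
type=PATH msg=audit(1700000000.123:101): item=0 name="/var/lib/pki/pki-tomcat/conf/" nametype=PARENT
type=PATH msg=audit(1700000000.123:101): item=1 name="/var/lib/pki/pki-tomcat/conf/server.xml" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.456:102): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=900 auid=4294967295 uid=17 gid=17 comm="java" exe="/usr/bin/java" key=(null)
type=PATH msg=audit(1700000050.456:102): item=0 name=2F746D702F612062 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODED = {"name", "exe", "comm", "cwd"}  # written as bare hex when the value is unsafe

def decode(field, value):
    """Strip quotes; hex-decode unquoted values of fields that auditd may encode."""
    if value.startswith('"'):
        return value[1:-1]
    if field in ENCODED and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_events(text):
    """Group records that share the same msg=audit(timestamp:serial) into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: decode(k, v) for k, v in FIELD.findall(body)}
        ev = events[f"{ts}:{serial}"]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev.update(fields)  # auid, uid, exe, key, ... live on the SYSCALL record
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name"))
    return dict(events)

def events_with_key(text, key):
    """Return only the events whose SYSCALL record carries the given rule key."""
    return {eid: ev for eid, ev in parse_events(text).items() if ev.get("key") == key}

if __name__ == "__main__":
    for eid, ev in events_with_key(SAMPLE_LOG, "pki-server-conf").items():
        print(eid, "auid=" + ev["auid"], "uid=" + ev["uid"], ev["exe"], ev["paths"])
```

In the second constructed event the process has auid=4294967295, the value the kernel records when no login UID is set, as for a daemon started by the init system. A rule or search that filters on auid matches only activity that originates from a login session.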