Audit Log

audit.log is the log file written by the Linux Audit daemon (auditd), which receives events from the kernel's audit subsystem and records those that match the rules the administrator has loaded (with auditctl, or from the rule files auditd reads at start). Each record carries a timestamp and serial number, the record type, whether the operation succeeded, and the process and user context of the event. The file normally lives at /var/log/audit/audit.log. Because it captures who did what, as which user, at what time, it is a primary source for forensic reconstruction of actions on a host.

Here is an example SYSCALL record, shown on one line as it appears in the file.

type=SYSCALL msg=audit(1626369130.992:9876): arch=c000003e syscall=2 success=yes exit=3 a0=7ffeefbff4f0 a1=941 a2=1b6 a3=7ffeefbff4c0 items=2 ppid=2636 pid=2637 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="touch" exe="/usr/bin/touch" key="file-create"

  • type=SYSCALL: The record type. A SYSCALL record describes one system call, the interface through which a user-space process requests a service from the kernel. The other records generated by the same call (CWD, PATH) follow it in the file.

  • msg=audit(1626369130.992:9876): The event identifier: a Unix timestamp in seconds with millisecond precision, followed by a serial number. It is unique per event, not per record. The SYSCALL, CWD and PATH records produced by one system call all carry the same identifier, which is how ausearch (or any parser) reassembles an event from its records.

  • arch=c000003e: The architecture the syscall was made under, as an AUDIT_ARCH_* constant in hex; c000003e is AUDIT_ARCH_X86_64. This field matters because syscall numbers are architecture-specific: a 32-bit process on the same host logs arch=40000003 (i386) and uses a different numbering, so rules written with -F arch=b64 do not match it.

  • syscall=2: The system call number, interpreted relative to arch; 2 is open on x86_64 (the ausyscall utility translates numbers to names for a given architecture). Rules that match on open should normally also cover openat (257 on x86_64), since modern libc and tools often reach the kernel through openat rather than open.

  • success=yes: Whether the call succeeded. Failed calls (success=no) are still logged when they match a rule, and are often the more interesting ones for an investigator, such as repeated failed opens of a sensitive file.

  • exit=3: The return value of the system call. Here it is the file descriptor that open returned; on failure it holds the negative errno (for example exit=-13 for EACCES or exit=-2 for ENOENT).

  • a0=7ffeefbff4f0 a1=941 a2=1b6 a3=7ffeefbff4c0: The first four syscall arguments in hex, logged without interpretation; their meaning depends on the syscall. For open, a0 is the pointer to the pathname (the name itself appears in the PATH records), a1 the flags and a2 the mode: 0x941 is O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK and 0x1b6 is mode 0666, consistent with touch creating a new file. a3 is unused by open.

  • items=2: The number of PATH records that follow for this event. Creating a file involves two: item 0 is the parent directory and item 1 the new file, each with its name, inode, owner and a nametype (PARENT, CREATE, NORMAL or DELETE).

  • ppid=2636 pid=2637: pid is the process that made the system call and ppid is its parent. Neither is stable across reboots or after the process exits, so correlate them with other records from the same time window rather than treating them as identities.

  • auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000: The process's user and group identities. auid is the audit (login) user ID, set by pam_loginuid when the user authenticated and inherited unchanged through su, sudo and setuid programs; it is the field to trust when asking who was really behind an action, and a mismatch between auid and uid shows that the login user switched identity. A value of 4294967295 (unsigned -1) means no login UID was ever set, typical of daemons and their children. uid and gid are the real IDs, euid and egid the effective IDs used for permission checks, suid and sgid the saved IDs, and fsuid and fsgid the IDs used for filesystem access checks.

  • tty=pts0: The controlling terminal of the process; tty=(none) means the process had no terminal, as with cron jobs and daemons.

  • ses=2: The audit session ID. It is assigned at login by pam_loginuid together with auid and inherited by every process spawned in that login session (shells, commands, applications), so it groups everything one login did; ausearch --session 2 retrieves all of it.

  • comm="touch": The process's command name as the kernel tracks it: the first 15 characters of the executable's basename, or whatever the process last set with prctl(PR_SET_NAME). It is not the full command line, and a process can change it freely, so treat it as a hint rather than evidence.

  • exe="/usr/bin/touch": The path of the executable, taken from the kernel's view of the process image, so it is harder to spoof than comm. If the binary was deleted after it started, the path is suffixed with " (deleted)".

  • key="file-create": An optional label attached by the audit rule that matched, set with the -k option of auditctl. It exists purely to make retrieval easy: ausearch -k file-create returns every event that rule recorded.
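The following is an added example, not code from the original page or from the audit project, that parses records in this key=value format and decodes the fields explained above: it groups records by their msg=audit(ts:serial) event ID, translates arch and syscall numbers (an x86_64 subset), decodes the open flags and mode from the right argument slots for open versus openat, turns a negative exit into its errno name, and flags an auid/uid mismatch. The SYSCALL record is the one from the page; the CWD and PATH records for it, and the whole second event (a sudo'd user reading /etc/shadow), are constructed sample input.

```python
"""Parse and decode Linux audit.log records (added example, not from the page)."""
import errno
import re
from collections import OrderedDict, defaultdict

# The SYSCALL record from the page, followed by CONSTRUCTED CWD/PATH records for the
# same event and a CONSTRUCTED second event (login user 1000 acting as root via sudo).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1626369130.992:9876): arch=c000003e syscall=2 success=yes exit=3 a0=7ffeefbff4f0 a1=941 a2=1b6 a3=7ffeefbff4c0 items=2 ppid=2636 pid=2637 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="touch" exe="/usr/bin/touch" key="file-create"
type=CWD msg=audit(1626369130.992:9876): cwd="/home/alice"
type=PATH msg=audit(1626369130.992:9876): item=0 name="/home/alice" inode=131074 dev=fd:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1626369130.992:9876): item=1 name="/home/alice/new.txt" inode=131099 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=CREATE
type=SYSCALL msg=audit(1626369131.105:9877): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a1c3e40 a2=0 a3=0 items=1 ppid=2710 pid=2711 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=PATH msg=audit(1626369131.105:9877): item=0 name="/etc/shadow" inode=2625 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
EVENT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(timestamp:serial)
UNSET_AUID = 4294967295                               # (unsigned)-1: no login uid was set

# arch= is AUDIT_ARCH_*: ELF machine | 0x80000000 (64-bit) | 0x40000000 (little-endian)
ARCH = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}
# Syscall numbers are architecture-specific; this subset is x86_64 (full table: ausyscall --dump)
SYSCALL_X86_64 = {2: "open", 257: "openat", 59: "execve", 87: "unlink", 263: "unlinkat", 101: "ptrace"}
# Which argument slots carry the flags and mode: open(path, flags, mode) vs openat(dirfd, path, flags, mode)
OPEN_ARG_SLOTS = {"open": (1, 2), "openat": (2, 3)}
O_FLAGS = [("O_WRONLY", 0x1), ("O_RDWR", 0x2), ("O_CREAT", 0x40), ("O_EXCL", 0x80),
           ("O_NOCTTY", 0x100), ("O_TRUNC", 0x200), ("O_APPEND", 0x400), ("O_NONBLOCK", 0x800)]


def parse_record(line):
    """Split one record into an ordered dict; strips quotes and extracts timestamp, serial, event_id."""
    rec = OrderedDict((k, v.strip('"')) for k, v in FIELD_RE.findall(line))
    m = EVENT_RE.search(rec["msg"])
    rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    rec["event_id"] = m.group(1) + ":" + m.group(2)
    return rec


def group_events(text):
    """Group records by event id: every record produced by one syscall shares audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]].append(rec)
    return events


def decode_open_flags(hexval):
    """Decode a hex-logged open(2) flags argument into names; O_RDONLY is the all-zero access mode."""
    v = int(hexval, 16)
    names = [name for name, bit in O_FLAGS if v & bit]
    if v & 0x3 == 0:
        names.insert(0, "O_RDONLY")
    return names


def decode_exit(exit_str, success):
    """exit= is the raw return value; when success=no it is -errno, so name the error."""
    v = int(exit_str)
    if success == "no" and v < 0:
        return v, errno.errorcode.get(-v, "E?")
    return v, None


def summarize_event(records):
    """Fold a SYSCALL record and its PATH records into one analyst-friendly dict."""
    sc = next(r for r in records if r["type"] == "SYSCALL")
    paths = [r for r in records if r["type"] == "PATH"]
    name = SYSCALL_X86_64.get(int(sc["syscall"])) if ARCH.get(sc["arch"]) == "x86_64" else None
    auid, uid = int(sc["auid"]), int(sc["uid"])
    out = {
        "event_id": sc["event_id"],
        "arch": ARCH.get(sc["arch"], sc["arch"]),
        "syscall": name or sc["syscall"],
        "exit": decode_exit(sc["exit"], sc["success"]),
        "comm": sc["comm"], "exe": sc["exe"], "key": sc.get("key"),
        "auid": "unset" if auid == UNSET_AUID else auid,
        # auid survives su/sudo, so auid != uid means the login user is acting as someone else
        "identity_switch": auid != UNSET_AUID and auid != uid,
        "created": [p["name"] for p in paths if p.get("nametype") == "CREATE"],
        "touched": [p["name"] for p in paths],
    }
    if name in OPEN_ARG_SLOTS:
        fi, mi = OPEN_ARG_SLOTS[name]
        out["flags"] = decode_open_flags(sc["a%d" % fi])
        # the mode argument is only meaningful when O_CREAT is set
        out["mode"] = "%04o" % int(sc["a%d" % mi], 16) if "O_CREAT" in out["flags"] else None
    return out


if __name__ == "__main__":
    for ev in group_events(SAMPLE_LOG).values():
        print(summarize_event(ev))
```

Run it as a script to print one summary per event; the second event shows identity_switch set because auid stays 1000 while uid is 0. Feed it real data with `ausearch -k file-create --raw` or by reading /var/log/audit/audit.log directly; the syscall table and flag slots would need extending for other architectures and syscalls.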