Linux Event Logs and Its Record Types – Detect & Respond


The word “auditing” is used in most technologies in a variety of contexts. As a SOC analyst, I hear the term “log auditing” at least a dozen times throughout a work shift. Mostly it will be related to Linux audit logs. The Linux Audit system is a useful feature for tracking security-related information. By using Linux auditing, all the machine/server behaviour can be monitored. The file /var/log/audit/audit.log contains log entries from the Audit system. There are moments when I truly can’t tell which event log is what. Since Linux audit logs differ greatly from Windows audit logs, most of us will find it difficult to understand it. However, handling Linux audit logs is simple if we are familiar with every field. I already published a blog article about a Linux Audit Logs cheatsheet. I discussed how to analyse Linux audit logs in that blog post, along with a brief explanation of each field name. I’ll now go over how to determine the activity it was associated with.

Every Linux audit log will have a field named “Type” that can be used to quickly identify the type of the activity. The list that follows will help to identify the type of activity in the Linux audit log:


  • Every audit event type that ends in RESP is meant to be a response from an intrusion detection system if it finds malicious activity on the system.
  • This kind of event is associated with the Integrity Measurement Architecture (IMA), which operates most effectively when paired with a Trusted Platform Module (TPM) chip.
  • An intrusion detection application is meant to process all audit event kinds that are prepended with ANOM.
Event TypeExplanation
ACCT_LOCKTriggered when a user-space user account is locked by the administrator.
ACCT_UNLOCKTriggered when a user-space user account is unlocked by the administrator.
ADD_GROUPTriggered when a user-space group is added.
ADD_USERTriggered when a user-space user account is added.
ANOM_ABEND1Triggered when a processes ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS1Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT1Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL1Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL1Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT1Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC1Triggered when an execution of a file ends abnormally.
ANOM_LINK1Triggered when suspicious use of file links is detected.
ANOM_LOGIN_ACCT1Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES1Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION1Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS1Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME1Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC1Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC1Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC1Triggered when a file is made executable.
ANOM_MOD_ACCT1Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS1Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL1Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL1Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS1Triggered when a user becomes root.
AVCTriggered to record an SELinux permission check.
AVC_PATHTriggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
BPRM_FCAPSTriggered when a user executes a program with a file system capability.
CAPSETTriggered to record the capabilities being set for process-based capabilities, for example, running as root to drop capabilities.
CHGRP_IDTriggered when a user-space group ID is changed.
CHUSER_IDTriggered when a user-space user ID is changed.
CONFIG_CHANGETriggered when the Audit system configuration is modified.
CRED_ACQTriggered when a user acquires user-space credentials.
CRED_DISPTriggered when a user disposes of user-space credentials.
CRED_REFRTriggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USERTriggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_IKE_SATriggered when an Internet Key Exchange Security Association is established.
CRYPTO_IPSEC_SATriggered when an Internet Protocol Security Association is established.
CRYPTO_KEY_USERTriggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGINTriggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUTTriggered when a cryptographic officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USERTriggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USERTriggered when a replay attack is detected.
CRYPTO_SESSIONTriggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USERTriggered to record cryptographic test results as required by the FIPS-140 standard.
CWDTriggered to record the current working directory.
DAC_CHECKTriggered to record DAC check results.
DAEMON_ABORTTriggered when a daemon is stopped due to an error.
DAEMON_ACCEPTTriggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSETriggered when the auditd daemon closes a remote connection.
DAEMON_CONFIGTriggered when a daemon configuration change is detected.
DAEMON_ENDTriggered when a daemon is successfully stopped.
DAEMON_ERRTriggered when an auditd daemon internal error is detected.
DAEMON_RESUMETriggered when the auditd daemon resumes logging.
DAEMON_ROTATETriggered when the auditd daemon rotates the Audit log files.
DAEMON_STARTTriggered when the auditd daemon is started.
DEL_GROUPTriggered when a user-space group is deleted
DEL_USERTriggered when a user-space user is deleted
DEV_ALLOCTriggered when a device is allocated.
DEV_DEALLOCTriggered when a device is deallocated.
EOETriggered to record the end of a multi-record event.
EXECVETriggered to record arguments of the execve(2) system call.
FANOTIFYTriggered when an fanotify access decision is made.
FD_PAIRTriggered to record the use of the pipe and socketpair system calls.
FEATURE_CHANGETriggered when an Audit feature changed value.
FS_RELABELTriggered when a file system relabel operation is detected.
GRP_AUTHTriggered when a group password is used to authenticate against a user-space group.
GRP_CHAUTHTOKTriggered when a group account password or PIN is modified.
GRP_MGMTTriggered to record user-space group account attribute modification.
INTEGRITY_DATA2Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_EVM_XATTR2Triggered when an EVM-covered extended attribute is modified.
INTEGRITY_HASH2Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA2Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR2Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE2Triggered to record a policy rule.
INTEGRITY_STATUS2Triggered to record the status of integrity verification.
IPCTriggered to record information about a Inter-Process Communication object referenced by a system call.
IPC_SET_PERMTriggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERN_MODULETriggered to record a kernel module name on load or unload.
KERNELTriggered to record the initialization of the Audit system.
KERNEL_OTHERTriggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGETriggered when an object’s level label is modified.
LABEL_OVERRIDETriggered when an administrator overrides an object’s level label.
LOGINTriggered to record relevant login information when a user log in to access the system.
MAC_CALIPSO_ADDTriggered when a NetLabel CALIPSO DOI entry is added.
MAC_CALIPSO_DELTriggered when a NetLabel CALIPSO DOI entry is deleted.
MAC_CHECKTriggered when a user space MAC (Mandatory Access Control) decision is made.
MAC_CIPSOV4_ADDTriggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DELTriggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGETriggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENTTriggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADDTriggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DELTriggered when an existing LSM domain mapping is deleted. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOADTriggered when a SELinux policy file is loaded.
MAC_STATUSTriggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOWTriggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADDTriggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDELTriggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAPTriggered to record a file descriptor and flags of the mmap(2) system call.
MQ_GETSETATTRTriggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes.
MQ_NOTIFYTriggered to record arguments of the mq_notify(3) system call.
MQ_OPENTriggered to record arguments of the mq_open(3) system call.
MQ_SENDRECVTriggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFGTriggered when Netfilter chain modifications are detected.
NETFILTER_PKTTriggered to record packets traversing Netfilter chains.
OBJ_PIDTriggered to record information about a process to which a signal is sent.
PATHTriggered to record file name path information.
PROCTITLEGives the full command-line that triggered this Audit event, triggered by a system call to the kernel.
RESP_ACCT_LOCK3Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED3Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE3Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED3Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT3Triggered when an alert email is sent.
RESP_ANOMALY3Triggered when an anomaly was not acted upon.
RESP_EXEC3Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT3Triggered when the system is shut down.
RESP_KILL_PROC3Triggered when a process is terminated.
RESP_SEBOOL3Triggered when an SELinux Boolean value is set.
RESP_SINGLE3Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS3Triggered when a session is terminated.
RESP_TERM_LOCK3Triggered when a terminal is locked.
ROLE_ASSIGNTriggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFYTriggered when an administrator modifies an SELinux role.
ROLE_REMOVETriggered when an administrator removes a user from an SELinux role.
SECCOMPTriggered when a SECure COMPuting event is detected.
SELINUX_ERRTriggered when an internal SELinux error is detected.
SERVICE_STARTTriggered when a service is started.
SERVICE_STOPTriggered when a service is stopped.
SOCKADDRTriggered to record a socket address.
SOCKETCALLTriggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SOFTWARE_UPDATETriggered to record software update events.
SYSCALLTriggered to record a system call to the kernel.
SYSTEM_BOOTTriggered when the system is booted up.
SYSTEM_RUNLEVELTriggered when the system’s run level is changed.
SYSTEM_SHUTDOWNTriggered when the system is shut down.
TESTTriggered to record the success value of a test message.
TIME_ADJNTPVALTriggered when the system clock is modified.
TIME_INJOFFSETTriggered when a Timekeeping offset is injected to the sytem clock.
TRUSTED_APPThe record of this type can be used by third party application that require auditing.
TTYTriggered when TTY input was sent to an administrative process.
USER_ACCTTriggered when a user-space user authorization attempt is detected.
USER_AUTHTriggered when a user-space user authentication attempt is detected.
USER_AVCTriggered when a user-space AVC message is generated.
USER_CHAUTHTOKTriggered when a user account password or PIN is modified.
USER_CMDTriggered when a user-space shell command is executed.
USER_DEVICETriggered when a user-space hotplug device is changed.
USER_ENDTriggered when a user-space session is terminated.
USER_ERRTriggered when a user account state error is detected.
USER_LABELED_EXPORTTriggered when an object is exported with an SELinux label.
USER_LOGINTriggered when a user logs in.
USER_LOGOUTTriggered when a user logs out.
USER_MAC_POLICY_LOADTriggered when a user-space daemon loads an SELinux policy.
USER_MGMTTriggered to record user-space user account attribute modification.
USER_ROLE_CHANGETriggered when a user’s SELinux role is changed.
USER_SELINUX_ERRTriggered when a user-space SELinux error is detected.
USER_STARTTriggered when a user-space session is started.
USER_TTYTriggered when an explanatory message about TTY input to an administrative process is sent from user-space.
USER_UNLABELED_EXPORTTriggered when an object is exported without SELinux label.
USYS_CONFIGTriggered when a user-space system configuration change is detected.
VIRT_CONTROLTriggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_IDTriggered to record the binding of a label to a virtual machine.
VIRT_RESOURCETriggered to record resource assignment of a virtual machine.


Let’s see few scenarios with the above types:

Case 1:

Raw log:

Time= 4/28/24 16:41:07:000 PM node= anulinux type=ACCT_LOCK msg=audit(65432.657.987): pid=2341 uid=0 auid=3424567 ses=753456326 subj=system_u:system_r:passwd_t:s0 msg=`op=locked-password id=2000 exe=\”/usr/bin/passwd\” hostname=anulinux addr=? terminal=? res=success UID=\”root\” AUID=”anu”


ACCT_LOCK = Triggered when a user-space user account is locked by the administrator.

  • In the above log, the event type observed as “ACCT_LOCK”, which states as the account “anu” is locked.
  • The message observed as “locked-password”, which states as the account is locked due to password. The account might be locked for using incorrect/expired password while trying to login the linux account.

Case 2:

Raw log:

Time= 4/28/24 16:50:07:000 PM node= anulinux type=USER_CHAUTHTOK msg=audit(4353566765.645.7545): pid=1806 uid=0 auid=3424567 ses=7648 msg=`op=updating-password id=2001 exe=\”/usr/sbin/usermod\” hostname=anulinux addr=? terminal=? res=success UID=\”root\” AUID=”anu”


USER_CHAUTHTOK = Triggered when a user account password or PIN is modified.

  • In the above log, the event type observed as “USER_CHAUTHTOK”, which states as the password/pin reset was done for the account “anu”. The message observed as “updating-password” and the result observed as “success”. So from the above log, could confirm that the password was updated for the account “anu”.

Case 3:

Raw log:

Time= 4/28/24 17:00:34:000 PM node= anulinux type= NETFILTER_CFG  msg=audit(4353566765.645.7545): table=filter:54234 familiy=4 entries=3 op=nft_register_rule pid=1807 comm=\”iptables”\


NETFILTER_CFG = Triggered when Netfilter chain modifications are detected.

  • What is Netfilter? It is a packet filter and firewall implemented in the standard Linux kernel. The user space iptables tool is used for configuration and it is just a command-line tool used to add or remove netfilter rules. It supports packet filtering (stateless or stateful), many kinds of network address and port translation (NAT/NAPT), and multiple API layers for third-party extensions.  
  • In the above log, the event type observed as “NETFILTER_CFG ”, which states that configuration changes was done on the firewall level for the host “anulinux”.

Case 4:

USER_AUTH = fail username= anu ipaddress =


  • When you see “USER_AUTH = fail” in the audit log, it means that someone attempted to authenticate (such as logging in) to the system, but the attempt was unsuccessful. Most of the times happens when SSH and SFTP brute force attempts to login to your server.
  • Using the USER_AUTH will help analyst to see attacker brute force attempts are success or failure.


With the above event types, it’s easy to identify the linux audit log events and to understand the scenario.


Previous articleWhat is Solana? The Comeback of Solana in 2024
Next articleThe Role of Managed IT Support in Cybersecurity Regulatory Compliance 
Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst


Please enter your comment!
Please enter your name here