drop auditd log files or ausearch exports · parse syscall events · file access audit · user login · privilege escalation · command execution · correlate multi-record events · reconstruct attack timeline · runs locally
auditd log
drop audit.log / ausearch / aureport
or click
drop audit.log · ausearch export · aureport csv