kernel audit-logs search
Search audit logs within a time window. Results are ordered newest first.
--limit controls the total number of CLI results. The CLI automatically requests API pages of up to 100 records until it reaches that limit or runs out of results.Include GET requests
GET requests are excluded by default to reduce noise:kernel audit-logs download
Download matching audit logs in a time window as one gzip-compressed JSONL file.
--start and --end are required. The start is inclusive and the end is exclusive, and the time window can cover up to 30 days.
Date-only values represent midnight UTC. For example,
--start 2026-06-01 --end 2026-07-01 covers all of June in UTC.
Download behavior
The command downloads up to 50,000 records at a time and appends each chunk to<output>.partial. Before writing a chunk, it verifies the SHA-256 checksum returned by the API.
A chunk is attempted up to seven times when a network error, HTTP 429, HTTP 5xx, truncated response, or checksum mismatch occurs. Retries use exponential backoff capped at eight seconds.
The CLI renames the temporary file to the requested output only after every chunk transfers successfully. If a transfer fails, it removes the incomplete temporary file. If the final rename fails, the completed download remains at <output>.partial. Downloads don’t resume across CLI runs; rerunning the command starts again from the beginning.
The command refuses to replace an existing output unless you pass --force.
Aliases
You can also usekernel audit-log, kernel auditlogs, or kernel auditlog.