Displaying information from the audit log
The auditrpt command allows the administrator
to display either the entire contents of a log file or selected portions of it.
In addition, audit information can be retrieved from
either the current log file or one or more previous
log files.
If no options or arguments are specified, the entire current
audit event log file will be displayed in the order in which events
were recorded.
Auditing must be enabled to view a current log file.
Selected portions of an audit event log file may be displayed based
on one or more of the following criteria:
- event type (-e option)
- user id (-u option)
- object id (-f option)
- object type (-t option)
- security level (-l option) -
  Normally this will return nothing, as security levels are not
  supported in the current release. However, if the system
  that generated the audit log was running an earlier release that
  supported Mandatory Access Control (MAC), this option may return
  events.
- security level range (-r option) -
  Normally this will return nothing, as security levels are not
  supported in the current release. However, if the system
  that generated the audit log was running an earlier release that
  supported Mandatory Access Control (MAC), this option may return
  events.
- time interval (-s and/or -h options)
- event status: failure or success (-a option)
- privileges used (-p option)
- miscellaneous event subtype (-v option)
- LWP ID (-x option)
Additionally, the -i option may be used to specify that the log file is to be
taken from standard input.
To further assist the administrator, the auditrpt command has the ability to:
- display the audit records in reverse chronological order (-b option)
- display audit records as they are being written to the audit event
  log file (-w option)
- specify a directory containing the audit map files (-m option)
© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999