Displaying audit trail information

Displaying information from multiple logs

The auditrpt command will retrieve audit information from the current log file if auditing is enabled and no log files are specified on the command line. To retrieve audit information from one or more previous log files specify the log file names as command line arguments.

For example, to display all audit information for the user boris in the log files /var/audit/0215001 and /var/audit/0216001, enter the following command:

auditrpt -u boris /var/audit/0214001 /var/audit/0215001

It is not necessary for auditing to be enabled to process previous log files.

The auditing subsystem keeps sequence information in each log file. If you specify a series of log files, auditrpt will check this sequence information to ensure that all log files are in the correct order and that no log files in a sequence are missing. If there are any problems, auditrpt displays the following warning message and continues processing:

event log file(s) are not in sequence or missing

To minimize the size of the audit event log file, the auditing subsystem records process context information only for new processes, whenever that information changes, or when an audit log full SWITCH condition occurs. A process can be audited for more than one event, so repeating the full process information in every audit record for that process would be redundant. The auditrpt command instead reconstructs the process information for each audit record that is displayed. If log files are not in sequence or are missing, auditrpt may not find all the information it needs, and the following warning message is displayed:

credential information for Ppid is incomplete
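Because auditrpt prints both warnings above and then continues, a report that looks complete may have been built from a trail with gaps. The wrapper below is an added example, not part of the SCO documentation: it runs auditrpt over a list of previous log files for one user and turns either warning into a non-zero exit status so that a scripted review cannot silently accept an incomplete trail. It assumes that the warnings appear in auditrpt's output (stdout or stderr, so both are captured) and that the command exits 0 after warning; the AUDITRPT variable lets the command path be overridden.

```shell
#!/bin/sh
# Added example (not from the SCO documentation): wrap auditrpt so that the two
# integrity warnings described in the text fail the report instead of being
# lost in its output. AUDITRPT defaults to the real command on the system.
AUDITRPT="${AUDITRPT:-auditrpt}"

# Usage: audit_user_report USER LOGFILE...
# Prints auditrpt's output unchanged. Returns 0 when no integrity warning was
# seen, 2 when auditrpt reported log files out of sequence/missing or
# incomplete credential information, and auditrpt's own status if it failed.
audit_user_report() {
    user=$1
    shift
    # Assumption: warnings may go to stdout or stderr, so capture both.
    out=$("$AUDITRPT" -u "$user" "$@" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    [ "$rc" -ne 0 ] && return "$rc"

    # Warning text exactly as documented for out-of-sequence or missing logs.
    if printf '%s\n' "$out" | grep -q 'not in sequence or missing'; then
        echo "WARNING: audit trail has gaps; the report may be incomplete" >&2
        return 2
    fi
    # Documented warning when process context could not be reconstructed.
    if printf '%s\n' "$out" | grep -q 'credential information for .* is incomplete'; then
        echo "WARNING: process context missing for some records; review earlier logs" >&2
        return 2
    fi
    return 0
}

# Stand-alone use: audit_user_report boris /var/audit/0215001 /var/audit/0216001
if [ "$#" -ge 2 ]; then
    audit_user_report "$@"
fi
```

Pass the log files in the order they were written; the wrapper does not reorder them, because auditrpt's own sequence check is the authoritative test and reordering would only hide a genuine gap.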


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005