auditreduce [options] [audit-trail-file]...
The merge function merges together audit records from one or more input audit trail files into a single output file. The records in an audit trail file are assumed to be sorted in chronological order (oldest first) and this order is maintained by auditreduce in the output file.
Unless instructed otherwise, auditreduce will merge the entire audit trail, which consists of all the audit trail files in the directory structure audit_root_dir/*/files. Unless specified with the -R or -S option, audit_root_dir defaults to /etc/security/audit. By using the file selection options it is possible to select some subset of these files, or files from another directory, or files named explicitly on the command line.
The select function allows audit records to be selected on the basis of numerous criteria relating to the record's content (see audit.log(4) for details of record content). A record must meet all of the record-selection-option criteria to be selected.
The file name is of the form start-time.end-time.suffix, where start-time is the 14-character timestamp of when the file was opened, end-time is the 14-character timestamp of when the file was closed, and suffix is the name of the machine which generated the audit trail file, or some other meaningful suffix (for example, all, if the file contains a combined group of records from many machines). The end-time can be the literal string not_terminated, to indicate that the file is still being written to by the audit system. Timestamps are of the form yyyymmddhhmmss (year, month, day, hour, minute, second). The timestamps are in Greenwich Mean Time (GMT).
Multiple arguments of the same type are not permitted.
When one or more filename arguments appear on the command line, only the named files are processed. Files specified in this way need not conform to the audit trail filename format. However, -M, -S, and -R must not be used when processing named files. If the filename is "-" then the input is taken from the standard input.
start-time.end-time.suffix
start-time is the 14-character timestamp denoting when the file was opened. end-time is the 14-character timestamp denoting when the file was closed. end-time can also be the literal string not_terminated, indicating that the file is still being written to by the audit daemon or that the file was not closed properly (a system crash or abrupt halt occurred). suffix is the name of the machine that generated the audit trail file (or some other meaningful suffix; for example, all would be a good suffix if the audit trail file contains a combined group of records from many machines).
yyyymmdd [ hh [ mm [ ss ]]]
where yyyy specifies a year (with 1970 as the earliest value), mm is the month (01-12), dd is the day (01-31), hh is the hour (00-23), mm is the minute (00-59), and ss is the second (00-59). The default is 00 for hh, mm and ss.
An offset can be specified as: +n d|h|m|s where n is a number of units, and the tags d, h, m, and s stand for days, hours, minutes and seconds, respectively. An offset is relative to the starting time given with -a. Thus, this form can only be used with the -b option.
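The two formats above (the start-time.end-time.suffix file name and the yyyymmdd[hh[mm[ss]]] date argument) are what a practitioner has to handle when scripting around the audit trail, for example to find unterminated files after a crash or to work out which files a given -a/-b range can touch before handing them to auditreduce. The following POSIX sh script is an added example, not part of the auditreduce man page or the OmniOS source. It validates trail file names, pads a date argument to a 14-digit GMT timestamp exactly as described (missing hh, mm and ss default to 00), and lists the files whose open/close window overlaps a selection range. It assumes the range is inclusive of the -a time and exclusive of the -b time, as the examples later on this page describe, and it does not implement the +n offset form. The file listing is constructed inline; no real audit directory is read.

```shell
#!/bin/sh
# Added example: parse audit trail file names and -a/-b style date arguments.
# Not from the auditreduce man page or OmniOS; the sample listing is constructed.

# Constructed sample directory listing (one name per line, in listing order).
SAMPLE_FILES="20170306000000.20170306235959.hosta
20170307000000.20170307235959.hosta
20170308000000.not_terminated.hosta
20170306120000.20170309120000.all
README"

# is_timestamp STR: succeeds if STR is a 14-digit yyyymmddhhmmss value whose
# fields are in range (year >= 1970, month 01-12, day 01-31, hh/mm/ss sane).
is_timestamp() {
    case "$1" in
        ??????????????) case "$1" in *[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    yy=${1%??????????}                       # chars 1-4
    mo=${1#????};         mo=${mo%????????}  # chars 5-6
    dd=${1#??????};       dd=${dd%??????}    # chars 7-8
    hh=${1#????????};     hh=${hh%????}      # chars 9-10
    mi=${1#??????????};   mi=${mi%??}        # chars 11-12
    ss=${1#????????????}                     # chars 13-14
    [ "$yy" -ge 1970 ] && [ "$mo" -ge 1 ] && [ "$mo" -le 12 ] \
        && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] \
        && [ "$hh" -le 23 ] && [ "$mi" -le 59 ] && [ "$ss" -le 59 ]
}

# normalize_time SPEC: pad yyyymmdd[hh[mm[ss]]] to yyyymmddhhmmss, defaulting
# hh, mm and ss to 00; fails on any other length or on non-digit characters.
normalize_time() {
    case "$1" in
        ????????|??????????|????????????|??????????????) ;;
        *) return 1 ;;
    esac
    case "$1" in *[!0-9]*) return 1 ;; esac
    t=$1
    while [ ${#t} -lt 14 ]; do t="${t}00"; done
    printf '%s\n' "$t"
}

# parse_trail_name NAME: split start-time.end-time.suffix into the globals
# START, END and SUFFIX; fails if NAME does not follow the trail file format.
# END may be the literal not_terminated (file still open or not closed cleanly).
parse_trail_name() {
    START=${1%%.*}
    rest=${1#*.}
    [ "$rest" != "$1" ] || return 1          # no dot at all
    END=${rest%%.*}
    SUFFIX=${rest#*.}
    [ "$SUFFIX" != "$rest" ] || return 1     # only one dot
    [ -n "$SUFFIX" ] || return 1
    is_timestamp "$START" || return 1
    if [ "$END" != not_terminated ]; then
        is_timestamp "$END" || return 1
        [ "$START" -le "$END" ] || return 1  # 14-digit values compare as integers
    fi
}

# select_trails FROM TO: print the sample file names whose window can hold
# records with FROM <= time < TO (FROM/TO in yyyymmdd[hh[mm[ss]]] form).
# Non-conforming names are reported on stderr and skipped.
select_trails() {
    a=$(normalize_time "$1") || return 2
    b=$(normalize_time "$2") || return 2
    printf '%s\n' "$SAMPLE_FILES" | while IFS= read -r name; do
        parse_trail_name "$name" || {
            printf 'skip (not a trail file): %s\n' "$name" >&2
            continue
        }
        [ "$START" -lt "$b" ] || continue                 # opened after range
        if [ "$END" = not_terminated ] || [ "$END" -ge "$a" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Stand-alone run: files that can contain records from 7 March 2017 (GMT).
select_trails 20170307 20170308
```

The selection relies on the fact that yyyymmddhhmmss timestamps order correctly as plain numbers, which is also why the filename convention is convenient for shell tooling; a not_terminated file is treated as open-ended on the right, since nothing on disk says when it will close. Note that the script compares GMT file name timestamps with the raw date argument; any local-time conversion auditreduce itself applies to -a/-b is outside what this example models.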
praudit(1M) is available to display audit records in a human-readable form.
This will display the entire audit trail in a human-readable form:
% auditreduce | praudit
If all the audit trail files are being combined into one large file, then deleting the original files could be desirable to prevent the records from appearing twice:
% auditreduce -V -D /etc/security/audit/combined/all
This displays what user milner did on April 13, 1988. The output is displayed in a human-readable form to the standard output:
% auditreduce -d 19880413 -u milner | praudit
The above example might produce a large volume of data if milner has been busy. Perhaps looking at only login and logout times would be simpler. The -c option will select records from a specified class:
% auditreduce -d 19880413 -u milner -c lo | praudit
To see milner's login/logout activity for April 13, 14, and 15, the following is used. The results are saved to a file in the current working directory. Notice that the name of the output file will have milnerlo as the suffix, with the appropriate timestamp prefixes. Notice also that the long form of the name is used for the -c option:
% auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo
To follow milner's movement about the file system on April 13, 14, and 15, the chdir record types could be viewed. Notice that in order to get the same time range as the above example, the -b time must be given as the day after the end of the range: 19880416 defaults to midnight at the start of that day, so records before that time fall on 0415, the last day of the range.
% auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit
In this example, the audit records are being collected in summary form (the login/logout records only). The records are being written to a summary file in a different directory than the normal audit root to prevent the selected records from existing twice in the audit root.
% auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins
If activity for user ID 9944 has been observed, but that user is not known to the system administrator, then the command in the following example searches the entire audit trail for any records generated by that user. auditreduce queries the system about the current validity of ID 9944 and displays a warning message if it is not currently active:
% auditreduce -O /etc/security/audit_suspect/user9944 -u 9944
To get an audit log of only the global zone:
% auditreduce -z global
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Interface Stability     See below.
The command invocation is Stable. The binary file format is Stable. The binary file contents is Unstable.
Since auditreduce might be processing a large number of input files, it is possible that the machine-wide limit on open files will be exceeded. If this happens, auditreduce displays a message to that effect, gives information on how many files there are, and exits.
If auditreduce displays a record's timestamp in a diagnostic message, that time is in local time. However, when filenames are displayed, their timestamps are in GMT.
March 6, 2017           OmniOS