praudit - print contents of an audit trail file
praudit [-r|-s] [-lx] [-ddel] [-g filename] [-p filename] [filename]...
praudit reads the listed filenames (or standard
input, if no filename is specified) and interprets the data as audit
trail records as defined in audit.log(5). By default, times, user and
group IDs (UIDs and GIDs, respectively) are converted
to their ASCII representation. Record type and event fields are
converted to their ASCII representation. A maximum of 100 audit files
can be specified on the command line.
The following options are supported:
-ddel
Use del as the field delimiter instead of the
default delimiter, which is the comma. If del has special meaning for
the shell, it must be quoted. The maximum size of a delimiter is three
characters. The delimiter is not meaningful and is not used when the -x
option is specified.
-l
Print one line per record.
-r
Print records in their raw form. Times, UIDs,
GIDs, record types, and events are displayed as integers. This option
is useful when naming services are offline. The -r option and the
-s option are exclusive. If both are used, a format usage error message
is output.
-s
Display records in their short form. Numeric fields'
ASCII equivalents are looked up by means of the sources specified in the
/etc/nsswitch.conf file (see
nsswitch.conf(5)). All numeric
fields are converted to ASCII and then displayed. The short
ASCII
representations for the record type and event fields are used. This option and
the
-r option are exclusive. If both are used, a format usage error
message is output.
-x
Print records in XML form. Tags are included in the
output to identify tokens and fields within tokens. Output begins with a valid
XML prolog, which includes identification of the DTD which can be used to
parse the XML.
-g filename
Read group entries from the specified file. GIDs
referenced in the audit files will be resolved to group names using this file.
GIDs not referenced in the specified file will be resolved by the host
system. This option is useful when aggregating logs from multiple systems onto
a single host for analysis, allowing GIDs to be resolved to the group
names appropriate to the source of the audit file. To do this, copy the
/etc/group file from the system from which the audit file originates
and use that as the argument to the -g flag.
-p filename
Read passwd entries from the specified file. UIDs
referenced in the audit files will be resolved to user names using this file.
UIDs not referenced in the specified file will be resolved by the host
system. This option is useful when aggregating logs from multiple systems onto
a single host for analysis, allowing UIDs to be resolved to the user
names appropriate to the source of the audit file. To do this, copy the
/etc/passwd file from the system from which the audit file originates
and use that as the argument to the -p flag.
/etc/security/audit_event
Audit event definition and class mappings.
/etc/security/audit_class
Audit class definitions.
/usr/share/lib/xml/dtd
Directory containing the versioned DTD file referenced in
XML output, for example, adt_record.dtd.1.
/usr/share/lib/xml/style
Directory containing the versioned XSL file referenced in
XML output, for example, adt_record.xsl.1.
See attributes(7) for descriptions of the following
attributes:
| ATTRIBUTE
TYPE |
ATTRIBUTE VALUE |
| Interface Stability |
See below |
The command stability is evolving. The output format is
unstable.
audit(2), getauditflags(3BSM), getpwuid(3C),
gethostbyaddr(3NSL), ethers(3SOCKET),
getipnodebyaddr(3SOCKET), audit.log(5), audit_class(5),
audit_event(5), group(5), nsswitch.conf(5),
passwd(5), attributes(7), getent(8)