Several other auditrpt options can be used to control how records are displayed.
By default, audit records are displayed in the order in which events were recorded. The -b option of the auditrpt command allows the log file to be displayed "backwards." In other words, the most recent records are displayed first followed by the older records. This option is useful if you think that the event(s) of interest occurred recently.
The -w option of the auditrpt command allows you to display the contents of the log file as it is being written. Its functionality is similar to the -f option of the tail(1) command. This will allow the administrator to monitor system activity as it occurs.
The -w option requires that auditing be enabled and that the audit buffer high water mark be set to zero. A high water mark of zero causes the auditing subsystem to bypass the audit buffers and write directly to the log file. Enter the following command to set the high water mark to zero:
auditlog -v 0
If the high water mark is not set to zero, auditrpt will display the following warning message and continue processing:
data in audit buffer will not be immediately displayed
If a log file is specified with the -w option, the following warning message will be displayed and auditrpt will process the current log file:
log file filename ignored
Note that the -w option cannot be used if the current log file is a special character device (for example, a tape drive). In addition, the -b and the -w options cannot be specified on the same command line.