DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Displaying audit trail information

Combining reporting options

When two or more criteria selection options are specified on the same command line, auditrpt reports only those events that meet all the criteria listed by the options. In other words, it displays the intersection of the criteria.

In the following example, auditrpt displays only those records that have both boris in the user field (as either the real or effective user) and /etc/passwd in the object_id field. 

   # auditrpt -u boris -f /etc/passwd

   Command Line Entered: auditrpt -u boris -f /etc/passwd

   

   DATE: 0518, LOG NUMBER: 001, AUDIT VERSION: 4.0
   

   MACHINE ID: UNIX_SV sfadf 4.2MP 2.0 i386
   

   14:32:00:18:05:93,open_rd,P4556,f(13),boris:boris,irs:staff:proj43,S328,
   ,(/etc/passwd:f::0x440000:17:2:148:0x440000)

Using the -o option

When you use the -o option, auditrpt displays audit records that match any of the criteria given by the options on the command line. That is, the -o option provides the "logical or" of all the other specified options. In the following command, for example, the -o option causes auditrpt to display all records that have boris in the user field or /etc/passwd in the object field. Notice that this command displays more information than the earlier one. 

   # auditrpt -o -u boris -f /etc/passwd

   Command Line Entered: auditrpt -o -u boris -f /etc/passwd

   

   DATE: 0518, LOG NUMBER: 001, AUDIT VERSION: 4.0
   

   MACHINE ID: UNIX_SV sfadf 4.2MP 2.0 i386
   

   14:32:00:18:05:93,open_rd,P4556,f(13),boris:boris,irs:staff:proj43,S328,
   ,(/etc/shadow:f::0x440000:148:0x440000)
   14:32:00:18:05:93,open_rd,P4565,f(13),boris:boris,irs:staff:proj43,S328,
   ,(/etc/inittab:f::0x440000:184:0x440000)
   14:32:00:18:05:93,open_rd,P5456,f(13),rocky:rocky,irs:staff:proj43,S337,
   ,(/etc/passwd:f::0x440000:148:0x440000)
If there are no audit records to match a selection criteria the following warning message is displayed: 
   no match found in event log file(s)
If at least one audit record matches a selection criteria, the command will be silent about the portion of the selection criteria that did not result in a match.

To display audit information from a log file other then the current one, specify the log file(s) as a command line argument. It is not necessary for auditing to be enabled to process previous log files. If both valid and invalid log files are specified, the valid log file(s) will be processed and the following warning message will be displayed for the invalid logs: 

   event log file log does not exist
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004