When two or more criteria selection options are specified on the same command line, auditrpt reports only those events that meet all the criteria listed by the options. In other words, it displays the intersection of the criteria.
In the following example, auditrpt displays only those records that have both boris in the user field (as either the real or effective user) and /etc/passwd in the object_id field.
#auditrpt -u boris -f /etc/passwd
Command Line Entered: auditrpt -u boris -f /etc/passwd
DATE: 0518, LOG NUMBER: 001, AUDIT VERSION: 4.0
MACHINE ID: UNIX_SV sfadf 4.2MP 2.0 i386
14:32:00:18:05:93,open_rd,P4556,f(13),boris:boris,irs:staff:proj43,S328, ,(/etc/passwd:f::0x440000:17:2:148:0x440000)
When you use the -o option, auditrpt displays audit records that match any of the criteria given by the options on the command line. That is, the -o option provides the "logical or" of all the other specified options. In the following command, for example, the -o option causes auditrpt to display all records that have boris in the user field or /etc/passwd in the object field. Notice that this command displays more information than the earlier one.
#auditrpt -o -u boris -f /etc/passwd
Command Line Entered: auditrpt -o -u boris -f /etc/passwd
DATE: 0518, LOG NUMBER: 001, AUDIT VERSION: 4.0
MACHINE ID: UNIX_SV sfadf 4.2MP 2.0 i386
14:32:00:18:05:93,open_rd,P4556,f(13),boris:boris,irs:staff:proj43,S328, ,(/etc/shadow:f::0x440000:148:0x440000)
14:32:00:18:05:93,open_rd,P4565,f(13),boris:boris,irs:staff:proj43,S328, ,(/etc/inittab:f::0x440000:184:0x440000)
14:32:00:18:05:93,open_rd,P5456,f(13),rocky:rocky,irs:staff:proj43,S337, ,(/etc/passwd:f::0x440000:148:0x440000)
If there are no audit records to match a selection criterion, the following warning message is displayed:
no match found in event log file(s)
If at least one audit record matches a selection criterion, the command will be silent about the portion of the selection criteria that did not result in a match.
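The following Python sketch is an added example, not part of the original documentation or of auditrpt itself. It models the default intersection and the -o union over records in the layout shown above; the field positions, the parse and select helpers, and the last sample record are assumptions made for illustration.

```python
from typing import NamedTuple

# Records 1-4 are copied from the sample output on this page; record 5 is constructed.
SAMPLE = [
    "14:32:00:18:05:93,open_rd,P4556,f(13),boris:boris,irs:staff:proj43,S328, ,(/etc/passwd:f::0x440000:17:2:148:0x440000)",
    "14:32:00:18:05:93,open_rd,P4556,f(13),boris:boris,irs:staff:proj43,S328, ,(/etc/shadow:f::0x440000:148:0x440000)",
    "14:32:00:18:05:93,open_rd,P4565,f(13),boris:boris,irs:staff:proj43,S328, ,(/etc/inittab:f::0x440000:184:0x440000)",
    "14:32:00:18:05:93,open_rd,P5456,f(13),rocky:rocky,irs:staff:proj43,S337, ,(/etc/passwd:f::0x440000:148:0x440000)",
    "14:32:00:18:05:93,open_rd,P5460,f(13),rocky:rocky,irs:staff:proj43,S337, ,(/etc/inittab:f::0x440000:184:0x440000)",
]

class Record(NamedTuple):
    real_user: str
    effective_user: str
    object_id: str
    raw: str

def parse(line: str) -> Record:
    # Assumed layout (inferred from the sample output): comma-separated fields,
    # field 5 is real:effective user, field 9 is "(object_id:type:...)".
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 9:
        raise ValueError(f"unexpected record layout: {line!r}")
    real, _, effective = fields[4].partition(":")
    object_id = fields[8].lstrip("(").split(":", 1)[0]
    return Record(real, effective or real, object_id, line)

def select(lines, user=None, obj=None, any_match=False):
    """any_match=False models the default (all criteria must match);
    any_match=True models -o (any one criterion may match)."""
    if user is None and obj is None:
        raise ValueError("give at least one selection criterion")
    combine = any if any_match else all
    hits = []
    for rec in map(parse, lines):
        checks = []
        if user is not None:  # matches either the real or the effective user
            checks.append(user in (rec.real_user, rec.effective_user))
        if obj is not None:
            checks.append(rec.object_id == obj)
        if combine(checks):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for label, mode in (("default (AND)", False), ("-o (OR)", True)):
        hits = select(SAMPLE, user="boris", obj="/etc/passwd", any_match=mode)
        print(label, [(r.real_user, r.object_id) for r in hits])
```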
To display audit information from a log file other than the current one, specify the log file(s) as a command line argument. It is not necessary for auditing to be enabled to process previous log files. If both valid and invalid log files are specified, the valid log file(s) will be processed and the following warning message will be displayed for the invalid logs:
event log file log does not exist