DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Displaying audit trail information

Displaying information about a time interval

Two different options control how information is displayed about time intervals:


-s
displays all events that started on or after the time listed with the option.

-h
displays all events whose start times are earlier than or equal to the time listed with the option.
You specify the time in the same format used by the date(1) command. The time format is [mmdd]HHMM or mmddHHMM[[cc] yy], where mm is the month number, dd is the day number in the month, HH is the hour number (24 hour system), MM is the minute number, cc is the century minus one, and yy is the last two digits of the year number.

For example, the following command reports on all events that started on or after 8:35a.m. on February 17 of the current year.

auditrpt -s 02170835

By specifying a starting time with -s and an ending time with -h, you can report on events that occurred in that span of time. For example, assume that want to know about all password changes that occurred between 1 a.m. and 8 a.m. on February 4, you would enter the following command:

auditrpt -e passwd -s 02040100 -h 02040800

If you do not use the -o option, the end time specified by the -h option must be later than the start time specified by -s. If not, auditrpt displays the following error message and terminates processing:

start time must be earlier than the end time

If you use the -o option, you can specify a start time later than the end time. This allows you to report on all events in the log file except those occurring during a specified time period. For example, assume that you want to know about all password changes except those that occurred between noon and 5 p.m. on February 3. To report this information, you would type the following command:

auditrpt -o -e passwd -s 02031700 -h 02031200


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004