The auditrpt command retrieves audit information from the current log file if auditing is enabled and no log files are specified on the command line. To retrieve audit information from one or more previous log files, specify the log file names as command line arguments.

For example, to display all audit information for the user boris in the log files /var/audit/0215001 and /var/audit/0216001, enter the following command:

    auditrpt -u boris /var/audit/0215001 /var/audit/0216001

It is not necessary for auditing to be enabled to process previous log files.

The auditing subsystem keeps sequence information in each log file. If you specify a series of log files, auditrpt will check this sequence information to ensure that all log files are in the correct order and that no log files in a sequence are missing. If there are any problems, auditrpt displays the following warning message and continues processing:

    event log file(s) are not in sequence or missing

To minimize the size of the audit event log file, the auditing subsystem records process context information for new processes whenever the information changes, or when an audit log full SWITCH condition occurs. For example, a process can be audited for more than one event, so it would be redundant to repeat all the process information in all the audit records related to this process. The auditrpt command reconstructs the process information for each audit record that is displayed.

If log files are not in sequence or are missing, auditrpt may not find all the necessary information and the following warning message is displayed:

    credential information for Ppid is incomplete
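
The following is an added example, not part of the original documentation or of auditrpt itself. It is a simplified Python model of the reconstruction described above, showing why omitting one log file from a sequence produces both warnings. The record layout, sequence numbers and sample data are constructed assumptions, not the real audit log format.

```python
# Simplified model (constructed): this is not the real audit log format.
SEQ_WARNING = "event log file(s) are not in sequence or missing"
CRED_WARNING = "credential information for Ppid is incomplete"

def reconstruct(log_files):
    """log_files: list of (sequence_number, records) in command-line order.

    A record is ("ctx", pid, login) when process context is first recorded
    or changes, or ("event", pid, name) for an audited event.
    Returns (report_rows, warnings); processing continues after a warning.
    """
    warnings = []
    seqs = [seq for seq, _ in log_files]
    # Files must be consecutive and ascending, with no gaps.
    if any(b != a + 1 for a, b in zip(seqs, seqs[1:])):
        warnings.append(SEQ_WARNING)

    context = {}  # pid -> login from the most recent context record
    rows = []
    for _, records in log_files:
        for kind, pid, value in records:
            if kind == "ctx":
                context[pid] = value
                continue
            # Event records carry no process details; look them up.
            login = context.get(pid)
            if login is None and CRED_WARNING not in warnings:
                warnings.append(CRED_WARNING)
            rows.append((pid, login, value))
    return rows, warnings

# Constructed sample: three consecutive log files.
LOG1 = (1, [("ctx", 100, "boris"), ("event", 100, "open")])
LOG2 = (2, [("ctx", 200, "natasha"), ("event", 200, "exec")])
LOG3 = (3, [("event", 100, "unlink"), ("event", 200, "chmod")])

def demo():
    complete = reconstruct([LOG1, LOG2, LOG3])
    gap = reconstruct([LOG1, LOG3])  # LOG2 left off the command line
    return complete, gap

if __name__ == "__main__":
    for rows, warnings in demo():
        print(warnings)
        for row in rows:
            print("  ", row)
```

In the second run the event for process 200 is still reported, but without a login, because its context record was in the omitted file.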