By default, the auditrpt command will access the audit map files in the /var/audit/auditmap directory. The -m option of the auditrpt command allows the administrator to specify the directory which contains the audit map files.

For example, you might be processing a log file from an earlier release. In this case, you want the auditing subsystem to use the map files from that system, also. If you had moved those files to the directory /etc/audit/auditmap on this system, you would tell the auditing subsystem to use these map files by entering the following command:

auditrpt -m /etc/audit/auditmap . . .

We recommend that the audit map files be archived along with the audit event log files. This will allow for the accurate translation of the numeric data contained in the archived log files. In the scenario of processing archived log files, the -m option can be used to specify the directory that contains the archived map file.
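
One way to follow the archiving recommendation above, as an added example that is not part of the original documentation: the two shell functions bundle event logs with the map files that translate them, then restore and verify the bundle so the map directory can be passed to auditrpt -m. The function names, the archive layout (logs/, auditmap/, MANIFEST) and the log directory argument are assumptions; the page does not say where event logs are stored.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes flat directories of regular files.

# archive_audit LOG_DIR MAP_DIR OUT_TAR
# Stores logs under logs/, map files under auditmap/, and a cksum manifest,
# so the logs are never archived without the maps that translate them.
archive_audit() {
    log_dir=$1; map_dir=$2; out=$3
    [ -d "$log_dir" ] && [ -d "$map_dir" ] || return 1
    stage=$(mktemp -d) || return 1
    mkdir "$stage/logs" "$stage/auditmap" &&
    cp -p "$log_dir"/* "$stage/logs/" &&
    cp -p "$map_dir"/* "$stage/auditmap/" &&
    (cd "$stage" &&
        find logs auditmap -type f | sort | xargs cksum > MANIFEST) &&
    tar -cf "$out" -C "$stage" logs auditmap MANIFEST
    rc=$?
    rm -rf "$stage"
    return $rc
}

# restore_audit ARCHIVE DEST
# Unpacks the bundle, checks every file against MANIFEST, and prints the
# restored map directory (the value to give to "auditrpt -m").
# Returns non-zero if the maps are missing or any file was altered.
restore_audit() {
    archive=$1; dest=$2
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest" || return 1
    [ -d "$dest/auditmap" ] || return 1
    (cd "$dest" &&
        find logs auditmap -type f | sort | xargs cksum | cmp -s - MANIFEST
    ) || return 1
    printf '%s\n' "$dest/auditmap"
}
```

The directory printed by restore_audit is the argument for the -m option when the archived logs are processed later.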