auditfltr(1M)

auditfltr -- convert audit log file for inter-machine portability

Synopsis

auditfltr [[-iN] [-oX]] | [-iX -oN]

Description

The auditfltr command is used to convert audit log files from native machine format into XDR (External Data Representation) format and vice versa. These conversions allow you to transport audit log files from one machine to another for processing with auditrpt. You do not need to use auditfltr in all such instances. If the two machines are the same architecture and are running the same version of auditing, you may simply copy the log files from the source machine to the destination machine. If the two machines are of different architecture, or if they are not running the same version of auditing, you must use auditfltr as part of the copying procedure.

The following options are available:

-itype: Specifies the type of the input file. The input file is always standard in. Only one log file at a time can be processed.
-otype: Specifies the type of the output file. The output file is always standard out. The output file should be redirected, for example to a file or pipe, due to its data format.

The values for type may be N, for native machine format, or X, for XDR format. If an invalid conversion type or combination of conversion types is requested an error message is displayed (see ``Diagnostics''). If no options are specified it is assumed the input file is in native machine format and the output file is in XDR format. If the format of the input file does not match the type specified by the -i option or the assumed format an error message is displayed (see ``Diagnostics'').

The procedure for transferring an audit log file from one machine to another has basically three steps. First, the audit log is converted from native machine format to the portable XDR format, using a command like the following:

   cat /var/audit/1125103 | auditfltr -iN -oX > /var/tmp/1125103.xfer

Second, the file is transferred to another machine. This can be done by transferring the file to magnetic media on one with cpio or tcpio and then restoring it on the other. Third, the file is converted back to machine format. If we assume, to avoid confusion with the destination machine's own audit log files, that we have created a subdirectory import under /var/audit, we might convert the file with a command like the following:

cat /var/tmp/1125103.xfer | auditfltr -iX -oN > /var/audit/import/1125103

Audit log files are identified by their version number. Conversion of log files of a particular version generally requires the presence of a specific auditfltr executable for that version. The version number is automatically identified by auditfltr, and the proper version-specific auditfltr is automatically called. If the required version-specific auditfltr is not present or is not executable, an error
message is displayed (see ``Diagnostics''). See auditrpt(1M) for more about version numbers.

Files

/var/audit/MMDD###

Diagnostics

Upon successful completion, the auditfltr command exits with a value of zero (0). If there are errors, it exits with one of the following values and prints the corresponding error message:

1: usage: auditfltr [[-iN] [-oX]] | [-iX -oN]
Invalid command syntax.
1: conversion type type is not supported
usage: auditfltr [[-iN] [-oX]] | [-iX -oN]
The valid conversion types are X, for External Data Representation or N, for native machine format.
1: invalid combination of conversion types
usage: auditfltr [[-iN] [-oX]] | [-iX -oN]
5: error manipulating file
File manipulation error occurred during a write or read operation.
5: could not obtain version number
Reading the version number from the input file failed.
5: unknown audit version number
The version number of the input log file is invalid. Valid version numbers are: 1.0, 2.0, 3.0, 4.0.
13: bad log record type
Invalid record type encountered in the audit log file.
24: unable to allocate space
32: input file is in invalid format
The format of the audit log used as input does not match the format specified by the -i option of the command.
33: Version specific auditfltr not found: version
33: Version specific auditfltr not executable: version
39: XDR encryption of an audit record field failed
39: XDR decryption of an audit record field failed

References

auditmap(1M), auditrpt(1M)

Notices

The auditfltr command accepts only audit log files as input. Note that each log file must be processed separately. Audit files cannot be concatenated together and the resulting data stream presented to auditfltr; this may yield incorrect results or errors.