How to Select Audit Events From the Audit Trail

You can filter audit records for examination. For the complete list of filtering options, see the auditreduce(1M) man page.

1. Assume a role that includes the Audit Review profile, or become superuser.

   The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

2. Select the kinds of records that you want from the audit trail, or from a specified audit file.

   auditreduce -lowercase-option argument [optional-file]

   argument

   Specific argument that a lowercase option requires. For example, the -c option requires an argument of an audit class, such as ua.

   -d

   Selects all of the events on a particular date. The date format for argument is yyymmdd. Other date options, -b and -a, select events before and after a particular date.

   -u

   Selects all of the events attributable to a particular user. The argument is a user name. Another user option, -e, selects all of the events attributable to an effective user ID.

   -c

   Selects all of the events in a preselected audit class. The argument is an audit class name.

   -m

   Selects all of the instances of a particular audit event. The argument is an audit event.

   optional-file

   Is the name of an audit file.

Example 30–27 Combining and Reducing Audit Files

The auditreduce command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup media.

# cd /var/audit/audit_summary.dir
# auditreduce -O lo.summary -b 20030827 -c lo; compress *lo.summary

Example 30–28 Copying na Audit Records to a Summary File

In this example, all the records of nonattributable audit events in the audit trail are collected into one file.

$ whoami
sysadmin
$ cd /var/audit/audit_summary.dir
$ auditreduce -c na -O nasumm
$ ls *nasumm
20030827183214.20030827215318.nasumm

The merged nasumm audit file is time stamped with the beginning and ending date of the na records.

Example 30–29 Finding Audit Events in a Specified Audit File

You can select audit files manually to search just the named set of files. For example, you can further process the *nasumm file in the previous example to find system boot events. To do so, you would specify the file name as the final argument to the auditreduce command.

$ auditreduce -m 113 -O systemboot 20030827183214.20030827215318.nasumm
20030827183214.20030827183214.systemboot

The 20030827183214.20030827183214.systemboot file contains only system boot audit events.

Example 30–30 Copying One User's Audit Records to a Summary File

In this example, the records in the audit trail that contain the name of a particular user are merged. The -e option finds the effective user. The -u option finds the audit user.

$ cd /var/audit/audit_summary.dir
$ auditreduce -e tamiko -O tamiko

You can look for specific events in this file. In the following example, what time the user logged in and out on Sept 7, 2003, your time, is checked. Only those files with the user's name as the file suffix are checked. The short form of the date is yyyymmdd.

# auditreduce -M tamiko -O tamikolo -d 20030907 -u tamiko -c lo

Example 30–31 Copying Selected Records to a Single File

In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.

# auditreduce -c lo -d 20030827 -O /var/audit/audit_summary.dir/logins
# ls /var/audit/audit_summary.dir/*logins
/var/audit/audit_summary.dir/20030827183936.20030827232326.logins