Trusted Solaris Developer's Guide

Viewing the Audit Trail Setup

All audit records, including those generated by the auditwrite(3TSOL) routine, are logged to the audit trail as a series of binary files at ADMIN_HIGH. The directories that hold the audit files are set in the /etc/security/audit_control file; the default is /var/audit. The praudit(1M) command reads the audit trail files and interprets the binary data as human-readable audit records.

Assume a role that has been given the tail(1) command and the praudit(1M) command with the proc_audit_appl and proc_audit_tcb privileges. Open a terminal at ADMIN_HIGH, change directory to the directory where the audit records are stored, and execute the tail and praudit commands as shown to view the audit file currently being written.


Note -

This syntax works only when there is exactly one *not_terminated* file in the directory; if several exist (for example, files left behind by earlier audit daemon instances), the glob expands to more than one name and tail reads the wrong data. In that case, identify the current file from /etc/security/audit_data and pass its name to tail explicitly, or delete the older *not_terminated* files before executing this command.



phoenix% cd /var/audit
phoenix% tail -0f *not_terminated* | praudit

The audit daemon writes audit records to the current audit file until the audit partition fills to the limit set in audit_control (the minfree threshold), and then starts a new file. The file currently being written has a name ending in not_terminated followed by the host name; when the daemon closes it, the not_terminated part of the name is replaced by the closing timestamp. View the /etc/security/audit_data file, which holds the process ID of the audit daemon and the pathname of the current audit file separated by a colon, to determine which file is current.
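The following Bourne shell functions are an added example, not part of the Trusted Solaris guide, that implement the procedure above without relying on the *not_terminated* glob: the current audit file is taken from /etc/security/audit_data, the directory is checked for stale not_terminated files, and only then is the file followed through praudit. The functions assume audit_data contains a single "pid:pathname" line and that praudit is on the PATH of the role running them at ADMIN_HIGH; the file names used in the comments are constructed examples.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris guide). Assumes
# /etc/security/audit_data holds one line of the form <auditd pid>:<pathname>.

# Print the pathname of the audit file the daemon is currently writing, as
# recorded in the given audit_data file (default /etc/security/audit_data).
# Returns 1 if the file cannot be read or does not have the pid:path form.
current_audit_file() {
    _data="${1:-/etc/security/audit_data}"
    [ -r "$_data" ] || { echo "cannot read $_data" >&2; return 1; }
    # Drop the leading "<pid>:" and keep the pathname that follows it.
    _path=$(sed -n '1s/^[0-9][0-9]*:\(.*\)$/\1/p' "$_data")
    [ -n "$_path" ] || { echo "malformed $_data" >&2; return 1; }
    printf '%s\n' "$_path"
}

# Succeed if the name looks like an audit file that is still open,
# e.g. 20040101120000.not_terminated.phoenix (constructed example name).
# A closed file carries the closing timestamp instead of not_terminated.
is_not_terminated() {
    case "$(basename "$1")" in
        *.not_terminated.*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Count the not_terminated files in an audit directory (default /var/audit).
# More than one means stale files from earlier daemon runs are present and
# the *not_terminated* glob from the guide would expand to several names.
count_not_terminated() {
    _n=0
    for _f in "${1:-/var/audit}"/*not_terminated*; do
        [ -e "$_f" ] && _n=$((_n + 1))
    done
    echo "$_n"
}

# Follow the current audit file through praudit, choosing the file from
# audit_data rather than from a glob, and warn if the directory holds
# several not_terminated files or the chosen file is not an open one.
follow_audit_trail() {
    _file=$(current_audit_file "$1") || return 1
    _dir=$(dirname "$_file")
    if [ "$(count_not_terminated "$_dir")" -gt 1 ]; then
        echo "warning: several not_terminated files in $_dir; following $_file" >&2
    fi
    is_not_terminated "$_file" || echo "warning: $_file is not an open audit file" >&2
    tail -0f "$_file" | praudit
}
```

Running follow_audit_trail with no argument reads /etc/security/audit_data and behaves like the tail | praudit pipeline in the guide; passing a different audit_data path is useful when inspecting a copy of the audit configuration from another host.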