System Administration Guide: Security Services

Procedure: How to View the Contents of Binary Audit Files

The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. The -x option produces XML output, which is useful for further processing.

  1. Assume a role that includes the Audit Review profile, or become superuser.

    The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

  2. Use one of the following praudit commands to produce the output that is best for your purposes.

    The following examples show praudit output from the same audit event. Audit policy has been set to include the sequence and trailer tokens.

    • The praudit -s command displays audit records in a short format, one token per line. Use the -l option to place each record on one line.

      $ auditreduce -c lo | praudit -s
      header,101,2,AUE_rlogin,,example1,2003-10-13 11:23:31.050 -07:00
      subject,jdoe,jdoe,staff,jdoe,staff,749,749,195 1234 server1
      text,successful login
      return,success,0
      sequence,1298

    • The praudit -r command displays audit records in their raw format, one token per line. Use the -l option to place each record on one line.

      $ auditreduce -c lo | praudit -r
      21,101,2,6155,0x0000,192.168.60.83,1062021202,64408258
      36,2026700,2026700,10,2026700,10,749,749,195 1234 192.168.60.17
      40,successful login
      39,0,0
      47,1298

    • The praudit -x command displays audit records in XML format, one token per line. Use the -l option to place the XML output for one record on one line.

      $ auditreduce -c lo | praudit -x
      <record version="2" event="login - rlogin" host="example1"
      time="Wed Aug 27 14:53:22 PDT 2003" msec="64">
      <subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe"
      rgid="staff" pid="749" sid="749" tid="195 1234 server1"/>
      <text>successful login</text>
      <return errval="success" retval="0"/>
      <sequence seq-num="1298"/>
      </record>

Example 30–35 Printing the Entire Audit Trail

With a pipe to the lp command, the output for the entire audit trail goes to the printer. The printer should have limited access.

# auditreduce | praudit | lp -d example.protected.printer

Example 30–36 Viewing a Specific Audit File

In this example, a summary login file is examined in a terminal window.

# cd /var/audit/audit_summary.dir/logins
# praudit 20030827183936.20030827232326.logins | more

Example 30–37 Putting Audit Records in XML Format

In this example, the audit records are converted to XML format.

# praudit -x 20030827183214.20030827215318.logins > 20030827.logins.xml
The *.xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information.

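As an added example, not part of this guide, the following Python script extracts login outcomes from such an XML file. The embedded records are constructed from the praudit -x output shown above, and the <audit> root element wrapping them is an assumption about the full file's layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the guide's praudit -x output. The <audit>
# root element wrapping the records is an assumption about the full file.
SAMPLE_XML = """<audit>
<record version="2" event="login - rlogin" host="example1"
time="Wed Aug 27 14:53:22 PDT 2003" msec="64">
<subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe"
rgid="staff" pid="749" sid="749" tid="195 1234 server1"/>
<text>successful login</text>
<return errval="success" retval="0"/>
<sequence seq-num="1298"/>
</record>
<record version="2" event="login - rlogin" host="example1"
time="Wed Aug 27 14:55:01 PDT 2003" msec="12">
<subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe"
rgid="staff" pid="751" sid="751" tid="195 1234 server1"/>
<text>invalid password</text>
<return errval="failure" retval="-1"/>
<sequence seq-num="1299"/>
</record>
</audit>"""

def extract_logins(xml_text):
    """Return one dict per login record: who, from which terminal, outcome, seq."""
    root = ET.fromstring(xml_text)
    # iter() includes the root itself, so a file holding one bare <record> also works.
    records = root.iter("record")
    events = []
    for rec in records:
        if not rec.get("event", "").startswith("login"):
            continue
        subj = rec.find("subject")
        ret = rec.find("return")
        seq = rec.find("sequence")
        events.append({
            "seq": int(seq.get("seq-num")) if seq is not None else None,
            "time": rec.get("time"),
            "audit_uid": subj.get("audit-uid") if subj is not None else None,
            "terminal": subj.get("tid") if subj is not None else None,
            # A record with no <return> token counts as not successful.
            "success": ret is not None and ret.get("errval") == "success",
            "text": (rec.findtext("text") or "").strip(),
        })
    return events

def failed_logins(xml_text):
    """Failed logins are usually the first thing an audit reviewer wants to see."""
    return [e for e in extract_logins(xml_text) if not e["success"]]
```

To run it against a real file, pass the file contents read from disk to extract_logins() or failed_logins() instead of SAMPLE_XML.
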
Troubleshooting

A message similar to the following indicates that you do not have enough privilege to use the praudit command:

praudit: Can't assign 20090408164827.20090408171614.example1 to stdin.