Trusted Solaris Audit Administration

Selecting Records from the Audit Trail

Options to the auditreduce(1M) command allow you to select audit records based on file characteristics and record characteristics, as shown in the following table.

Table 3-1 Some Options to the auditreduce Command



Selection criterion                          Options

Time, date (start, finish)                   -d, -a, -f
Host (workstation) ID                        -M, -h, -S
Audit class
Audit event
Audit session ID
Audit User ID - AUID
Effective and Real User ID - EUID, RUID      -e, -r
Effective and Real Group ID - EGID, RGID     -f, -g
Process ID - PID
Sensitivity label
Information label




Uppercase options select operations or parameters for files, and lowercase options select parameters for records. Output from the auditreduce command remains in binary format unless it is piped through praudit, which makes the records readable.

The merging and selecting functions of auditreduce are logically independent. The auditreduce command selects messages from the input files as the records are read, before the files are merged and written to disk.
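The following Python model is an added illustration, not part of the original manual and not the auditreduce implementation. It shows the behavior described above: records are filtered as each input is read, the survivors are then merged by time, and the result matches merging first and filtering afterwards. The Record fields, the sample trails, and the function names are constructed assumptions.

```python
import heapq
from typing import Callable, Iterable, Iterator, List, NamedTuple


class Record(NamedTuple):
    # Hypothetical, simplified record; real audit records are binary.
    time: int   # seconds, used as the merge key
    host: str
    euid: int
    event: str


# Constructed sample input: two per-host trails, each already in time order.
TRAIL_A = [
    Record(100, "hostA", 0, "login"),
    Record(130, "hostA", 1001, "open"),
    Record(170, "hostA", 0, "su"),
]
TRAIL_B = [
    Record(110, "hostB", 1001, "login"),
    Record(120, "hostB", 0, "chmod"),
    Record(200, "hostB", 0, "logout"),
]


def select(trail: Iterable[Record], keep: Callable[[Record], bool]) -> Iterator[Record]:
    """Drop non-matching records while the input is being read."""
    return (r for r in trail if keep(r))


def select_then_merge(trails, keep) -> List[Record]:
    """Filter each input stream first, then merge the survivors by time."""
    return list(heapq.merge(*(select(t, keep) for t in trails), key=lambda r: r.time))


def merge_then_select(trails, keep) -> List[Record]:
    """Reference ordering: merge every record, then filter the combined trail."""
    return [r for r in heapq.merge(*trails, key=lambda r: r.time) if keep(r)]


def root_in_window(r: Record) -> bool:
    # Two record-level criteria combined: effective UID 0 and a time window.
    return r.euid == 0 and 100 <= r.time < 200


if __name__ == "__main__":
    for rec in select_then_merge([TRAIL_A, TRAIL_B], root_in_window):
        print(rec.time, rec.host, rec.event)
```

Because the filter looks only at fields inside each record, applying it before the merge changes how much data is carried through the merge, not which records end up in the output.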