Trusted Solaris Audit Administration

Audit Files

Each audit file is a self-contained collection of records; the file's name identifies the time span during which the records were generated and the system that generated them. The contents of the audit files are binary, protected at the sensitivity label admin_high, and accessible in a profile shell only by an administrative role with the Audit Review profile.

Audit File Naming

Audit files that are complete have names of the following form: start-time.finish-time.system, where start-time is the time of the first audit record in the audit file, finish-time is the time of the last record, and system is the name of the system that generated the file. Some examples of these names can be found in Example of a Closed Audit File Name.

If the audit log file is still active, it has a name of the following form: start-time.not_terminated.system

How Audit File Names Are Used

The file name time stamps are used by the auditreduce command to locate files containing records for the specific time range that has been requested. This is important because there may be a month's supply or more of audit files online, and searching them all for records generated in the last 24 hours would be expensive.

Time-Stamp Format and Interpretation

The start-time and finish-time are time stamps with one-second resolution; they are specified in Greenwich mean time. The format is four digits for the year, followed by two digits each for the month, day, hour, minute, and second, as shown here: YYYYMMDDHHMMSS

The time stamps are in GMT to ensure that they will sort in proper order even across a daylight saving time boundary. Because they are in GMT, the date and hour must be translated to the current time zone to be meaningful; beware of this whenever manipulating these files with standard file commands rather than with auditreduce.

Example of a File Name for a Still-Active File

The following shows the format of a file name of a still-active file: YYYYMMDDHHMMSS.not_terminated.hostname

Here is an example:

19900327225243.not_terminated.patchwork

The audit log files are named by the beginning date, so the example above was started in 1997, on March 27, at 10:52:43 PM, GMT. The not_terminated in the file name means either that the file is still active or that auditd was unexpectedly interrupted. The name patchwork at the end is the host name whose audit data is being collected.

Example of a Closed Audit File Name

The following shows the format of the name of a closed audit log file: YYYYMMDDHHMMSS.YYYYMMDDHHMMSS.hostname

Here is an example:

19970320005243.19970327225351.patchwork

The example above was started in 1997, on March 20, at 12:52:43 AM, GMT. The file was closed March 27, at 10:53:51 PM, GMT. The name patchwork at the end is the host name of the system whose audit data is being collected.
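The following is an added example, not code from the Trusted Solaris documentation or from auditreduce itself: it parses the two name forms above (treating the stamps as GMT, as the text requires) and reproduces the name-based pre-selection that auditreduce performs for a requested time range. The file names are constructed sample data, and the dotted-host handling is an assumption not stated on this page.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Constructed names in the start-time.finish-time.system form (sample data,
# not real audit output); the second one is a still-active file.
SAMPLE_NAMES = [
    "19970320005243.19970327225351.patchwork",
    "19970327225243.not_terminated.patchwork",
]
NOT_TERMINATED = "not_terminated"


class AuditFileName(NamedTuple):
    start: datetime             # time of the first record, GMT
    finish: Optional[datetime]  # time of the last record, GMT; None if active
    host: str                   # system that generated the file


def parse_stamp(stamp: str) -> datetime:
    """Parse a YYYYMMDDHHMMSS stamp; audit file stamps are always GMT (UTC)."""
    if len(stamp) != 14 or not stamp.isdigit():
        raise ValueError(f"bad audit time stamp: {stamp!r}")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_audit_file_name(name: str) -> AuditFileName:
    """Split a name into its three fields. Assumes stamps never contain dots,
    so everything after the second dot is the host (dotted names survive)."""
    parts = name.split(".", 2)
    if len(parts) != 3:
        raise ValueError(f"not an audit file name: {name!r}")
    start = parse_stamp(parts[0])
    finish = None if parts[1] == NOT_TERMINATED else parse_stamp(parts[1])
    if finish is not None and finish < start:
        raise ValueError(f"finish time precedes start time: {name!r}")
    return AuditFileName(start, finish, parts[2])


def files_for_range(names, since: datetime, until: datetime) -> list:
    """Keep only the files whose name says they may hold records in
    [since, until]: the pre-selection auditreduce does from names alone,
    without opening any file. An active file is treated as open-ended."""
    chosen = []
    for name in names:
        f = parse_audit_file_name(name)
        if f.start <= until and (f.finish is None or f.finish >= since):
            chosen.append(name)
    return chosen
```

Because the parsed stamps are timezone-aware UTC values, a since/until pair given in local time (with its own tzinfo) compares correctly without manual conversion, which is exactly the pitfall the GMT caveat above warns about when using plain file commands.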