This section describes a few common uses of auditreduce to analyze and manage audit data.
To display the whole audit trail at once, pipe the output of auditreduce into praudit:
# auditreduce | praudit
With a further pipe to lp, the same output goes to the printer:
# auditreduce | praudit | lp
In the following example, the system administrator checks when a user named fred logged in and logged out on April 13, 1990, by selecting records from that day (-d), for that user (-u), in the lo (login/logout) event class (-c). The short-form date is yymmdd; the long form is described in the auditreduce(1M) man page.
# auditreduce -d 900413 -u fred -c lo | praudit
In this example, the login/logout records for a particular day are collected into a single audit file. The -O option writes that file wherever you specify, here a directory outside the normal audit root:
# auditreduce -c lo -d 870413 -O /usr/audit_summary/logins
The -O option creates an audit file whose name carries 14-character (yyyymmddhhmmss) start-time and end-time stamps, followed by a suffix taken from the last component of the -O argument, here logins:
/usr/audit_summary/19870413000000.19870413235959.logins
Occasionally an audit file is left behind whose end-time field in the file name is the string not_terminated, even though no audit records are being written to it any more. This happens when an audit daemon dies while its audit file is still open, or when a server becomes inaccessible and forces the machine to switch to a new server. When you find such a file, first verify by hand that it is really no longer in use (for example, that no audit daemon still has it open; fuser(1M) will show any process holding it). Only then clean it up by naming the file with the correct options:
# auditreduce -O machine 19870413120429.not_terminated.machine
This creates a new audit file with the correct name (both time stamps) and the correct suffix (machine, explicitly specified), and copies all the records into it. The not_terminated file itself is left in place: inspect the new file with praudit, and remove the old one only once you are satisfied that nothing was lost.
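The following shell helpers, added here as an example and not part of the original manual or of auditreduce itself, put the naming and cleanup rules above into checkable form. They assume the file-name convention the examples show (START.END.SUFFIX, with 14-digit time stamps and the literal not_terminated as a never-closed end time), use fuser as the in-use check when it is installed, write the rewritten file beside the original, and only run auditreduce when AUDIT_APPLY=1 is set; the function names and that variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the audit-file
# names that auditreduce reads and writes. Assumed convention, as in the
# examples above: START.END.SUFFIX, where START and END are 14-character
# YYYYMMDDHHMMSS time stamps and END is the literal string not_terminated
# for a file that was never closed cleanly.

# glob pattern for a 14-digit time stamp
TS='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# audit_file_state NAME
# Prints "closed" for START.END.SUFFIX, "open" for START.not_terminated.SUFFIX,
# "invalid" (and returns 1) for any other name.
audit_file_state() {
    name=${1##*/}
    start=${name%%.*}
    rest=${name#*.}
    end=${rest%%.*}
    suffix=${rest#*.}
    # three dot-separated fields are required; the suffix may itself contain dots
    if [ "$rest" = "$name" ] || [ "$suffix" = "$rest" ] || [ -z "$suffix" ]; then
        echo invalid; return 1
    fi
    case $start in $TS) ;; *) echo invalid; return 1 ;; esac
    if [ "$end" = not_terminated ]; then
        echo open; return 0
    fi
    case $end in $TS) ;; *) echo invalid; return 1 ;; esac
    # fixed-width digit strings compare lexicographically; end must not precede start
    if [ "$start" \> "$end" ]; then
        echo invalid; return 1
    fi
    echo closed
}

# audit_suffix NAME
# Prints everything after the second dot, i.e. the suffix auditreduce -O should keep.
audit_suffix() {
    name=${1##*/}
    printf '%s\n' "${name#*.*.}"
}

# list_not_terminated DIR
# Prints the not_terminated audit files in DIR, one per line.
list_not_terminated() {
    for f in "$1"/*.not_terminated.*; do
        [ -f "$f" ] || continue
        if [ "$(audit_file_state "$f")" = open ]; then
            printf '%s\n' "$f"
        fi
    done
}

# cleanup_not_terminated DIR
# For each not_terminated file in DIR: skip it if some process still has it
# open (checked with fuser when fuser is installed), otherwise print the
# auditreduce command that rewrites it beside the original with the same
# suffix. The command is executed only when AUDIT_APPLY=1; the default is a
# dry run, so the operator can review the list first. The original file is
# never deleted here; remove it by hand after checking the new one.
cleanup_not_terminated() {
    list_not_terminated "$1" | while IFS= read -r f; do
        if command -v fuser >/dev/null 2>&1 && [ -n "$(fuser "$f" 2>/dev/null)" ]; then
            printf 'skip (still open): %s\n' "$f" >&2
            continue
        fi
        out=$(dirname "$f")/$(audit_suffix "$f")
        printf 'auditreduce -O %s %s\n' "$out" "$f"
        if [ "${AUDIT_APPLY:-0}" = 1 ]; then
            auditreduce -O "$out" "$f"
        fi
    done
}
```

Run `cleanup_not_terminated /var/audit` first without AUDIT_APPLY to see which files would be rewritten, check the candidates with praudit, and only then repeat with AUDIT_APPLY=1. The fuser check is a guard, not a substitute for confirming that the audit daemon that owned the file is really gone.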