Using the auditreduce Command

The auditreduce command merges audit records from one or more input audit files. You would usually enter this command from the machine on which all the audit trail files for the entire distributed system are mounted.

Without options, auditreduce merges the entire audit trail (all of the audit files in all of the subdirectories in the audit /etc/security/audit directory) and sends the merged file to standard output.

The praudit command, described in "Using praudit" makes the records human-readable.

These are some of the capabilities provided by options to the auditreduce command:

• Giving output containing audit records generated only by certain audit flags

• Showing audit records generated by one particular user

• Collecting audit records generated on specific dates

How auditreduce Helps in a Distributed System

When multiple machines running Solaris BSM are administered as part of a distributed system, each machine performs auditable events, and each machine writes audit records to its own machine-specific audit file. This simplifies software and is robust in the face of machine failures.

The auditreduce command makes the job of maintaining the whole audit trail practical. Using auditreduce (or shell scripts you write yourself to provide a higher-level interface), you can read the logical combination of all audit files in the system as a single audit trail, without regard to how the records were generated or where they are stored.

The auditreduce program operates on the audit records produced by the audit daemon. Records from one or more audit files are selected and merged into a single, chronologically ordered output file. The merging and selecting functions of auditreduce are logically independent. auditreduce selects messages from the input files as the records are read, before the files are merged and written to disk. Refer to the auditreduce(1M) man page.

Using auditreduce

This section describes a few common uses of auditreduce to analyze and manage data.

How to Display the Whole Audit Log

To display the whole audit trail at once, pipe the output of auditreduce into praudit.

#auditreduce | praudit

How to Print the Whole Audit Log

With a pipe to lp, the output goes to the printer.

# auditreduce | praudit | lp

How to Display User Activity on a Selected Data

In the following example, the system administrator checks to see when a user named fred logged in and logged out on April 13, 1990, by requesting the lo event class. The short-form date is in the form yymmdd. (The long form is described in the auditreduce(1M) man page.)

# auditreduce -d 900413 -u fred -c lo | praudit

How to Copy Login/Logout Messages to a Single File

In this example, login/logout messages for a particular day are summarized in a file. The target file is written in a directory other than the normal audit root.

# auditreduce -c lo -d 870413 -O /usr/audit_summary/logins 

The -O option creates an audit file with 14-character timestamps for both start-time and end-time, and the suffix logins:

/usr/audit_summary/19870413000000.19870413235959.logins

How to Clean Up a not_terminated Audit File

Occasionally, if an audit daemon dies while its audit file is still open, or a server becomes inaccessible and forces the machine to switch to a new server, an audit file remains in which the end-time in the file name remains the string not_terminated, even though the file is no longer used for audit records. When such a file is found, you can manually verify that the file is no longer in use and clean it up by specifying the name of the file with the correct options.

# auditreduce -O machine 19870413120429.not_terminated.machine

This creates a new audit file with the correct name (both time stamps), the correct suffix (machine, explicitly specified), and copies all the messages into it.

Other Useful auditreduce Options

auditreduce has many additional options described in the man page. Notice that the uppercase options select operations or parameters for files, and the lowercase options select parameters for records. This subsection shows how to utilize two more useful options.

The date-time options -b and -a allow you to specify records before or after a particular day and time. A day begins at yyyymmdd00:00:00 and ends at yyyymmdd23:59:59. The six parameters of a day are: year, month, day, hour, minute, and second. The digits (19) of the year are assumed and need not be specified.

If -a is not specified, auditreduce defaults to 00:00:00, January 1, 1970. If -b is not specified, auditreduce defaults to the current time of day (GMT). The -d option selects a particular 24-hour period, as shown in "How to Copy Login/Logout Messages to a Single File".

The auditreduce -a command with the date shown in the following screen example sends all audit records created after midnight on July 15, 1991, to praudit.

# auditreduce -a 91071500:00:00 | praudit 

The auditreduce -b command with the same date shown above sends all audit records created before midnight on July 15, 1991 to praudit.

# auditreduce -b 91071500:00:00 | praudit 

The message type selection for auditreduce (-m option) accepts either numeric message identifiers or AUE_xxxxx codes. auditreduce rejects an incorrect format, but does not describe the correct format.