SunSHIELD Basic Security Module Guide

Using auditreduce

This section describes a few common uses of auditreduce to analyze and manage data.

How to Display the Whole Audit Log

To display the whole audit trail at once, pipe the output of auditreduce into praudit.


# auditreduce | praudit

How to Print the Whole Audit Log

With a pipe to lp, the output goes to the printer.


# auditreduce | praudit | lp

How to Display User Activity on a Selected Date

In the following example, the system administrator checks to see when a user named fred logged in and logged out on April 13, 1990, by requesting the lo event class. The short-form date is in the form yymmdd. (The long form is described in the auditreduce(1M) man page.)


# auditreduce -d 900413 -u fred -c lo | praudit

How to Copy Login/Logout Messages to a Single File

In this example, login/logout messages for a particular day are summarized in a file. The target file is written in a directory other than the normal audit root.


# auditreduce -c lo -d 870413 -O /usr/audit_summary/logins

The -O option creates an audit file with 14-character timestamps for both start-time and end-time, and the suffix logins:


/usr/audit_summary/19870413000000.19870413235959.logins

How to Clean Up a not_terminated Audit File

Occasionally, if an audit daemon dies while its audit file is still open, or a server becomes inaccessible and forces the machine to switch to a new server, an audit file is left behind whose end-time in the file name is still the string not_terminated, even though the file no longer receives audit records. When such a file is found, you can manually verify that the file is no longer in use and clean it up by specifying the name of the file with the correct options.


# auditreduce -O machine 19870413120429.not_terminated.machine

This creates a new audit file whose name carries the correct start and end time stamps and the explicitly specified suffix machine, and copies all the records from the old file into it.
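The file-naming convention described under the -O option above (START.END.SUFFIX with 14-character timestamps) is what makes an orphaned not_terminated file recognisable. The following POSIX shell helpers are an added example, not part of the SunSHIELD guide or of the auditreduce tool: they parse audit file names, list the not_terminated files in an audit directory, and print the auditreduce -O invocation from this section that would repair each one. They deliberately stop short of running auditreduce, because the guide requires you to verify by hand that a file is no longer in use first. The directory layout and file names in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SunSHIELD guide): inspect BSM audit file names.
# An audit file is named START.END.SUFFIX, where START and END are 14-character
# YYYYMMDDhhmmss timestamps and SUFFIX is normally the machine name. A file that
# is still open, or was orphaned when auditd died, has END = not_terminated.

# is_ts STRING: succeeds when STRING is a 14-digit timestamp.
is_ts() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{14}$'
}

# audit_file_span NAME
#   Prints "START END SUFFIX" for a well-formed audit file name (NAME may be a
#   path); returns 1 for anything that does not follow the convention.
audit_file_span() {
    name=$(basename "$1")
    start=${name%%.*}
    rest=${name#*.}
    # Reject names without at least two dots (no room for END and SUFFIX).
    [ "$rest" != "$name" ] && [ "${rest#*.}" != "$rest" ] || return 1
    end=${rest%%.*}
    suffix=${rest#*.}
    is_ts "$start" || return 1
    # END is either a closed-file timestamp or the not_terminated marker.
    [ "$end" = not_terminated ] || is_ts "$end" || return 1
    [ -n "$suffix" ] || return 1
    printf '%s %s %s\n' "$start" "$end" "$suffix"
}

# repair_command FILE
#   Prints the auditreduce invocation shown in the guide that rewrites FILE
#   with both timestamps, using the suffix taken from FILE's own name.
#   Returns 1 if FILE is not a not_terminated audit file.
repair_command() {
    span=$(audit_file_span "$1") || return 1
    set -- "$1" $span          # $1 file, $2 start, $3 end, $4 suffix
    [ "$3" = not_terminated ] || return 1
    printf 'auditreduce -O %s %s\n' "$4" "$1"
}

# list_not_terminated DIR
#   Lists every not_terminated audit file in DIR, oldest first, as
#   "FILE SUFFIX", so each can be checked and then repaired with
#   repair_command. Files that do not follow the naming convention are skipped.
list_not_terminated() {
    dir=$1
    for f in "$dir"/*.not_terminated.*; do
        [ -e "$f" ] || continue            # glob matched nothing
        span=$(audit_file_span "$f") || continue
        set -- $span
        printf '%s %s\n' "$f" "$3"
    done | sort
}

# Usage: AUDIT_DIR is a constructed placeholder; the real audit root is
# whatever your audit_control(4) configuration points at.
if [ -n "${AUDIT_DIR-}" ]; then
    list_not_terminated "$AUDIT_DIR" | while read -r file suffix; do
        echo "candidate: $file (suffix $suffix)"
        repair_command "$file"
    done
fi
```

Run it with `AUDIT_DIR=/etc/security/audit/host/files sh script.sh` (path assumed, substitute your audit root). If auditd is running, its currently open file also carries not_terminated, so leave the newest listed file alone unless you have confirmed the daemon is not writing to it; only files you have verified as no longer in use should be passed to the printed auditreduce -O command.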