This section describes a few common uses of auditreduce to
analyze and manage data.
How to Display the Whole Audit Log
To display the whole audit trail at once, pipe the output of auditreduce into praudit.
How to Print the Whole Audit Log
With a pipe to lp, the output goes to the printer.
# auditreduce | praudit | lp
How to Display User Activity from a
In the following example, the system administrator checks to see when a user
named fred logged in and logged out on April 13, 1990, by requesting
the lo event class. The short-form date is in the form yymmdd. (The long form is described in the auditreduce(1M) man page.)
# auditreduce -d 900413 -u fred -c lo | praudit
How to Copy Login/Logout Messages to a Single File
In this example, login/logout messages for a particular day are summarized in
a file. The target file is written in a directory other than the normal audit root.
# auditreduce -c lo -d 870413 -O /usr/audit_summary/logins
The -O option creates an audit file with 14-character
timestamps for both start-time and end-time, and the suffix logins:
How to Clean Up a not_terminated Audit File
Occasionally, if an audit daemon dies while its audit file is still open, or
a server becomes inaccessible and forces the machine to switch to a new server, an
audit file remains in which the end-time in the file name is the string not_terminated, even though the file is no longer used for audit records.
When such a file is found, you can manually verify that the file is no longer in use
and clean it up by specifying the name of the file with the correct options.
# auditreduce -O machine 19870413120429.not_terminated.machine
This creates a new audit file with the correct name (both time stamps) and the
correct suffix (machine, explicitly specified), and copies
all the messages into it.
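The following dry-run helper is an added example, not part of the original guide. It lists the not_terminated files in a directory and prints the auditreduce -O command shown above for each one, for you to review before running it. The function names and the use of fuser to skip files that a process still has open are assumptions of this example.

```shell
#!/bin/sh
# Added example: dry-run helper for stale not_terminated audit files.
# Audit file names have the form start-time.end-time.suffix, where the
# start-time is 14 digits and an unclosed file ends in not_terminated.

# Print "start-time suffix" if $1 is a well-formed not_terminated name.
parse_not_terminated() {
    name=$(basename "$1")
    start=${name%%.*}
    rest=${name#*.}
    [ "$rest" != "$name" ] || return 1       # no end-time field
    end=${rest%%.*}
    suffix=${rest#*.}
    [ "$suffix" != "$rest" ] || return 1     # no suffix field
    [ -n "$suffix" ] || return 1
    [ "$end" = "not_terminated" ] || return 1
    case $start in
        *[!0-9]*) return 1 ;;                # start-time must be digits only
    esac
    [ "${#start}" -eq 14 ] || return 1
    printf '%s %s\n' "$start" "$suffix"
}

# For each not_terminated file in directory $1, print the cleanup command.
# Nothing is executed; files still held open by a process are skipped.
stale_audit_commands() {
    for f in "$1"/*.not_terminated.*; do
        [ -f "$f" ] || continue
        parsed=$(parse_not_terminated "$f") || continue
        suffix=${parsed#* }
        if command -v fuser >/dev/null 2>&1 &&
           [ -n "$(fuser "$f" 2>/dev/null)" ]; then
            echo "# in use, skipped: $f"
            continue
        fi
        echo "auditreduce -O $suffix $(basename "$f")"
    done
}

# Stand-alone use: pass the directory that holds the audit files.
if [ "$#" -gt 0 ]; then stale_audit_commands "$1"; fi
```

The printed commands use the bare file name, as in the example above, so run them from the directory that was scanned.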