System Administration Guide: Security Services

The auditreduce Command

Use the auditreduce command to merge audit records from one or more input audit files or to perform a postselection of audit records. See the auditreduce(1M) man page. To merge the entire audit trail, run this command on the machine on which all the audit file systems for the installation are mounted.

The auditreduce command enables you to track all auditable actions on multiple machines from a single location. If you identically configure all machines at an installation for auditing, and create servers and local directories for the audit log files, then the auditreduce command can read the logical combination of all audit files in the installation as a single audit trail. auditreduce ignores how the records were generated or where they are stored. Without options, the auditreduce command merges audit records from all the audit files in all of the subdirectories in the audit root directory (/etc/security/audit) and sends the result to standard output. You can also place the result in a single, chronologically ordered output file. The file contains binary data.

The auditreduce command can also select particular types of records for analysis. The merging and selecting functions of auditreduce are logically independent. auditreduce captures data from the input files as the records are read, before the files are merged and written to disk.

The praudit command makes the binary output of auditreduce readable.

By specifying options to the auditreduce command, you can also do the following:

With no arguments, auditreduce checks the subdirectories within the /etc/security/audit directory, the default audit root directory. The command checks for a files directory in which the start-time.end-time.hostname files reside. The auditreduce command is very useful when the audit data for different hosts (Figure 25–1) or for different audit servers (Figure 25–2) reside in separate directories.

Figure 25–1 Audit Trail Storage Sorted by Host

Diagram shows a default audit root directory whose top directory names are host names.

Figure 25–2 Audit Trail Storage Sorted by Server

Diagram shows a default audit root directory whose top directory names are server names.

When you do not store audit data in the default directory, perhaps because the partition for /etc/security/audit is very small, you can pass the auditreduce command another directory by using the -R option:


# auditreduce -R /var/audit-alt 

You can also specify a particular subdirectory by using the -S option:


# auditreduce -S /var/audit-alt/host1 

You can direct auditreduce to process only certain audit log files by specifying them as command arguments:


# auditreduce /var/audit/egret/files/2001*.2001*egret
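Because each file name carries start-time.end-time.hostname, the input files for one host and time window can be chosen from the names alone before auditreduce runs. The shell function below is an added example, not part of the original guide; the function name, the sample tree and the host name grebe are constructed, and it assumes 14-digit YYYYMMDDHHMMSS time stamps with not_terminated in place of the end time for a file that is still being written.

```shell
#!/bin/sh
# Added example: choose audit files by host and time window from their names.
# Assumed layout: <root>/<dir>/files/<start>.<end>.<host>

select_audit_files() {  # usage: select_audit_files ROOT HOST FROM TO
    root=$1 host=$2 from=$3 to=$4
    for f in "$root"/*/files/*."$host"; do
        [ -f "$f" ] || continue              # unmatched glob or not a file
        name=${f##*/}
        start=${name%%.*}; rest=${name#*.}; end=${rest%%.*}
        # Reject names where HOST is only the suffix of a longer host name.
        [ "$name" = "$start.$end.$host" ] || continue
        case $start in ''|*[!0-9]*) continue ;; esac
        # An open file has no end time yet: treat it as open-ended.
        [ "$end" = not_terminated ] && end=99999999999999
        case $end in ''|*[!0-9]*) continue ;; esac
        # Keep the file when [start,end] overlaps [from,to].
        if [ "$start" -le "$to" ] && [ "$end" -ge "$from" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (empty files; only the names matter here).
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/egret/files" "$demo_root/grebe/files"
touch "$demo_root/egret/files/20010401000000.20010402000000.egret" \
      "$demo_root/egret/files/20010402000000.20010403000000.egret" \
      "$demo_root/egret/files/20010403000000.not_terminated.egret" \
      "$demo_root/grebe/files/20010402000000.20010403000000.grebe"

# Files for host egret that cover any part of 2 April 2001.
selected=$(select_audit_files "$demo_root" egret 20010402000000 20010402235959)
printf '%s\n' "$selected"
# On a machine with auditing installed, the list becomes the arguments:
#   auditreduce $selected | praudit
```

A file whose end time equals the start of the window is kept, so a record written at the boundary is not missed.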

For other options and additional examples, see the auditreduce(1M) man page.