The bsmrecord command displays the audit ID, audit class, selection mask, and record format of an audit event. The command operates on records in the audit_class and audit_event files.
The -a option in the following command lists all audit event record formats. The -h option puts the list in HTML format. The resulting file can be displayed in a browser.
Use the bsmrecord command to put the format of all audit event records in an HTML file.
% bsmrecord -a -h > audit.events.html
You can display the resulting HTML file in a browser. Use the browser's Find tool to find specific records.
See the bsmrecord(1M) man page for more information.
In this example, the format of all audit records that are generated by the login program is displayed.
% bsmrecord -p login
terminal login
  program     /usr/sbin/login      see login(1)
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      text                         error message or "successful login"
      return
login: logout
  program     /usr/sbin/login      see login(1)
  event ID    6153                 AUE_logout
  class       lo                   (0x00001000)
      header
      subject
      text                         "logout" username
      return
rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
      header
      subject
      text                         success/fail message
      return
telnet login
  program     /usr/sbin/login      see login(1) - telnet
  event ID    6154                 AUE_telnet
  class       lo                   (0x00001000)
      header
      subject
      text                         success/fail message
      return
In this example, the format of all audit records in the fd class is displayed.
% bsmrecord -c fd
ftruncate
  Not used.
truncate
  Not used.
unlink
  system call unlink               see unlink(2)
  event ID    6                    AUE_UNLINK
  class       fd                   (0x00000020)
      header
      path
      [attribute]
      subject
      return
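The text output shown in the examples above can be turned into a lookup table of event ID, class mask, and expected token order, which is useful when checking that collected audit records have the structure you expect. The following Python parser is an added example, not part of the original documentation or of the bsmrecord tool. The dictionary keys are hypothetical names, and the parser assumes that each record body starts with "program", "system call", or "Not used." as in the examples, and that a bracketed token such as [attribute] is optional.

```python
import re
# Constructed sample: bsmrecord text output assembled from the two examples above.
SAMPLE = """\
% bsmrecord -c fd
ftruncate
Not used.
unlink
system call unlink see unlink(2)
event ID 6 AUE_UNLINK
class fd (0x00000020)
header
path
[attribute]
subject
return
telnet login
program /usr/sbin/login see login(1) - telnet
event ID 6154 AUE_telnet
class lo (0x00001000)
header
subject
text success/fail message
return
"""

def parse_bsmrecord(text):
    """Return one dict per audit event described in bsmrecord text output."""
    lines = [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("%")]
    records, cur = [], None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A record title is the line directly before a record body.
        if nxt.startswith(("program ", "system call ", "Not used.")):
            cur = {"title": line, "used": True, "tokens": []}
            records.append(cur)
        elif cur is None:
            continue
        elif line == "Not used.":
            cur["used"] = False
        elif line.startswith(("program ", "system call ")):
            cur["source"] = line
        elif m := re.match(r"event ID\s+(\d+)\s+(\S+)", line):
            cur["event_id"], cur["event_name"] = int(m[1]), m[2]
        elif m := re.match(r"class\s+(\S+)\s+\((0x[0-9a-fA-F]+)\)", line):
            cur["class"], cur["mask"] = m[1], int(m[2], 16)
        else:  # token line: (name, optional?, description)
            tok, _, note = line.partition(" ")
            cur["tokens"].append((tok.strip("[]"), tok.startswith("["), note.strip()))
    return records
```

Because every line is stripped before matching, the parser accepts both the indented output and a flattened copy of it.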