The auditreduce Command (System Administration Guide: Security Services)

System Administration Guide: Security Services

The `auditreduce` Command

Use the auditreduce command to merge audit records from one or more input audit files. The command can also be used to perform a post selection of audit records. See the auditreduce(1M) man page. To merge the entire audit trail, run this command on the audit server. The audit server is the machine that mounts all the audit file systems for the installation.

The auditreduce command enables you to track all auditable actions on multiple machines from a single location. The command can read the logical combination of all audit files as a single audit trail. You must identically configure all machines at a site for auditing, and create servers and local directories for the audit log files. The auditreduce command ignores how the records were generated or where they are stored. Without options, the auditreduce command merges audit records from all the audit files in all of the subdirectories in the audit root directory. Typically, /etc/security/audit is the audit root directory. The auditreduce command sends the merge result to standard output. You can also place the result into a single, chronologically ordered output file. The file contains binary data.

The auditreduce command also can select particular types of records for analysis. The merging functions and selecting functions of the auditreduce command are logically independent. auditreduce captures data from the input files as the records are read, before the files are merged and then written to disk.

The praudit command makes the binary output of the auditreduce command readable.

By specifying options to the auditreduce command, you can also do the following:

Request audit records that were generated by only certain audit flags
Request audit records that were generated by one particular user
Request audit records that were generated on specific dates

With no arguments, auditreduce checks the subdirectories within the /etc/security/audit directory, the default audit root directory. The command checks for a files directory in which the start-time.end-time.hostname files reside. The auditreduce command is very useful when audit data resides in separate directories. Figure 23–1 illustrates audit data in separate directories for different hosts. Figure 23–2) illustrates audit data in separate directories for different audit servers.

Figure 23–1 Audit Trail Storage Sorted by Host

Diagram shows a default audit root directory whose top directory names are host names.

Figure 23–2 Audit Trail Storage Sorted by Server

Diagram shows a default audit root directory whose top directory names are server names.

If the partition for /etc/security/audit is very small, you might not store audit data in the default directory. You can pass the auditreduce command another directory by using the -R option:

# auditreduce -R /var/audit-alt

You can also specify a particular subdirectory by using the -S option:

# auditreduce -S /var/audit-alt/host1

You can direct auditreduce to process only certain audit log files by specifying them as command arguments:

# auditreduce /var/audit/egret/files/2001*.2001*egret

For other options and additional examples, see the auditreduce(1M) man page.