As an administrator who is assigned the Audit Review rights profile, you can filter audit records for examination by using the auditreduce command. The command merges the input audit files into a single output stream and, as it does so, discards every record that does not match the selection options you give it.
auditreduce -option argument [optional-file]
where argument is the specific argument that an option requires.
The following is a partial list of record selection options and their corresponding arguments:
-c  Selects all of the events in an audit class, where argument is an audit class name such as ua or lo.
-d  Selects all of the events on a particular date. The date format for argument is yyyymmdd. The related options -b and -a select events before and after a particular date, respectively.
-u  Selects all of the events attributable to a particular user. For this option, you specify a user name. Another user option, -e, selects all of the events attributable to an effective user ID.
-g  Selects all of the events attributable to a particular group. For this option, specify a group name.
-m  Selects all of the instances of a particular audit event.
-o  Selects by object type. Use this option to select by file, group, file owner, FMRI, PID, and other object types.
optional-file  The name of an audit file. When you name one or more audit files, auditreduce reads only those files instead of the whole audit trail.
The command also uses file selection options, which are all in upper case, as shown in the following examples. For the full list of options, see the auditreduce(1M) man page.

Example 5-4 Combining and Reducing Audit Files
In this example, login and logout records that are more than a month old are extracted from the audit trail into a summary file and compressed. The example assumes that the current date is Sept 27, so -b 20100827 selects records written before Aug 27, and -c lo keeps only records in the lo (login and logout) class. The summary file holds only the selected records; if you later need the complete audit trail for that period, recover it from backup media. The -O option writes the merged output to a file in the current directory whose name ends in the suffix lo.summary.
# cd /var/audit/audit_summary
# auditreduce -O lo.summary -b 20100827 -c lo; compress *lo.summary

Example 5-5 Copying One User's Audit Records to a Summary File
In this example, all records in the audit trail that are attributable to one user are merged into a summary file. The -e option selects records by effective user ID; the -u option selects records by the audit (login) user ID. The -O option writes the output to a file in the current directory whose name ends in the suffix tamiko.

# cd /var/audit/audit_summary
# auditreduce -e tamiko -O tamiko
The following command in the same example selects a narrower set of records for that user and writes them to a file whose name ends in the suffix tamikolo. The records are selected by:

Time of user login and logout, specified by the -c option with the lo class.
Date of Sept 7, 2013, specified by the -d option. The short form of the date is yyyymmdd.
User name of tamiko, specified by the -u option.
Machine name of tamiko, specified by the -M option.

# auditreduce -M tamiko -O tamikolo -d 20130907 -u tamiko -c lo

Example 5-6 Merging Selected Records to a Single File
In this example, login and logout records for a particular day are selected from the audit trail and merged into a single target file. Because the -O argument is a path, the file is written to that directory, which here is in a file system other than the one that contains the audit root directory. As the ls output shows, auditreduce builds the file name from the timestamps of the first and last merged records followed by the logins suffix.
# auditreduce -c lo -d 20130827 -O /var/audit/audit_summary/logins
# ls /var/audit/audit_summary/*logins
/var/audit/audit_summary/20130827183936.20130827232326.logins
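The file name that the ls output above reveals, start-time.end-time.suffix with both times written as yyyymmddHHMMSS, is what lets you decide which existing summary files are worth handing to auditreduce as its optional-file argument instead of rereading the whole trail. The following shell script is an added example and is not from the Oracle Solaris documentation or from the auditreduce source: it parses such names, validates yyyymmdd arguments before they reach -d, -b or -a, and lists the files from a constructed set that can contain records for a given day. The sample file names and the assumption that both timestamps are always 14 digits are the example's own.

```sh
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.  The functions
# below work only on file names, so they run on any POSIX shell without
# auditreduce installed.  They rely on one fact shown in Example 5-6:
# auditreduce names its output start-time.end-time.suffix, with both times
# written as yyyymmddHHMMSS (assumed here to be exactly 14 digits).

# Split an audit file name into "start end suffix".  Fails (status 1) when
# the name does not have two 14-digit timestamps followed by a suffix.
audit_name_fields() {
    name=${1##*/}                  # drop any directory part
    start=${name%%.*}
    rest=${name#*.}
    end=${rest%%.*}
    suffix=${rest#*.}
    [ "$rest" != "$name" ] && [ "$suffix" != "$rest" ] || return 1
    case "$start$end" in
        *[!0-9]*) return 1 ;;      # timestamps must be digits only
    esac
    [ ${#start} -eq 14 ] && [ ${#end} -eq 14 ] || return 1
    printf '%s %s %s\n' "$start" "$end" "$suffix"
}

# Check that an argument meant for -d, -b or -a is a plausible yyyymmdd date:
# eight digits, month 01-12, day 01-31.  auditreduce rejects malformed dates
# itself, but checking in a wrapper script gives a clearer error message.
valid_yyyymmdd() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=${1#????}; mm=${mm%??}
    dd=${1#??????}
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ]
}

# Does the file named $1 hold records from the yyyymmdd day $2?  It does when
# its start time is no later than the last second of that day and its end
# time is no earlier than the first second.  The 14-digit timestamps fit in
# the integers test(1) compares, so -le and -ge are enough.
audit_file_covers_day() {
    valid_yyyymmdd "$2" || return 2
    fields=$(audit_name_fields "$1") || return 2
    set -- $fields "$2"            # $1 start, $2 end, $3 suffix, $4 day
    [ "$1" -le "${4}235959" ] && [ "$2" -ge "${4}000000" ]
}

# Given one file name per line on stdin, print the ones that cover day $1.
# The output is what you would pass to auditreduce as its optional-file
# arguments to restrict a query to the files that can matter.
files_covering_day() {
    while IFS= read -r f; do
        if audit_file_covers_day "$f" "$1"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: three summary files in the style of Example 5-6.
SAMPLE_FILES='/var/audit/audit_summary/20130826000000.20130826235959.logins
/var/audit/audit_summary/20130827183936.20130827232326.logins
/var/audit/audit_summary/20130827232400.20130828120000.logins'

# Usage: which of the sample files could hold records from 27 Aug 2013?
printf '%s\n' "$SAMPLE_FILES" | files_covering_day 20130827
```

The day check treats a file as relevant when its time range merely overlaps the day, so a file that spans midnight is reported for both days; that is the safe direction for an analyst, because auditreduce applies the exact -d filter to whatever files you pass it.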