Using the new admhist command, administrators can view a summary of successful privileged execution audit records in a helpful, easy-to-understand format. The admhist command extracts from the audit trail those commands that successfully used an administrative privilege, so the output displays commands that are more likely to have modified the system.
The admhist command pulls successful audit records from the privileged execution (pe) audit class and displays them in summary form. See also New Feature – Per-Privilege Logging of Audit Events.
Using the admhist command options, you can view events that occurred during a specified time period, events from a specified zone name, or events in one or more functional areas labeled with audit tags as described in New Feature – Filtering Audit Records by Functional Area.
For example, the following command displays successful events that occurred in zone1.
$ pfexec ; admhist -z zone1
The following command displays successful administrative commands that occurred on the system in the last six hours.
$ admhist -a "last 6 hours"
For further information, see the admhist(8) man page.