
Managing Auditing in Oracle® Solaris 11.4


Updated: November 2020
 
 

New Feature – Reviewing Multiple Audit Events

The auditreduce command can review several audit events in a single invocation. The auditreduce -m command accepts one or more audit events, separated by commas. The following example selects three audit events from the audit trail, one by name and two by event number.

$ auditreduce -m AUE_SYSTEMBOOT,6166,6153 | praudit | more
file,2014-02-14 08:02:25.000-08:00,
header,64,2,system booted,na,system1,2014-02-14 08:02:25.472-08:00
text,booting kernel
header,54,2,init(8),na,system1,2014-02-14 08:05:36.440-08:00
text,booted
return,success,0
header,52,2,system booted,na,system1.example.com,2014-02-14 08:31:29.330-08:00
text,booting kernel
header,42,2,init(8),na,system1.example.com,2014-02-14 08:32:35.109-08:00
text,booted
return,success,0
header,69,2,logout,,system1.example.com,2014-02-14 08:32:49.940-08:00
subject,jandoe,jandoe,staff,jandoe,staff,1075,2258250201,60120 5632 dhcp-whq-twvpn-2-vpnpool-10-159-180-35.vpn.example.com
return,success,0
... 

For more information, see the auditreduce(8) man page.
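
The following is an added example, not part of the Oracle documentation: a shell function that condenses praudit's default comma-delimited output, as shown above, into one line per audit record for quick review. The names summarize_praudit and sample_praudit and the output layout are assumptions; the token field positions are read from the sample output above.

```shell
# Summarise praudit default (comma-delimited) output, one line per audit record.
# Output columns (layout is an assumption of this example): time|host|event|user|status
summarize_praudit() {
  awk -F, '
    function emit() {
      if (have) printf "%s|%s|%s|%s|%s\n", time, host, event, user, status
      have = 0
    }
    $1 == "header" {              # a header token starts a new record
      emit()
      # Parse from the right so a comma inside the event description stays in the event field
      time = $NF; host = $(NF - 1); event = $4
      for (i = 5; i <= NF - 3; i++) event = event "," $i
      user = "-"; status = "-"; have = 1
      next
    }
    have && $1 == "subject" { user = $2; next }    # field 2: audit user ID
    have && $1 == "return"  { status = $2; next }  # field 2: success or failure
    END { emit() }
  '
}

# Sample input: the praudit lines shown on this page, embedded so the example runs offline.
sample_praudit() {
  cat <<'EOF'
file,2014-02-14 08:02:25.000-08:00,
header,64,2,system booted,na,system1,2014-02-14 08:02:25.472-08:00
text,booting kernel
header,54,2,init(8),na,system1,2014-02-14 08:05:36.440-08:00
text,booted
return,success,0
header,52,2,system booted,na,system1.example.com,2014-02-14 08:31:29.330-08:00
text,booting kernel
header,42,2,init(8),na,system1.example.com,2014-02-14 08:32:35.109-08:00
text,booted
return,success,0
header,69,2,logout,,system1.example.com,2014-02-14 08:32:49.940-08:00
subject,jandoe,jandoe,staff,jandoe,staff,1075,2258250201,60120 5632 dhcp-whq-twvpn-2-vpnpool-10-159-180-35.vpn.example.com
return,success,0
EOF
}

# On a Solaris host: auditreduce -m AUE_SYSTEMBOOT,6166,6153 | praudit | summarize_praudit
sample_praudit | summarize_praudit
```

Records without a subject or return token, such as the system booted records above, show "-" in the corresponding column.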