praudit - print contents of an audit trail file
praudit [-lrsx] [-ddel] [filename]...
praudit reads the listed filenames (or standard input, if no filename is specified) and interprets the data as audit trail records as defined in the audit.log(5) man page. By default, times, user and group IDs (UIDs and GIDs respectively) are converted to their ASCII representation. Record type and event fields are converted to their ASCII representation. Only users with the PRIV_FILE_DAC_READ privilege can use the praudit utility. If the Trusted Extensions have been enabled, users must have the PRIV_SYS_TRANS_LABEL privilege. Both these privileges are included in the Audit Review rights profile.
The following options are supported:
Use del as the field delimiter instead of the default delimiter, which is the comma. If del has special meaning for the shell, it must be quoted. The maximum size of a delimiter is three characters. The delimiter is not meaningful and is not used when the –x option is specified.
Print one line per record.
Print records in their raw form. Times, UIDs, GIDs, record types, and events are displayed as integers. This option is useful when naming services are offline. The –r option and the –s option are exclusive. If both are used, a format usage error message is output.
Display records in their short form. Numeric fields' ASCII equivalents are looked up by means of the sources specified in the /etc/nsswitch.conf file (see nsswitch.conf(5)). All numeric fields are converted to ASCII and then displayed. The short ASCII representations for the record type and event fields are used. This option and the –r option are exclusive. If both are used, a format usage error message is output.
Print records in XML form. Tags are included in the output to identify tokens and fields within tokens. Output begins with a valid XML prolog, which includes identification of the DTD which can be used to parse the XML.
Audit event definition and class mappings.
Audit class definitions.
Directory containing the versioned DTD file referenced in XML output, for example, adt_record.dtd.1.
Directory containing the versioned XSL file referenced in XML output, for example, adt_record.xsl.1.
To print a subset of audit records, use the auditreduce(8) utility to filter the contents of the audit log to select records for printing before passing them to praudit.
# auditreduce -c lo /var/audit/* | praudit -x | xsltproc - > logins.html
See attributes(7) for descriptions of the following attributes:
|
The command stability is Committed. The output format is Uncommitted.
xsltproc(1), getpwuid(3C), audit.log(5), audit_class(5), audit_event(5), group(5), nsswitch.conf(5), passwd(5), attributes(7), privileges(7), auditrecord(8), auditreduce(8), getent(8)