PRAUDIT(8)           Maintenance Commands and Procedures          PRAUDIT(8)
NAME
       praudit - print contents of an audit trail file
SYNOPSIS
       praudit [-r|-s] [-lx] [-ddel] [-g filename] [-p filename] [filename]...
DESCRIPTION
       praudit reads the listed filenames (or standard input, if no filename
       is specified) and interprets the data as audit trail records as
       defined in audit.log(5). By default, times, user and group IDs (UIDs
       and GIDs, respectively) are converted to their ASCII representation.
       Record type and event fields are converted to their ASCII
       representation. A maximum of 100 audit files can be specified on the
       command line.
OPTIONS
       The following options are supported:

       -ddel
           Use del as the field delimiter instead of the default delimiter,
           which is the comma. If del has special meaning for the shell, it
           must be quoted.  The maximum size of a delimiter is three
           characters. The delimiter is not meaningful and is not used when
           the -x option is specified.

       -l
           Print one line per record.

       -r
           Print records in their raw form. Times, UIDs, GIDs, record types,
           and events are displayed as integers. This option is useful when
           naming services are offline. The -r option and the -s option are
           exclusive. If both are used, a format usage error message is
           output.

       -s
           Display records in their short form. Numeric fields' ASCII
           equivalents are looked up by means of the sources specified in
           the /etc/nsswitch.conf file (see nsswitch.conf(5)). All numeric
           fields are converted to ASCII and then displayed. The short ASCII
           representations for the record type and event fields are used.
           This option and the -r option are exclusive.  If both are used, a
           format usage error message is output.

       -x
           Print records in XML form. Tags are included in the output to
           identify tokens and fields within tokens. Output begins with a
           valid XML prolog, which includes identification of the DTD which
           can be used to parse the XML.

       -g filename
           Read group entries from the specified file. GIDs referenced in
           the audit files will be resolved to group names using this file.
           GIDs not referenced in the specified file will be resolved by the
           host system. This option is useful when aggregating logs from
           multiple systems onto a single host for analysis, allowing GIDs
           to be resolved to the group names appropriate to the source of
           the audit file. To do this, copy the /etc/group file from the
           system from which the audit file originates and use that as the
           argument to the -g flag.

       -p filename
           Read passwd entries from the specified file. UIDs referenced in
           the audit files will be resolved to user names using this file.
           UIDs not referenced in the specified file will be resolved by the
           host system. This option is useful when aggregating logs from
           multiple systems onto a single host for analysis, allowing UIDs
           to be resolved to the user names appropriate to the source of the
           audit file. To do this, copy the /etc/passwd file from the system
           from which the audit file originates and use that as the argument
           to the -p flag.
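
       The aggregation workflow described under -g and -p, as an added
       example that is not part of the original manual page: each trail is
       printed with the passwd and group copies of the system that wrote it,
       and a host without those copies is printed with -r so that the
       analysis host's name services do not supply the names. The directory
       layout, the function names and the PRAUDIT override variable are
       assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the praudit distribution).
# Assumed layout, hypothetical: ROOT/<host>/passwd, ROOT/<host>/group and
# ROOT/<host>/trails/* copied from each source system.
# PRAUDIT can be overridden for testing; it defaults to praudit on PATH.
: "${PRAUDIT:=praudit}"

render_host() {
    hostdir=$1
    host=$(basename "$hostdir")
    if [ -r "$hostdir/passwd" ] && [ -r "$hostdir/group" ]; then
        # Resolve IDs with the databases of the system that wrote the trail.
        set -- -l -p "$hostdir/passwd" -g "$hostdir/group"
    else
        # No copies available: print raw integers (-r) rather than let the
        # analysis host's own name services supply names.
        set -- -l -r
    fi
    for trail in "$hostdir"/trails/*; do
        [ -f "$trail" ] || continue
        # One file per invocation stays far below the 100-file limit.
        "$PRAUDIT" "$@" "$trail" |
        while IFS= read -r line; do
            # Prefix every record line with the source host name.
            printf '%s: %s\n' "$host" "$line"
        done
    done
}

render_all() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        render_host "${d%/}"
    done
}

# Usage: sh render_trails.sh /var/audit-collected
if [ $# -gt 0 ]; then
    render_all "$1"
fi
```

       Even with -p and -g, IDs that are missing from the copied files are
       still resolved by the host system, so the copies should be taken at
       the time the trail is collected.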
FILES
       /etc/security/audit_event
           Audit event definition and class mappings.

       /etc/security/audit_class
           Audit class definitions.

       /usr/share/lib/xml/dtd
           Directory containing the versioned DTD file referenced in XML
           output, for example, adt_record.dtd.1.

       /usr/share/lib/xml/style
           Directory containing the versioned XSL file referenced in XML
           output, for example, adt_record.xsl.1.
ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:
       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | See below       |
       +--------------------+-----------------+
       The command stability is evolving. The output format is unstable.
SEE ALSO
       audit(2), getauditflags(3BSM), getpwuid(3C), gethostbyaddr(3NSL),
       ethers(3SOCKET), getipnodebyaddr(3SOCKET), audit.log(5),
       audit_class(5), audit_event(5), group(5), nsswitch.conf(5),
       passwd(5), attributes(7), getent(8)
                               August 13, 2019                    PRAUDIT(8)