Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

praudit(1) [osx man page]

PRAUDIT(1)						    BSD General Commands Manual 						PRAUDIT(1)

NAME

     praudit -- print the contents of audit trail files

SYNOPSIS

     praudit [-lnpx] [-r | -s] [-d del] [file ...]

DESCRIPTION

     The praudit utility prints the contents of the audit trail files to the standard output in human-readable form.  If no file argument is spec-
     ified, the standard input is used by default.

     The options are as follows:

     -d del  Specifies the delimiter.  The default delimiter is the comma.

     -l      Prints the entire record on the same line.  If this option is not specified, every token is displayed on a different line.

     -n      Do not convert user and group IDs to their names but leave in their numeric forms.

     -p      Specify this option if input to praudit is piped from the tail(1) utility.  This causes praudit to sync to the start of the next
	     record.

     -r      Prints the records in their raw form.  Show records and event types in a numeric form (also known as raw form).  This option is
	     exclusive from -s.

     -s      Prints the records in their short form. Show records and events in a short textual representation.  This option is exclusive from -r.

     -x      Print audit records in the XML output format.

     If the raw or short forms are not specified, the default is to print the tokens in their raw form.  Events are displayed as per their
     descriptions given in /etc/security/audit_event; UIDs and GIDs are expanded to their names; dates and times are displayed in human-readable
     format.

FILES

     /etc/security/audit_class	  Descriptions of audit event classes.
     /etc/security/audit_event	  Descriptions of audit events.

SEE ALSO

     auditreduce(1), audit(4), auditpipe(4), audit_class(5), audit_event(5)

HISTORY

     The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in
     2004.  It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.

AUTHORS

     This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc.  Addi-
     tional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.

     The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.

BSD
								  August 4, 2009							       BSD

Check Out this Related Man Page

AUDITREDUCE(1)						    BSD General Commands Manual 					    AUDITREDUCE(1)

NAME

     auditreduce -- select records from audit trail files

SYNOPSIS

     auditreduce [-A] [-a YYYYMMDD[HH[MM[SS]]]] [-b YYYYMMDD[HH[MM[SS]]]] [-c flags] [-d YYYYMMDD] [-e euid] [-f egid] [-g rgid] [-j id]
		 [-m event] [-o object=value] [-r ruid] [-U] [-u auid] [-v] [file ...]

DESCRIPTION

     The auditreduce utility selects records from the audit trail files based on the specified criteria.  Matching audit records are printed to
     the standard output in their raw binary form.  If no file argument is specified, the standard input is used by default.  Use the praudit(1)
     utility to print the selected audit records in human-readable form.

     The options are as follows:

     -A      Select all records.

     -a YYYYMMDD[HH[MM[SS]]]
	     Select records that occurred after or on the given datetime.

     -b YYYYMMDD[HH[MM[SS]]]
	     Select records that occurred before the given datetime.

     -c flags
	     Select records matching the given audit classes specified as a comma separated list of audit flags.  See audit_control(5) for a
	     description of audit flags.

     -d YYYYMMDD
	     Select records that occurred on a given date.  This option cannot be used with -a or -b.

     -e euid
	     Select records with the given effective user ID or name.

     -f egid
	     Select records with the given effective group ID or name.

     -g rgid
	     Select records with the given real group ID or name.

     -j id   Select records having a subject token with matching ID.

     -m event
	     Select records with the given event name or number. This option can be used more then once to select records of multiple event types.
	     See audit_event(5) for a description of audit event names and numbers.

     -o object=value

	     file    Select records containing path tokens, where the pathname matches one of the comma delimited extended regular expression con-
		     tained in given specification.  Regular expressions which are prefixed with a tilde ('~') are excluded from the search
		     results.  These extended regular expressions are processed from left to right, and a path will either be selected or
		     deslected based on the first match.

		     Since commas are used to delimit the regular expressions, a backslash ('') character should be used to escape the comma if
		     it is a part of the search pattern.

	     msgqid  Select records containing the given message queue ID.

	     pid     Select records containing the given process ID.

	     semid   Select records containing the given semaphore ID.

	     shmid   Select records containing the given shared memory ID.

     -r ruid
	     Select records with the given real user ID or name.

     -U      Use unbuffered output. This option is automatically set when the input file is a character device (e.g. /dev/auditpipe), allowing
	     records to be fully processed as they are generated.

     -u auid
	     Select records with the given audit ID.

     -v      Invert sense of matching, to select records that do not match.

EXAMPLES

     To select all records associated with effective user ID root from the audit log /var/audit/20031016184719.20031017122634:

	   auditreduce -e root 
	       /var/audit/20031016184719.20031017122634

     To select all setlogin(2) events from that log:

	   auditreduce -m AUE_SETLOGIN 
	       /var/audit/20031016184719.20031017122634

     Output from the above command lines will typically be piped to a new trail file, or via standard output to the praudit(1) command.

     Select all records containing a path token where the pathname contains /etc/master.passwd:

	   auditreduce -o file="/etc/master.passwd" 
	       /var/audit/20031016184719.20031017122634

     Select all records containing path tokens, where the pathname is a TTY device:

	   auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" 
	       /var/audit/20031016184719.20031017122634

     Select all records containing path tokens, where the pathname is a TTY except for /dev/ttyp2:

	   auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" 
	       /var/audit/20031016184719.20031017122634

SEE ALSO

     praudit(1), audit_control(5), audit_event(5)

HISTORY

     The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in
     2004.  It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.

AUTHORS

     This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc.  Addi-
     tional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.

     The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.

BSD
								 January 24, 2004							       BSD
Man Page