audit_log(9) [suse man page]

AUDIT_LOG(9)							 Audit Interfaces						      AUDIT_LOG(9)

NAME
audit_log - Log an audit record

SYNOPSIS
void audit_log(struct audit_context * ctx, gfp_t gfp_mask, int type, const char * fmt, ...);

ARGUMENTS
ctx
    audit context
gfp_mask
    type of allocation
type
    audit message type
fmt
    format string to use @...: variable parameters matching the format string
...
    variable arguments

DESCRIPTION
This is a convenience function that calls audit_log_start, audit_log_vformat, and audit_log_end. It may be called in any context.

COPYRIGHT

Kernel Hackers Manual 2.6. July 2010 AUDIT_LOG(9)
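
The call sequence from the DESCRIPTION above, as an added user-space model (not kernel code and not part of the man page). The bodies of audit_log_start, audit_log_vformat and audit_log_end are stand-ins that only mimic the order of calls; audit_enabled, last_record and the buffer size are constructed for the example.

```c
/* User-space model of the audit_log() call sequence. The three helpers are
 * stand-ins written for this example, not the kernel implementations. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct audit_context;              /* opaque, as in the synopsis */
typedef unsigned int gfp_t;        /* stand-in for the kernel type */
struct audit_buffer { char data[128]; size_t len; };   /* stand-in */

static int audit_enabled = 1;      /* constructed switch for the model */
static char last_record[128];      /* where the model "emits" a record */

static struct audit_buffer *audit_log_start(struct audit_context *ctx,
                                            gfp_t gfp_mask, int type)
{
    static struct audit_buffer ab; /* model only: no real allocation */
    (void)ctx; (void)gfp_mask;
    if (!audit_enabled)
        return NULL;               /* no buffer available */
    ab.len = (size_t)snprintf(ab.data, sizeof ab.data, "type=%d msg=", type);
    return &ab;
}

static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
                              va_list args)
{
    size_t room = sizeof ab->data - ab->len - 1;   /* keep the NUL */
    int n = vsnprintf(ab->data + ab->len, room + 1, fmt, args);
    if (n > 0)
        ab->len += (size_t)n < room ? (size_t)n : room;  /* truncated fit */
}

static void audit_log_end(struct audit_buffer *ab)
{
    memcpy(last_record, ab->data, ab->len + 1);    /* "send" the record */
}

/* The convenience wrapper: start, format the caller's varargs, end. */
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
               const char *fmt, ...)
{
    struct audit_buffer *ab = audit_log_start(ctx, gfp_mask, type);
    va_list args;
    if (!ab) return;               /* nothing started, nothing to end */
    va_start(args, fmt);
    audit_log_vformat(ab, fmt, args);
    va_end(args);
    audit_log_end(ab);
}
```

The wrapper forwards its variable arguments as a va_list, which is why the middle step is the v-variant of the formatter, and it emits nothing when the start step returns no buffer.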

Check Out this Related Man Page

audit(4)						     Kernel Interfaces Manual							  audit(4)

NAME
audit - audit trail format and other information for auditing

DESCRIPTION
Audit records are generated when users make security-relevant system calls, as well as by self-auditing processes that call (see audwrite(2)). Access to the auditing system is restricted to super-user.

Each audit record consists of an audit record header and a record body. The record header is comprised of sequence number, process ID, event type, and record body length. The sequence number gives relative order of all records; the process ID belongs to the process being audited; the event type is a field identifying the type of audited activity; the length is the record body length expressed in bytes.

The record body is the variable-length component of an audit record containing more information about the audited activity. For records generated by system calls, the body contains the time the audited event completes in either success or failure, and the parameters of the system calls; for records generated by self-auditing processes, the body consists of the time audwrite(2) writes the records and the high-level description of the event (see audwrite(2)).

The records in the audit trail are compressed to save file space. When a process is audited the first time, a pid identification record (PIR) is written into the audit trail containing information that remains constant throughout the lifetime of the process. This includes the parent's process ID, audit tag, real user ID, real group ID, effective user ID, effective group ID, group ID list, effective, permitted, and retained privileges, compartment ID, and the terminal ID (tty). The PIR is entered only once per process per audit trail.

Information accumulated in an audit trail is analyzed and displayed by (see audisp(1M)).

AUTHOR
was developed by HP.

SEE ALSO
audsys(1M), audevent(1M), audisp(1M), audomon(1M), audwrite(2), audit(5), compartments(5), privileges(5).

audit(4)