AULAST:(8) System Administration Utilities AULAST:(8)NAME
aulast - a program similar to last
SYNOPSIS
aulast [ options ] [ user ] [ tty ]
DESCRIPTION
aulast is a program that prints out a listing of the last logged in users similarly to the program last and lastb. Aulast searches back
through the audit logs or the given audit log file and displays a list of all users logged in (and out) based on the range of time in the
audit logs. Names of users and tty's can be given, in which case aulast will show only those entries matching the arguments. Names of ttys
can be abbreviated, thus aulast 0 is the same as last tty0.
The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was
created.
The main difference that a user will notice is that aulast print events from oldest to newest, while last prints records from newest to
oldest. Also, the audit system is not notified each time a tty or pty is allocated, so you may not see quite as many records indicating
users and their tty's.
OPTIONS --bad Report on the bad logins.
--extract
Write raw audit records used to create the displayed report into a file aulast.log in the current working directory.
-ffile Use the file instead of the audit logs for input.
--proof
Print out the audit event serial numbers used to determine the preceding line of the report. A Serial number of 0 is a place holder
and not an actual event serial number. The serial numbers can be used to examine the actual audit records in more detail. Also an
ausearch query is printed that will let you find the audit records associated with that session.
--stdin
Take audit records from stdin.
EXAMPLES
To see this month's logins
ausearch --start this-month --raw | aulast --stdin
SEE ALSO last(1), lastb(1), ausearch(8), aureport(8).
AUTHOR
Steve Grubb
Red Hat Nov 2008 AULAST:(8)
Check Out this Related Man Page
audit(4) Kernel Interfaces Manual audit(4)NAME
audit - audit trail format and other information for auditing
DESCRIPTION
Audit records are generated when users make security-relevant system calls, as well as by self-auditing processes that call (see aud-
write(2)). Access to the auditing system is restricted to super-user.
Each audit record consists of an audit record header and a record body. The record header is comprised of sequence number, process ID,
event type, and record body length. The sequence number gives relative order of all records; the process ID belongs to the process being
audited; the event type is a field identifying the type of audited activity; the length is the record body length expressed in bytes.
The record body is the variable-length component of an audit record containing more information about the audited activity. For records
generated by system calls, the body contains the time the audited event completes in either success or failure, and the parameters of the
system calls; for records generated by self-auditing processes, the body consists of the time audwrite(2) writes the records and the high-
level description of the event (see audwrite(2)).
The records in the audit trail are compressed to save file space. When a process is audited the first time, a pid identification record
(PIR) is written into the audit trail containing information that remains constant throughout the lifetime of the process. This includes
the parent's process ID, audit tag, real user ID, real group ID, effective user ID, effective group ID, group ID list, effective, permit-
ted, and retained privileges, compartment ID, and the terminal ID (tty). The PIR is entered only once per process per audit trail.
Information accumulated in an audit trail is analyzed and displayed by (see audisp(1M)).
AUTHOR
was developed by HP.
SEE ALSO audsys(1M), audevent(1M), audisp(1M), audomon(1M), audwrite(2), audit(5), compartments(5), privileges(5).
audit(4)