PRAUDIT(8) Maintenance Commands and Procedures PRAUDIT(8)
NAME
praudit - print contents of an audit trail file
SYNOPSIS
praudit [
-r|-s] [
-lx] [
-ddel] [
-g filename] [
-p filename] [
filename]...
DESCRIPTION
praudit reads the listed
filenames (or standard input, if no
filename is
specified) and interprets the data as audit trail records as defined in
audit.log(5). By default, times, user and group
IDs (
UIDs and
GIDs,
respectively) are converted to their
ASCII representation. Record type
and event fields are converted to their
ASCII representation. A maximum
of 100 audit files can be specified on the command line.
OPTIONS
The following options are supported:
-ddel Use
del as the field delimiter instead of the default delimiter,
which is the comma. If
del has special meaning for the shell, it must
be quoted. The maximum size of a delimiter is three characters. The
delimiter is not meaningful and is not used when the
-x option is
specified.
-l Print one line per record.
-r Print records in their raw form. Times,
UIDs,
GIDs, record types, and
events are displayed as integers. This option is useful when naming
services are offline. The
-r option and the
-s option are exclusive.
If both are used, a format usage error message is output.
-s Display records in their short form. Numeric fields' ASCII
equivalents are looked up by means of the sources specified in the
/etc/nsswitch.conf file (see
nsswitch.conf(5)). All numeric fields
are converted to ASCII and then displayed. The short
ASCII representations for the record type and event fields are used. This
option and the
-r option are exclusive. If both are used, a format
usage error message is output.
-x Print records in XML form. Tags are included in the output to
identify tokens and fields within tokens. Output begins with a valid
XML prolog, which includes identification of the DTD which can be
used to parse the XML.
-g filename Read group entries from the specified file.
GIDs referenced in the
audit files will be resolved to group names using this file.
GIDs not
referenced in the specified file will be resolved by the host system.
This option is useful when aggregating logs from multiple systems
onto a single host for analysis, allowing
GIDs to be resolved to the
group names appropriate to the source of the audit file. To do this,
copy the
/etc/group file from the system from which the audit file
originates and use that as the argument to the
-g flag.
-p filename Read passwd entries from the specified file.
UIDs referenced in the
audit files will be resolved to user names using this file.
UIDs not
referenced in the specified file will be resolved by the host system.
This option is useful when aggregating logs from multiple systems
onto a single host for analysis, allowing
UIDs to be resolved to the
user names appropriate to the source of the audit file. To do this,
copy the
/etc/passwd file from the system from which the audit file
originates and use that as the argument to the
-p flag.
FILES
/etc/security/audit_event Audit event definition and class mappings.
/etc/security/audit_class Audit class definitions.
/usr/share/lib/xml/dtd Directory containing the versioned DTD file referenced in XML output,
for example,
adt_record.dtd.1.
/usr/share/lib/xml/style Directory containing the versioned XSL file referenced in XML output,
for example,
adt_record.xsl.1.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | See below |
+--------------------+-----------------+
The command stability is evolving. The output format is unstable.
SEE ALSO
audit(2),
getauditflags(3BSM),
getpwuid(3C),
gethostbyaddr(3NSL),
ethers(3SOCKET),
getipnodebyaddr(3SOCKET),
audit.log(5),
audit_class(5),
audit_event(5),
group(5),
nsswitch.conf(5),
passwd(5),
attributes(7),
getent(8) August 13, 2019
PRAUDIT(8)