HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 10 Audit Administration

Viewing Audit Logs


Auditing accumulates a lot of data. Use the audisp command to select the data that you want to view:

# /usr/sbin/audisp audit_trail

The following options are available with the audisp command:

-f

Displays failed events only.

-p

Displays successful events only.

-c system_call

Displays the selected system call.

-t

Displays events that occurred after the given time.

-s

Displays events that occurred before the given time.

-u user-name

Displays information for a specific user.

-l terminal-name

Displays information for a specific terminal.

-e event-name

Displays information for the given event.

> file-name

Writes output to the specified file.

It can take a few minutes to prepare the record for viewing when working with large audit logs. When viewing the audit data, be aware of the following anomalies:

  • Audit data can appear inaccurate when programs that call auditable system calls supply incorrect parameters. The audit data shows what the user program passed to the kernel. For example, calling the kill() system call with no parameters produces unpredictable values in the parameter section of the audit record.

  • System calls that take file name arguments may not have device and inode information properly recorded. The values will be -1 if the call does not complete successfully.

  • Auditing the superuser while changing the event or system call parameters will result in a long audit record. For example, when you add an event type to be audited, a record will be produced for each event type and system call that has been enabled for audit, not just for the new event type being added.

Examples of Using the audisp Command

The following examples show audit information displayed using the audisp command:

  • Display the log output on the screen:

    # /usr/sbin/audisp audit_trail

  • Direct the log output to /tmp/mylogoutput:

    # /usr/sbin/audisp audit_trail > /tmp/mylogoutput

  • View successful events only:

    # /usr/sbin/audisp -p audit_trail

  • View activities owned by user joe:

    # /usr/sbin/audisp -u joe audit_trail

  • View activities on terminal ttypa:

    # /usr/sbin/audisp -l ttypa audit_trail

  • View login events only:

    # /usr/sbin/audisp -e login audit_trail
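The options above can be combined to narrow a large audit trail during review. The following is an added example, not part of the HP documentation: a POSIX shell function that writes one failed-events report per user (the -f and -u options together) into owner-only files. The function name failed_events_report, the AUDISP override variable and the .failed file suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-user reports of failed events from one audit trail.
# AUDISP may be overridden for testing on a host without audisp (assumption).
AUDISP="${AUDISP:-/usr/sbin/audisp}"

# failed_events_report TRAIL OUTDIR USER...
# Writes OUTDIR/USER.failed for each user, using "audisp -f -u USER TRAIL".
# Returns 0 on success, 1 on a usage/audisp error, 2 if a name was skipped.
failed_events_report() {
    [ $# -ge 3 ] || {
        echo "usage: failed_events_report trail outdir user..." >&2
        return 1
    }
    trail=$1; outdir=$2; shift 2
    [ -r "$trail" ] || { echo "cannot read audit trail: $trail" >&2; return 1; }

    old_umask=$(umask)
    umask 077                     # reports contain audit data: owner-only
    mkdir -p "$outdir" || { umask "$old_umask"; return 1; }

    rc=0
    for user in "$@"; do
        # Reject names that could be read as an option or escape OUTDIR.
        case $user in
            ""|-*|*/*)
                echo "skipping unsafe user name: $user" >&2
                rc=2
                continue ;;
        esac
        out="$outdir/$user.failed"
        if ! "$AUDISP" -f -u "$user" "$trail" > "$out"; then
            echo "audisp failed for user $user" >&2
            rc=1
        fi
    done
    umask "$old_umask"
    return $rc
}

# Typical use, run as root on the audited system:
#   failed_events_report audit_trail /var/tmp/audit_review joe
```
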

© 2008 Hewlett-Packard Development Company, L.P.