Displaying audit trail information

Additional auditrpt options

Several other auditrpt options can be used to control how records are displayed.

The -b option

By default, audit records are displayed in the order in which events were recorded. The -b option of the auditrpt command allows the log file to be displayed "backwards." In other words, the most recent records are displayed first followed by the older records. This option is useful if you think that the event(s) of interest occurred recently.

NOTE: The -b option requires additional processing and will therefore affect the response time of the command. It may not be combined with the -w option.

The -w option

The -w option of the auditrpt command allows you to display the contents of the log file as it is being written. Its functionality is similar to the -f option of the tail(1) command. This allows the administrator to monitor system activity as it occurs. The -w option requires that auditing be enabled and that the audit buffer high water mark be set to zero. A high water mark of zero causes the auditing subsystem to bypass the audit buffers and write directly to the log file. Enter the following command to set the high water mark to zero:

auditlog -v 0

If the high water mark is not set to zero, auditrpt will display the following warning message and continue processing:

data in audit buffer will not be immediately displayed

If a log file is specified with the -w option, the following warning message will be displayed and auditrpt will process the current log file:

log file filename ignored

Note that the -w option cannot be used if the current log file is a special character device (for example, a tape drive). In addition, the -b and the -w options cannot be specified on the same command line.


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005