Configuring auditing

Using auditlog to specify the name of the audit event log file

The auditing subsystem generates the name of the log file. It is always a seven-digit number containing a date stamp and a sequence number. The first four digits indicate the month and day the log file was created, while the last three digits are the sequence number. Thus, the audit event log file /var/audit/0415477 is a log file created on April 15, with a sequence number of 477.

The administrator may append up to seven characters to the system generated log file name. The additional characters are called the node name. The node name is set by the AUDIT_NODE parameter in the /etc/default/audit file. In the distributed system, there is no default value assigned to the AUDIT_NODE parameter.

You may also use the -p option of the auditlog(ADM) command to specify a node name. This option takes a character string as an argument and appends that string (the node name) to the audit event log file name. Appending a character string to the log file name is useful if you have several machines in a network, because it lets you identify the machines on which the logs were created.

If you have more than one machine generating audit event log files, it is recommended that you add the machine name or an abbreviation of it to the log file name.

For example, assume that you have three machines called beowulf, wiglaf, and unferth. Then, the command

auditlog -p beowulf

would add the string beowulf to the log file created in the /var/audit directory. In that case, the log file name would look like this:


The option string must contain no more than seven characters; if the string is longer than seven characters, auditlog(ADM) prints the following error message:

   event log node must be < 8 characters

In addition, the node name used as the argument to the -p option must not contain a slash. If it does, auditlog prints the following error message:

   event log node may not contain a slash

NOTE: The -p option of auditlog(ADM) can be used only when auditing is disabled. If it is used when auditing is enabled, an error message is printed.
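
When logs from several machines are collected in one place, the naming rules above (four date digits, three sequence digits, then an optional node name of at most seven characters with no slash) can be checked mechanically. The following is an added example, not part of the SCO documentation or the auditlog(ADM) command; the function names valid_node and parse_audit_name are hypothetical and the sample file names are constructed.

```shell
#!/bin/sh
# Added example: helper names and sample file names are constructed for
# illustration; only the naming rules come from the text above.

# valid_node NAME: succeed if NAME fits the limits stated for auditlog -p
# (no more than seven characters, no slash). Rejecting the empty string
# is an assumption of this example.
valid_node() {
    case "$1" in
        "" | */*) return 1 ;;
    esac
    [ "${#1}" -le 7 ]
}

# parse_audit_name PATH: print "month day sequence node" for an audit event
# log file name; node is "-" when no node name was appended.
# Returns non-zero for names that do not follow the documented layout.
parse_audit_name() {
    base=${1##*/}                       # strip the directory part
    case "$base" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9]*) ;;
        *) return 1 ;;
    esac
    node=${base#???????}                # whatever follows the seven digits
    digits=${base%"$node"}              # the seven digits themselves
    seq=${digits#????}                  # last three digits: sequence number
    mmdd=${digits%???}                  # first four digits: date stamp
    dd=${mmdd#??}
    mm=${mmdd%??}
    case "$mm" in 0[1-9] | 1[0-2]) ;; *) return 1 ;; esac
    case "$dd" in 0[1-9] | [12][0-9] | 3[01]) ;; *) return 1 ;; esac
    if [ -n "$node" ]; then
        valid_node "$node" || return 1  # over-long node: not an auditlog name
    fi
    printf '%s %s %s %s\n' "$mm" "$dd" "$seq" "${node:--}"
}

# Constructed sample names, as they might appear after gathering logs
# from several machines into one directory.
for f in /var/audit/0415477 /var/audit/0415477beowulf \
         /var/audit/0416002wiglaf /var/audit/1345001unferth; do
    parse_audit_name "$f" || echo "rejected: $f"
done
```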


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005