auditlog(ADM)

Synopsis

Description

The log file attributes that may be displayed and modified are the path to the event log file, a node name for the event log file, the value for the high water mark of the audit buffer(s), the maximum size of the event log file, the action taken when event log file is full, the next event log to be used, a node name for the next event log file and the program to be run when a log switch occurs. Additionally, the current status of auditing and the action to be taken after an audit error occurs are displayed. While auditing is enabled, execution of this command will result in an audit record being written to the event log file via the auditdmp system call. Without any options or arguments, auditlog will display the following information (Note: the default values are displayed first):

Current Status of Auditing: OFF| ON
Current Event Log: /var/audit/MMDD###| [path]MMDD###[node]
Current Audit Buffer High Water Mark: ADT_BSIZE bytes| high_water bytes
Current Maximum File Size Setting: none| max_size blocks
Action To Be Taken Upon Full Event Log: auditing disabled|system shutdown|log switch
Action To Be Taken Upon Error: auditing disabled|system shutdown
Next Event Log To Be Used: none| [next_path]MMDD###[next_node]
Program to Run When Event Log Is Full: none| pgm

The system reverts to the default values when auditing is stopped and subsequently restarted.

The auditlog command has the following options:

-P path

The -P option specifies the absolute pathname to the primary event log. If the path argument is not a full pathname to an existing directory or character special file, an error message is printed (see ``Diagnostics''). The -P option cannot be specified while auditing is enabled.

If the argument to -P is a valid directory, the next invocation of auditon will create a regular file in the directory path, with a name that includes the current month and day, followed by a three digit sequence number (for example, 1225001).

The valid range of sequence numbers is 001 to 999, and the default event log file to be used is the regular file /var/audit/MMDD###.

-p node

The -p option allows you to append an additional seven characters to the system generated event log file name. The -p option cannot be specified while auditing is enabled, and it is ignored if the event log is a character special file. For example, the command

   auditlog -p abcdefg

creates the audit log file /var/audit/MMDD###abcdefg. If the node is larger than seven characters or if it contains a slash, an error message is displayed (see ``Diagnostics'').

-v high_water

The -v option specifies the high_water mark of the audit buffer(s). The default setting is equal to the audit buffer size (ADT_BSIZE). The high_water mark must be either zero (0) or a positive integer less than or equal to the size of the audit buffer (ADT_BSIZE). If the value is not valid, an error message is displayed (see ``Diagnostics''). The high_water mark can be set while auditing is disabled or can be set dynamically while auditing is enabled to vary the frequency at which records are written to the audit log file. A setting of zero forces all audit records to be written directly to the audit log file. When used with the -w of auditrpt, this allows the administrator to monitor events as they occur.

-x max_size

The -x option specifies the maximum file size, in 512 byte blocks, for all event logs that are regular files. If this option is used with event logs that are not regular files, auditlog prints a warning message (see ``Diagnostics'') and ignores the option.

max_size must be greater than or equal to the size of the audit buffer tunable parameter ADT_BSIZE. If the value of max_size is zero, the size of the event log file is bounded by the amount of available free space on the filesystem. The default value of none implies a max_size setting of zero.

-s

The -s option specifies that the system will be shut down when the event log is full. An event log file is considered full when either a regular file log reaches max_size, if specified, or the filesystem that the log resides in runs out of space, or a character special file log (for example, tape) cannot hold any more data. If this action is chosen and the event log file becomes full, the system will be shut down immediately.

-d

The -d option specifies that auditing will be disabled when the event log becomes full. An event log file is considered full when either a regular file log reaches max_size, if specified, or the filesystem that the log resides in runs out of space, or a character special file log (for example, tape) cannot hold any more data.

-A next_path

The -A option indicates that a log switch is to occur when the event log file becomes full and specifies the absolute pathname to the alternate event log. An event log file is considered full when either a regular file log reaches max_size, if specified, or the filesystem that the log resides in runs out of space, or a character special file log (for example, tape) cannot hold any more data. If the next_path argument is not a full pathname to an existing directory or character special device, an error message is printed (see ``Diagnostics'').

When the log full condition is met, and next_path is a valid directory, the alternate log file is created relative to next_path. The filename format is the current month and day, followed by a three digit sequence number (for example, 1231002).

-a next_node

The -a option allows you to append an additional seven characters to the system generated alternate event log file name. For example, the command

   auditlog -a abcdefg

will create the file /var/audit/MMDD###abcdefg when a log switch occurs.

If the next_node is larger than seven characters or if it contains a slash, an error message is displayed (see ``Diagnostics''). If the alternate log file is a character special file, this option is ignored.

-n pgm

The -n option specifies either a shell file or binary executable (pgm) that will be run when a log switch occurs. The -n option may be used only if an alternate log is specified. The program will be invoked by init.

Files

Diagnostics

1

usage: auditlog . . .

Invalid command syntax.

1

invalid max_size value specified
Audit Log File Size Must be >=# (512 byte)blocks

1

invalid high water mark specified
Audit Buffer High Water Mark Must Be >= 0 or <=current buffer size in bytes bytes

1

cannot open/access path or device path/device name

An invalid argument has been supplied to one of the -P, -A or -n options.

1

pathname component too long

1

event log node must be < 8 characters

1

event log node may not contain a slash

1

full pathname not specified

1

program is not a regular file

1

program is not an executable file

3

system service not installed

The audit package is not installed.

4

Permission denied

Failure because of insufficient privilege.

6

auditbuf() failed ABUFGET, errno= error

A failure occurred while retrieving the audit buffer attributes.

7

auditbuf() failed ABUFSET, errno= error

A failure occurred while setting the audit buffer attributes.

8

auditlog() failed ALOGGET, errno= error

A failure occurred while retrieving the audit log attributes.

9

auditlog() failed ALOGSET, errno= error

A failure occurred while setting the audit log attributes.

12

auditctl() failed ASTATUS, errno= error

A failure occurred while retrieving the auditing status.

24

unable to allocate space

24

argvtostr() failed

34

"-option" option not allowed while auditing is enabled

The following warning or informational messages may be printed:

max_size value applies only to regular files

This warning message is printed if you attempt to use the -x option and the log file is a character special file.

cannot access /etc/default/audit

The system is unable to open the file that contains information about the default behavior of the auditing subsystem.

check the value of the default parameter in the /etc/default/audit file

The value of the default parameter in the /etc/default/audit file did not pass validation tests.

Notes

Preserving Log Options on Alternate Logs:
If you enable auditing with the auditon(ADM) command, you may also specify log file options and an alternate log using the auditlog(ADM) command. Currently, the auditlog command does not pass file size and other options set on the original log file to the alternate log file. The following example shows you how to create a script that will be executed automatically on system startup and when an audit log switch occurs. This script sets options on the alternate log file and notifies root of the log switch. Notification is important, so that the administrator can archive old log files and prevent the file system used for audit logs from becoming full. Do the following as root:

1. Create a file named /var/audit/switchlog, with the following content:

      #!/bin/sh
      {
      date
      size=4000000
      dir=/var/audit
      /usr/sbin/auditlog -x $size -A $dir -n /var/audit/switchlog
      /usr/bin/mailx -s "/var/audit/switchlog: NOTICE: check
      /var/audit/switched.log" root
      } >>/var/audit/switched.log 2>&1
   

   The log size is given in blocks (about 2GB in this example), and the directory used is the default audit log directory. This can be adjusted as necessary. The diagnostic output of all commands (including the time of the switch) is written to the file /var/audit/switched.log, which can be checked by the administrator when the email sent by the script is received.

2. Create a file named /etc/rc1.d/S99switchlog, with the same options as used in the switchlog script, above:

      /usr/sbin/auditlog -x 4000000 -A /var/audit -n /var/audit/switchlog
   

3. Make sure /etc/rc1.d/S99switchlog is executable:

      chmod 755 /etc/rc1.d/S99switchlog
   

The /etc/rc1.d/S99switchlog script sets the audit log parameters as desired each time the system boots; since this includes running the var/audit/switchlog script on the next log switch, the desired audit log parameters will be set automatically on every successive log switch.

References