⇒ auditlog(1M) — UnixWare 2.01

       auditlog(1M)                                            auditlog(1M)


       NAME
             auditlog - display or set audit log file attributes

       SYNOPSIS
             auditlog [-P path] [-p node] [-v high_water] [-x max_size]
                   [-s | -d | -A next_path [-a next_node] [-n pgm]
                   | -a next_node [-n pgm]]

       DESCRIPTION
             The auditlog shell level command allows the administrator with
             the appropriate privileges to display and change audit log
             file attributes.  The privileges required are audit and
             setplevel.

             The log file attributes that may be displayed and modified are
             the path to the event log file, a node name for the event log
             file, the value for the high water mark of the audit
             buffer(s), the maximum size of the event log file, the action
             taken when the event log file is full, the next event log to
             be used, a node name for the next event log file and the
             program to be run when a log switch occurs.  Additionally, the
             current status of auditing and the action to be taken after an
             audit error occurs are displayed.

             While auditing is enabled, execution of this command will
             result in an audit record being written to the event log file
             via the auditdmp system call.

             Without any options or arguments, auditlog will display the
             following information (Note: the default values are displayed
             first):

             Current Status of Auditing: OFF | ON
             Current Event Log: /var/audit/MMDD### | [path]MMDD###[node]
             Current Audit Buffer High Water Mark: ADT_BSIZE bytes | high_water bytes
             Current Maximum File Size Setting: none | max_size blocks
             Action To Be Taken Upon Full Event Log: auditing disabled | system shutdown | log switch
             Action To Be Taken Upon Error: auditing disabled | system shutdown
             Next Event Log To Be Used: none | [next_path]MMDD###[next_node]
             Program to Run When Event Log Is Full: none | pgm

             The system reverts to the default values when auditing is
             stopped and subsequently restarted.

             The auditlog command has the following options:

             -P path        The -P option specifies the absolute pathname
                            to the primary event log.  If the path argument
                            is not a full pathname to an existing directory
                           or character special file, an error message is
                           printed (see DIAGNOSTICS).  The -P option
                           cannot be specified while auditing is enabled.

                           If the argument to -P is a valid directory, the
                           next invocation of auditon will create a
                           regular file in the directory path, with a name
                           that includes the current month and day,
                           followed by a three digit sequence number (for
                           example, 1225001).

                           The valid range of sequence numbers is 001 to
                           999, and the default event log file to be used
                           is the regular file /var/audit/MMDD###.

            -p node        The -p option allows you to append an
                           additional seven characters to the system
                           generated event log file name.  The -p option
                           cannot be specified while auditing is enabled,
                           and it is ignored if the event log is a
                           character special file.  For example, the
                           command

                                auditlog -p abcdefg

                           creates the audit log file
                           /var/audit/MMDD###abcdefg.  If the node is
                           larger than seven characters or if it contains
                           a slash, an error message is displayed (see
                           DIAGNOSTICS).

            -v high_water  The -v option specifies the high_water mark of
                           the audit buffer(s).  The default setting is
                           equal to the audit buffer size (ADT_BSIZE).
                           The high_water mark must be either zero (0) or
                           a positive integer less than or equal to the
                           size of the audit buffer (ADT_BSIZE).  If the
                           value is not valid, an error message is
                           displayed (see DIAGNOSTICS).  The high_water
                           mark can be set while auditing is disabled or
                           can be set dynamically while auditing is
                           enabled to vary the frequency at which records
                           are written to the audit log file.  A setting
                           of zero forces all audit records to be written
                           directly to the audit log file.  When used with
                           the -w option of auditrpt, this allows the
                           administrator to monitor events as they occur.


             -x max_size    The -x option specifies the maximum file size,
                            in 512 byte blocks, for all event logs that are
                            regular files.  If this option is used with
                            event logs that are not regular files, auditlog
                            prints a warning message (see DIAGNOSTICS) and
                            ignores the option.

                            max_size must be greater than or equal to the
                            size of the audit buffer tunable parameter
                            ADT_BSIZE.  If the value of max_size is zero,
                            the size of the event log file is bounded by
                            the amount of available free space on the file
                            system.  The default value of none implies a
                            max_size setting of zero.

             -s             The -s option specifies that the system will be
                            shut down when the event log is full.  An event
                            log file is considered full when either a
                            regular file log reaches max_size, if
                            specified, or the file system that the log
                            resides in runs out of space, or a character
                            special file log (for example, tape) cannot
                            hold any more data.  If this action is chosen
                            and the event log file becomes full, the system
                            will be shut down immediately.

             -d             The -d option specifies that auditing will be
                            disabled when the event log becomes full.  An
                            event log file is considered full when either a
                            regular file log reaches max_size, if
                            specified, or the file system that the log
                            resides in runs out of space, or a character
                            special file log (for example, tape) cannot
                            hold any more data.

             -A next_path   The -A option indicates that a log switch is to
                            occur when the event log file becomes full and
                            specifies the absolute pathname to the
                            alternate event log.  An event log file is
                            considered full when either a regular file log
                            reaches max_size, if specified, or the file
                            system that the log resides in runs out of
                            space, or a character special file log (for
                            example, tape) cannot hold any more data.  If
                            the next_path argument is not a full pathname
                            to an existing directory or character special
                           device, an error message is printed (see
                           DIAGNOSTICS).

                           When the log full condition is met, and
                           next_path is a valid directory, the alternate
                           log file is created relative to next_path.  The
                           filename format is the current month and day,
                           followed by a three digit sequence number (for
                           example, 1231002).

            -a next_node   The -a option allows you to append an
                           additional seven characters to the system
                           generated alternate event log file name.  For
                           example, the command
                                auditlog -a abcdefg

                           will create the file /var/audit/MMDD###abcdefg
                           when a log switch occurs.

                           If the next_node is larger than seven
                           characters or if it contains a slash, an error
                           message is displayed (see DIAGNOSTICS).  If the
                           alternate log file is a character special file,
                           this option is ignored.

            -n pgm         The -n option specifies either a shell file or
                           binary executable (pgm) that will be run when a
                           log switch occurs.  The -n option may be used
                           only if an alternate log is specified.  The
                           program will be invoked by init.
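
An added example, not part of the UnixWare manual: a POSIX sh pre-flight check that applies the argument rules described above (node suffix, high water mark range, and the mutually exclusive -s / -d / -A full-log actions) and prints the resulting auditlog command instead of running it. The function names and the policy keywords shutdown, disable and switch are assumptions made for this example; ADT_BSIZE is a tunable, so its value is passed in by the caller.

```shell
#!/bin/sh
# Added example: validate arguments against the rules on this man page and
# print (not run) the matching auditlog command. Function names are made up.

# Node suffix: fewer than 8 characters, no slash.
check_node() {
    case $1 in
        */*) echo "event log node may not contain a slash" >&2; return 1 ;;
    esac
    [ "${#1}" -lt 8 ] || { echo "event log node must be < 8 characters" >&2; return 1; }
}

# High water mark: integer with 0 <= value <= ADT_BSIZE (second argument;
# the caller supplies the ADT_BSIZE value, which is an assumption here).
check_high_water() {
    case $1 in
        ''|*[!0-9]*) echo "invalid high water mark specified" >&2; return 1 ;;
    esac
    [ "$1" -le "$2" ] || { echo "invalid high water mark specified" >&2; return 1; }
}

# auditlog_cmd POLICY [NEXT_PATH [NEXT_NODE [PGM]]]
# POLICY: shutdown (-s), disable (-d) or switch (-A ...), mutually exclusive.
auditlog_cmd() {
    policy=$1 next_path=$2 next_node=$3 pgm=$4
    case $policy in
        shutdown|disable)
            # -a and -n belong to the log-switch form only.
            [ -z "$next_path$next_node$pgm" ] || {
                echo "alternate log options need the switch policy" >&2; return 1; }
            [ "$policy" = shutdown ] && echo "auditlog -s" || echo "auditlog -d" ;;
        switch)
            case $next_path in
                /*) ;;
                *) echo "full pathname not specified" >&2; return 1 ;;
            esac
            cmd="auditlog -A $next_path"
            if [ -n "$next_node" ]; then
                check_node "$next_node" || return 1
                cmd="$cmd -a $next_node"
            fi
            [ -z "$pgm" ] || cmd="$cmd -n $pgm"
            echo "$cmd" ;;
        *) echo "unknown policy: $policy" >&2; return 1 ;;
    esac
}
```

The choice of policy is the security-relevant setting: shutdown stops the system rather than run unaudited, disable keeps the system running without an audit trail, and switch keeps both as long as the alternate log has room.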

      DIAGNOSTICS
            If successful, the auditlog command exits with a value of
            zero.  If there are errors, it exits with one of the following
            values and prints the corresponding error message:

            1   usage: auditlog . . .

                Invalid command syntax.

            1   invalid max_size value specified
                Audit Log File Size Must be >=# (512 byte)blocks

            1   invalid high water mark specified
                Audit Buffer High Water Mark Must Be >= 0 or <=current
                buffer size in bytes bytes


             1   cannot open/access path or device path/device name

                 An invalid argument has been supplied to either the -P, -A
                 or -n option.

             1   pathname component too long

             1   event log node must be < 8 characters

             1   event log node may not contain a slash

             1   full pathname not specified

             1   "program" is not a regular file

             1   "program" is not an executable file

             3   system service not installed

                 The audit package is not installed.

             4   Permission denied

                 Failure because of insufficient privilege.

             6   auditbuf() failed ABUFGET, errno= error

                 A failure occurred while retrieving the audit buffer
                 attributes.

             7   auditbuf() failed ABUFSET, errno= error

                 A failure occurred while setting the audit buffer
                 attributes.

             8   auditlog() failed ALOGGET, errno= error

                 A failure occurred while retrieving the audit log
                 attributes.

             9   auditlog() failed ALOGSET, errno= error

                 A failure occurred while setting the audit log attributes.

            12  auditctl() failed ASTATUS, errno= error

                A failure occurred while retrieving the auditing status.

            24  unable to allocate space

            24  argvtostr() failed

            34  "-option" option not allowed while auditing is enabled

            The following warning or informational messages may be
            printed:

            max_size value applies only to regular files

                 This warning message is printed if you attempt to use the
                 -x option and the log file is a character special file.

            cannot access /etc/default/audit

                 The system is unable to open the file that contains
                 information about the default behavior of the auditing
                 subsystem.

            check the value of the default parameter in the
            /etc/default/audit file

                 The value of the default parameter in the
                 /etc/default/audit file did not pass validation tests.

      FILES
            /etc/default/audit
            /etc/conf/mtune.d/audit
            /etc/master.d/audit
            /var/audit/MMDD###

      REFERENCES
            auditoff(1M), auditon(1M), auditrpt(1M), crash(1M), defadm(1M)








                          Copyright 1994 Novell, Inc.               Page 6







