auditlog(1M) auditlog(1M)
NAME
auditlog - display or set audit log file attributes
SYNOPSIS
auditlog [-P path] [-p node] [-v high_water] [-x max_size]
[-s | -d | -A next_path [-a next_node] [-n pgm]
| -a next_node [-n pgm]]
DESCRIPTION
The auditlog shell level command allows the administrator with
the appropriate privileges to display and change audit log
file attributes. The privileges required are audit and
setplevel.
The log file attributes that may be displayed and modified are
the path to the event log file, a node name for the event log
file, the value for the high water mark of the audit
buffer(s), the maximum size of the event log file, the action
taken when the event log file is full, the next event log to be
used, a node name for the next event log file and the program
to be run when a log switch occurs. Additionally, the current
status of auditing and the action to be taken after an audit
error occurs are displayed. While auditing is enabled,
execution of this command will result in an audit record being
written to the event log file via the auditdmp system call.
Without any options or arguments, auditlog will display the
following information (Note: the default values are displayed
first):
    Current Status of Auditing:OFF | ON
    Current Event Log: /var/audit/MMDD### | [path]MMDD###[node]
    Current Audit Buffer High Water Mark:ADT_BSIZE bytes | high_water bytes
    Current Maximum File Size Setting:none | max_size blocks
    Action To Be Taken Upon Full Event Log:auditing disabled | system shutdown | log switch
    Action To Be Taken Upon Error:auditing disabled | system shutdown
    Next Event Log To Be Used:none | [next_path]MMDD###[next_node]
    Program to Run When Event Log Is Full:none | pgm
The system reverts to the default values when auditing is
stopped and subsequently restarted.
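Because the settings revert to their defaults when auditing is restarted, it is worth checking the display after each auditon. The following added example (not part of the original manual page) reads the display on standard input and reports every setting that is OFF or still at its default; it assumes the real output uses the "Label:value" layout shown above, and the sample displays, paths and finding texts are constructed.

```sh
#!/bin/sh
# Added example, not from the man page. Assumes the real display uses the
# "Label:value" layout shown above; the finding texts are this example's own.
audit_defaults() {
    # Reads `auditlog` output on stdin and prints one line per setting that
    # is OFF or still at its documented default.
    while IFS=: read -r key val; do
        key=${key#"${key%%[![:space:]]*}"}      # trim leading blanks
        val=${val#"${val%%[![:space:]]*}"}
        case "$key" in
        "Current Status of Auditing")
            [ "$val" = "ON" ] || echo "status: auditing is $val" ;;
        "Current Maximum File Size Setting")
            [ "$val" != "none" ] ||
                echo "max_size: none (log limited only by free space)" ;;
        "Action To Be Taken Upon Full Event Log")
            [ "$val" != "auditing disabled" ] ||
                echo "full log: auditing disabled (recording stops)" ;;
        "Next Event Log To Be Used")
            [ "$val" != "none" ] || echo "next log: none" ;;
        "Program to Run When Event Log Is Full")
            [ "$val" != "none" ] || echo "switch program: none" ;;
        esac
    done
}

# Constructed sample displays, not captured from a real system.
sample_default='Current Status of Auditing:ON
Current Event Log: /var/audit/1225001
Current Audit Buffer High Water Mark:20480 bytes
Current Maximum File Size Setting:none
Action To Be Taken Upon Full Event Log:auditing disabled
Action To Be Taken Upon Error:auditing disabled
Next Event Log To Be Used:none
Program to Run When Event Log Is Full:none'

# Constructed paths; /audit2 and archive_log are placeholders.
sample_tuned='Current Status of Auditing:ON
Current Event Log: /var/audit/1225001
Current Audit Buffer High Water Mark:0 bytes
Current Maximum File Size Setting:20000 blocks
Action To Be Taken Upon Full Event Log:log switch
Action To Be Taken Upon Error:system shutdown
Next Event Log To Be Used:/audit2/1225002
Program to Run When Event Log Is Full:/usr/local/bin/archive_log'

printf '%s\n' "$sample_default" | audit_defaults
```

On a live system the function would be fed directly, as in `auditlog | audit_defaults`.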
The auditlog command has the following options:
-P path The -P option specifies the absolute pathname
to the primary event log. If the path argument
is not a full pathname to an existing directory
or character special file, an error message is
printed (see DIAGNOSTICS). The -P option
cannot be specified while auditing is enabled.
If the argument to -P is a valid directory, the
next invocation of auditon will create a
regular file in the directory path, with a name
that includes the current month and day,
followed by a three digit sequence number (for
example, 1225001).
The valid range of sequence numbers is 001 to
999, and the default event log file to be used
is the regular file /var/audit/MMDD###.
-p node The -p option allows you to append an
additional seven characters to the system
generated event log file name. The -p option
cannot be specified while auditing is enabled,
and it is ignored if the event log is a
character special file. For example, the
command
auditlog -p abcdefg
creates the audit log file
/var/audit/MMDD###abcdefg. If the node is
larger than seven characters or if it contains
a slash, an error message is displayed (see
DIAGNOSTICS).
-v high_water The -v option specifies the high_water mark of
the audit buffer(s). The default setting is
equal to the audit buffer size (ADT_BSIZE).
The high_water mark must be either zero (0) or
a positive integer less than or equal to the
size of the audit buffer (ADT_BSIZE). If the
value is not valid, an error message is
displayed (see DIAGNOSTICS). The high_water
mark can be set while auditing is disabled or
can be set dynamically while auditing is
enabled to vary the frequency at which records
are written to the audit log file. A setting
of zero forces all audit records to be written
directly to the audit log file. When used with
the -w option of auditrpt, this allows the
administrator to monitor events as they occur.
-x max_size The -x option specifies the maximum file size,
in 512 byte blocks, for all event logs that are
regular files. If this option is used with
event logs that are not regular files, auditlog
prints a warning message (see DIAGNOSTICS) and
ignores the option.
max_size must be greater than or equal to the
size of the audit buffer tunable parameter
ADT_BSIZE. If the value of max_size is zero,
the size of the event log file is bounded by
the amount of available free space on the file
system. The default value of none implies a
max_size setting of zero.
-s The -s option specifies that the system will be
shut down when the event log is full. An event
log file is considered full when either a
regular file log reaches max_size, if
specified, or the file system that the log
resides in runs out of space, or a character
special file log (for example, tape) cannot
hold any more data. If this action is chosen
and the event log file becomes full, the system
will be shut down immediately.
-d The -d option specifies that auditing will be
disabled when the event log becomes full. An
event log file is considered full when either a
regular file log reaches max_size, if
specified, or the file system that the log
resides in runs out of space, or a character
special file log (for example, tape) cannot
hold any more data.
-A next_path The -A option indicates that a log switch is to
occur when the event log file becomes full and
specifies the absolute pathname to the
alternate event log. An event log file is
considered full when either a regular file log
reaches max_size, if specified, or the file
system that the log resides in runs out of
space, or a character special file log (for
example, tape) cannot hold any more data. If
the next_path argument is not a full pathname
to an existing directory or character special
device, an error message is printed (see
DIAGNOSTICS).
When the log full condition is met, and
next_path is a valid directory, the alternate
log file is created relative to next_path. The
filename format is the current month and day,
followed by a three digit sequence number (for
example, 1231002).
-a next_node The -a option allows you to append an
additional seven characters to the system
generated alternate event log file name. For
example, the command
auditlog -a abcdefg
will create the file /var/audit/MMDD###abcdefg
when a log switch occurs.
If the next_node is larger than seven
characters or if it contains a slash, an error
message is displayed (see DIAGNOSTICS). If the
alternate log file is a character special file,
this option is ignored.
-n pgm The -n option specifies either a shell file or
binary executable (pgm) that will be run when a
log switch occurs. The -n option may be used
only if an alternate log is specified. The
program will be invoked by init.
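The naming rules given under -P, -p, -A and -a can be applied when inventorying an audit directory. The following added example (not part of the original manual page) splits a file name of the form MMDD###[node] into its fields and rejects names that break those rules; the function name and the output format are this example's own, and the sample names are constructed.

```sh
#!/bin/sh
# Added example, not from the man page: parse an event log file name of the
# form MMDD###[node] and reject names that break the documented rules.
parse_event_log() {
    name=$1
    case "$name" in
    */*) return 1 ;;                             # bare file name only
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9]*) ;;     # MMDD### prefix present
    *) return 1 ;;
    esac
    node=${name#???????}          # whatever follows the 7 digit stamp
    stamp=${name%"$node"}
    mm=${stamp%?????}
    dd=${stamp#??}; dd=${dd%???}
    seq=${stamp#????}
    [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] || return 1
    [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] || return 1
    [ "$seq" -ge 1 ] || return 1                 # valid range is 001 to 999
    [ "${#node}" -le 7 ] || return 1             # node: at most 7 characters
    echo "month=$mm day=$dd seq=$seq node=${node:-none}"
}

# Constructed file names: two valid, three that the rules reject.
for f in 1225001abcdefg 1231002 1225001abcdefgh 1325001 1225000; do
    parse_event_log "$f" || echo "rejected: $f"
done
```

A rejected name in an audit directory is a file that auditon or a log switch would not have created under the rules above.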
DIAGNOSTICS
If successful, the auditlog command exits with a value of
zero. If there are errors, it exits with one of the following
values and prints the corresponding error message:
1 usage: auditlog . . .
Invalid command syntax.
1 invalid max_size value specified
Audit Log File Size Must be >=# (512 byte)blocks
1 invalid high water mark specified
Audit Buffer High Water Mark Must Be >= 0 or <=current
buffer size in bytes bytes
1 cannot open/access path or device path/device name
An invalid argument has been supplied to either the -P, -A
or -n option.
1 pathname component too long
1 event log node must be < 8 characters
1 event log node may not contain a slash
1 full pathname not specified
1 "program" is not a regular file
1 "program" is not an executable file
3 system service not installed
The audit package is not installed.
4 Permission denied
Failure because of insufficient privilege.
6 auditbuf() failed ABUFGET, errno= error
A failure occurred while retrieving the audit buffer
attributes.
7 auditbuf() failed ABUFSET, errno= error
A failure occurred while setting the audit buffer
attributes.
8 auditlog() failed ALOGGET, errno= error
A failure occurred while retrieving the audit log
attributes.
9 auditlog() failed ALOGSET, errno= error
A failure occurred while setting the audit log attributes.
12 auditctl() failed ASTATUS, errno= error
A failure occurred while retrieving the auditing status.
24 unable to allocate space
24 argvtostr() failed
34 "-option" option not allowed while auditing is enabled
The following warning or informational messages may be
printed:
max_size value applies only to regular files
This warning message is printed if you attempt to use the
-x option and the log file is a character special file.
cannot access /etc/default/audit
The system is unable to open the file that contains
information about the default behavior of the auditing
subsystem.
check the value of the default parameter in the /etc/default/audit file
The value of the default parameter in the
/etc/default/audit file did not pass validation tests.
FILES
/etc/default/audit
/etc/conf/mtune.d/audit
/etc/master.d/audit
/var/audit/MMDD###
REFERENCES
auditoff(1M), auditon(1M), auditrpt(1M), crash(1M), defadm(1M)
Copyright 1994 Novell, Inc.