Removes records from the audit log.
```
rmaudrec [-a | -n node_name1[,node_name2]...] [-S subsystem_name]
         -s selection_string [-h] [-V]
```
The rmaudrec command is used to delete records in the audit log. The audit log is a facility for recording information about the system's operation. It can include information about the normal operation of the system as well as failures and other errors. It augments the error log functionality by conveying the relationship of the error relative to other system activities. All detailed information about failures is still written to the AIX® error log.
Records are created in the audit log by subsystems that have been instrumented to do that. For example, the event response subsystem runs in the background to monitor administrator-defined conditions and then invokes one or more actions when a condition becomes true. Because this subsystem runs in the background, it is difficult for the operator or administrator to understand the total set of events that occurred and the results of any actions that were taken in response to an event. Because the event response subsystem records its activity in the audit log, the administrator can easily view its activity as well as that of other subsystems. In addition, records may sometimes need to be removed explicitly, which can be done using this command.
Each record in the audit log contains named fields. Each field contains a value that provides information about the situation corresponding to the record. For example, the field named Time indicates the time at which the situation occurred. Each record has a set of common fields and a set of subsystem-specific fields. The common fields are present in every record in the audit log. The subsystem-specific fields vary from record to record. Their names are only significant when used with a subsystem name because they may not be unique across all subsystems. Each record is derived from a template that defines which subsystem-specific fields are present in the record and defines a format string that is used to generate a message describing the situation. The format string may use record fields as inserts. A subsystem typically has many templates.
The field names can be used as variables in a selection string to choose which records are deleted. The selection string is evaluated against each record, with the fields it references taking their values from that record, and every record for which the expression is true is removed. The selection string is specified with the -s flag.
A selection string is an expression composed of field names, constants, and operators. The syntax of a selection string is very similar to an expression in the C programming language. For information on how to specify selection strings, see the Administering RSCT guide.
| Field | Description |
|---|---|
| Time | Specifies the time when the situation occurred that the record corresponds to. The value is a 64-bit integer and represents the number of microseconds since the Unix Epoch (00:00:00 GMT, January 1, 1970). See the constants below for specifying the time in more user-friendly formats. |
| Subsystem | Specifies the subsystem that generated the record. This is a string. |
| Category | Indicates the importance of the situation corresponding to the audit record, as determined by the subsystem that generated the record. The valid values are: 0 (informational) and 1 (error). |
| SequenceNumber | Specifies the unique 64-bit integer that is assigned to the record. No other record in the audit log will have the same sequence number. |
| TemplateId | Specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string. This value is a 32-bit unsigned integer. |
| NodeName | Specifies the name of the node from which the record was obtained. This field name cannot be used in a selection string. |
The audit records considered for deletion and matched against the selection string can be restricted to a specific subsystem by using the -S flag. If this flag is specified, the subsystem-specific field names can be used in the selection string in addition to the common field names.
The nodes from which audit log records are considered for deletion can be restricted to a set of specific nodes by using the -n flag. If this flag is specified, the search will be limited to the set of nodes listed. Otherwise, the search will be performed for all nodes defined within the current management scope as determined by the CT_MANAGEMENT_SCOPE environment variable.
It is advisable to first use the lsaudrec command with the same -s and -n flag values to list the records that will be deleted. This minimizes the possibility of the selection string matching more records than intended.
For backward compatibility, the subsystem name can be specified using the -n flag only if the -a and the -S flags are not specified.
The names of fields within the record can be used in the selection string given with the -s flag. If the -S flag is not specified, only the names of common fields can be used. See the Description for a list of the common field names and their data types. If the -S flag is specified, the name of any field for the specified subsystem as well as the common field names can be used.
If the -s flag is not specified, no records will be removed from the audit log.
In order to remove records from an audit log when the -S flag is omitted, a user must have write access to the target resource class on each node from which records are to be removed. When the -S flag is specified, the user must have write access to the audit log resource corresponding to the subsystem identified by the -S flag on each node from which records are to be removed.
Authorization is controlled by the RMC access control list (ACL) file that exists on each node.
If the CT_MANAGEMENT_SCOPE environment variable is not set, local scope is used.
This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX.
When the -h flag is specified, this command's usage statement is written to standard output.
If the -V flag is specified and the command completes successfully, a message indicating the number of records that were deleted will be written to standard error.
```
rmaudrec -s "Time > 0"
```
or
```
rmaudrec -s "SequenceNumber >= 0"
```
```
rmaudrec -s "Time < #-0007"
```
```
rmaudrec -S abc -s "Time < #-0001" -n mynode,yournode
```
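The description above recommends running lsaudrec with the same -s and -n values before rmaudrec, so that an over-broad selection string is caught before any records are deleted. The following POSIX sh wrapper is an added example and is not part of the RSCT documentation or the rmaudrec command itself: it builds one argument list, previews the match with lsaudrec, refuses to continue when nothing matches, and only then calls rmaudrec -V with the identical filters. It assumes that lsaudrec prints one matching record per line with no header, that both commands are on PATH, and it honours a hypothetical RMAUDREC_DRY_RUN variable for rehearsing the deletion.

```shell
#!/bin/sh
# Added example (not RSCT's own code): preview with lsaudrec, then remove
# with rmaudrec using exactly the same -s / -S / -n filters.
#
# Assumptions: lsaudrec prints one matching record per line and no header;
# lsaudrec and rmaudrec are on PATH; RMAUDREC_DRY_RUN=1 (hypothetical,
# defined only by this script) skips the actual removal.
#
# Usage: safe_rmaudrec SELECTION_STRING [SUBSYSTEM] [NODE1,NODE2,...]
# Exit status: 0 records removed (or dry run), 2 nothing matched,
#              1 usage error or lsaudrec failure.

safe_rmaudrec() {
    sel=$1
    subsys=$2
    nodes=$3
    if [ -z "$sel" ]; then
        echo "safe_rmaudrec: a selection string (-s) is required" >&2
        return 1
    fi

    # Build a single argument list so the listing and the removal use
    # identical filters; "$@" keeps the spaces inside the selection string.
    set -- -s "$sel"
    if [ -n "$subsys" ]; then set -- "$@" -S "$subsys"; fi
    if [ -n "$nodes" ];  then set -- "$@" -n "$nodes"; fi

    # Preview: list what would be deleted before touching the audit log.
    # A failing lsaudrec is reported rather than mistaken for "no match".
    if ! out=$(lsaudrec "$@"); then
        echo "safe_rmaudrec: lsaudrec failed; nothing removed" >&2
        return 1
    fi
    if [ -z "$out" ]; then
        echo "safe_rmaudrec: no records match '$sel'; nothing removed" >&2
        return 2
    fi
    count=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
    echo "safe_rmaudrec: $count record(s) match '$sel'" >&2

    if [ "${RMAUDREC_DRY_RUN:-0}" = 1 ]; then
        echo "safe_rmaudrec: dry run, would execute: rmaudrec -V $*" >&2
        return 0
    fi

    # -V makes rmaudrec report the number of deleted records on stderr.
    rmaudrec -V "$@"
}
```

Restricting the selection to a subsystem (-S) or to named nodes (-n) narrows both the preview and the removal at the same time, because the same "$@" list is passed to both commands; the wrapper never rebuilds the filter between the two calls.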