The log file attributes that may be displayed and modified are
the path to the event log file,
a node name for the event log file,
the value for the high water mark of the audit buffer(s),
the maximum size of the event log file,
the action taken when event log file is full, the next event log to be used,
a node name for the next event log file
and the program to be run when a log switch occurs.
Additionally, the current status of auditing
and the action to be taken after an audit error occurs are displayed.
While auditing is enabled, execution of this command will result
in an audit record being written to the event log file
via the auditdmp system call.
Without any options or arguments, auditlog
will display the following information
(Note: the default values are displayed first):
Current Status of Auditing: OFF| ON
Current Event Log: /var/audit/MMDD###| [path]MMDD###[node]
Current Audit Buffer High Water Mark: ADT_BSIZE bytes| high_water bytes
Current Maximum File Size Setting: none| max_size blocks
Action To Be Taken Upon Full Event Log: auditing disabled|system shutdown|log switch
Action To Be Taken Upon Error: auditing disabled|system shutdown
Next Event Log To Be Used: none| [next_path]MMDD###[next_node]
Program to Run When Event Log Is Full: none| pgm
The system reverts to the default values when auditing is stopped and subsequently restarted.
The auditlog command has the following options:
If the argument to -P is a valid directory, the next invocation of auditon will create a regular file in the directory path, with a name that includes the current month and day, followed by a three digit sequence number (for example, 1225001).
The valid range of sequence numbers is 001 to 999, and the default event log file to be used is the regular file /var/audit/MMDD###.
auditlog -p abcdefg
creates the audit log file /var/audit/MMDD###abcdefg. If the node is larger than seven characters or if it contains a slash, an error message is displayed (see ``Diagnostics'').
max_size must be greater than or equal to the size of the audit buffer tunable parameter ADT_BSIZE. If the value of max_size is zero, the size of the event log file is bounded by the amount of available free space on the filesystem. The default value of none implies a max_size setting of zero.
When the log full condition is met, and next_path is a valid directory, the alternate log file is created relative to next_path. The filename format is the current month and day, followed by a three digit sequence number (for example, 1231002).
auditlog -a abcdefg
will create the file /var/audit/MMDD###abcdefg when a log switch occurs.
If the next_node is larger than seven characters or if it contains a slash, an error message is displayed (see ``Diagnostics''). If the alternate log file is a character special file, this option is ignored.
usage: auditlog . . .
Invalid command syntax.
invalid max_size value specified
Audit Log File Size Must be >=# (512 byte)blocks
invalid high water mark specified
Audit Buffer High Water Mark Must Be >= 0 or <=
current buffer size in bytes bytes
cannot open/access path or device
path/device name
An invalid argument has been supplied to one of the -P, -A or -n options.
pathname component too long
event log node must be < 8 characters
event log node may not contain a slash
full pathname not specified
is not a regular file
is not an executable file
system service not installed
The audit package is not installed.
Permission denied
Failure because of insufficient privilege.
auditbuf() failed ABUFGET, errno=
error
A failure occurred while retrieving the audit buffer attributes.
auditbuf() failed ABUFSET, errno=
error
A failure occurred while setting the audit buffer attributes.
auditlog() failed ALOGGET, errno=
error
A failure occurred while retrieving the audit log attributes.
auditlog() failed ALOGSET, errno=
error
A failure occurred while setting the audit log attributes.
auditctl() failed ASTATUS, errno=
error
A failure occurred while retrieving the auditing status.
unable to allocate space
argvtostr() failed
option not allowed while auditing is enabled
The following warning or informational messages may be printed:
max_size value applies only to regular files
cannot access /etc/default/audit
check the value of the
default parameter in the /etc/default/audit file
Preserving Log Options on Alternate Logs:
If you enable auditing with the
auditon(ADM)
command, you may also specify log file options and an alternate log
using the
auditlog(ADM)
command.
Currently, the auditlog command does not pass file size and
other options set on the original log file to the alternate log file.
The following example shows you how to create a script that will be
executed automatically on system startup and when an audit log switch occurs.
This script sets options on the alternate log file and notifies root
of the log switch.
Notification is important, so that the administrator can archive old
log files and prevent the file system used for audit logs from becoming full.
Do the following as root:
#!/bin/sh { date size=4000000 dir=/var/audit /usr/sbin/auditlog -x $size -A $dir -n /var/audit/switchlog /usr/bin/mailx -s "/var/audit/switchlog: NOTICE: check /var/audit/switched.log" root } >>/var/audit/switched.log 2>&1
The log size is given in blocks (about 2GB in this example), and the directory used is the default audit log directory. This can be adjusted as necessary. The diagnostic output of all commands (including the time of the switch) is written to the file /var/audit/switched.log, which can be checked by the administrator when the email sent by the script is received.
/usr/sbin/auditlog -x 4000000 -A /var/audit -n /var/audit/switchlog
chmod 755 /etc/rc1.d/S99switchlog
The /etc/rc1.d/S99switchlog script sets the audit log parameters as desired each time the system boots; since this includes running the var/audit/switchlog script on the next log switch, the desired audit log parameters will be set automatically on every successive log switch.