lsaudrec Command

Purpose

Lists records from the audit log.

Syntax

lsaudrec [-l] [-a-n node_name1[,node_name2]...] [-S subsystem_name]
[-s selection_string] [-x] [-h] [ field_name1 [field_name2...] ]

Description

The lsaudrec command is used to list records in the audit log. The audit log is a facility for recording information about the system's operation. It can include information about the normal operation of the system as well as failures and other errors. It augments the error log functionality by conveying the relationship of the error relative to other system activities. All detailed information about failures is still written to the AIX® error log.

Records are created in the audit log by subsystems that have been instrumented to do that. For example, the event response subsystem runs in the background to monitor administrator-defined conditions and then invokes one or more actions when a condition becomes true. Because this subsystem runs in the background, it is difficult for the operator or administrator to understand the total set of events that occurred and the results of any actions that were taken in response to an event. Because the event response subsystem records its activity in the audit log, the administrator can easily view its activity as well as that of other subsystems using this command.

Each record in the audit log contains named fields. Each field contains a value that provides information about the situation corresponding to the record. For example, the field named Time indicates the time at which the situation occurred. Each record has a set of common fields and a set of subsystem-specific fields. The common fields are present in every record in the audit log. The subsystem-specific fields vary from record to record. Their names are only significant when used with a subsystem name because they may not be unique across all subsystems. Each record is derived from a template that defines which subsystem-specific fields are present in the record and defines a format string that is used to generate a message describing the situation. The format string may use record fields as inserts. A subsystem typically has many templates.

The field names can be used as variables in a selection string to choose which records are displayed. A selection string is an expression that is made up of field names, constants, and operators. The syntax of a selection string is similar to an expression in the C programming language or the SQL "where" clause. The selection string is matched against each record using the referenced fields of each record to perform the match. Any records that match are displayed. The selection string is specified with the -s flag. For information on how to specify selection strings, see the Administering RSCT guide.

You can also specify field names as parameters to this command to choose which fields are displayed and the order in which they are displayed. The common field names are:
Field Description
Time The time when the situation occurred that the record corresponds to. The value is a 64-bit integer and represents the number of microseconds since UNIX Epoch (00:00:00 GMT January 1, 1970). See the constants below for specifying the time in more user-friendly formats.
Subsystem The subsystem that generated the record. This is a string.
Category Indicates the importance of the situation corresponding to the audit record, as determined by the subsystem that generated the record. The valid values are: 0 (informational) and 1 (error).
SequenceNumber The unique 64-bit integer that is assigned to the record. No other record in the audit log will have the same sequence number.
TemplateId The subsystem-dependent identifier that is assigned to records that have the same content and format string. This value is a 32-bit unsigned integer.
NodeName The name of the node from which the record was obtained. This field name cannot be used in a selection string.
In addition to the constants in expressions, you can use the following syntax for dates and times with this command:
#mmddhhmmyyyy
This format consists of a sequence of decimal characters that are interpreted according to the pattern shown. The fields in the pattern are, from left to right: mm = month, dd = day, hh = hour, mm = minutes, yyyy = year. For example, #010523042004 corresponds to January 5, 11:04 PM, 2004. The fields can be omitted from right to left. If not present, the following defaults are used: year = the current year, minutes = 0, hour = 0, day = 1, and month = the current month.
#-mmddhhmmyyyy
This format is similar to the previous one, but is relative to the current time and date. For example, the value #-0001 corresponds to one day ago and the value #-010001 corresponds to one month and one hour ago. Fields can be omitted starting from the right and are replaced by 0.

The audit records considered for display and matched against the selection string can be restricted to a specific subsystem by using the -S flag. If this flag is specified, the subsystem-specific field names can be used in the selection string in addition to the common field names.

The nodes from which audit log records are considered for display and matched against the selection string can be restricted to a set of specific nodes by using the -n flag. If this flag is specified, the search is limited to the set of nodes listed. Otherwise, the search is performed for all nodes defined within the current management scope, as determined by the CT_MANAGEMENT_SCOPE environment variable.

The audit records are displayed in a table. Field names specified as parameters control which fields are displayed and the order in which they appear on each line. By default, the columns displayed are: the date and time, the subsystem name that generated the record, the severity of the situation, and the subsystem-specific message that describes the situation. If the management scope is not local, the node name is displayed in the first column.

Flags

-l
Indicates that long output should be produced. Long output includes subsystem-specific fields that are not included in the formatted message text.
-a
Specifies that records from all nodes in the domain are to be displayed. If both the -n and the -a flags are omitted, records from the local node only are displayed.
-n node_name1[,node_name2]...
Specifies the list of nodes containing audit log records that will be examined and displayed if they meet the other criteria, such as matching the specified selection string. Node group names can also be specified, which are expanded into a list of node names. If both the -n and the -a flags are omitted, records from the local node only are displayed.
-S subsystem_name
Specifies a subsystem name. If this flag is present, only records identified by subsystem_name are considered for display. The records displayed can be further restricted by the -s flag. If the subsystem name contains any spaces, it must be enclosed in single or double quotation marks.

For backward compatibility, the subsystem name can be specified using the -n flag only if the -a and the -S flags are not specified.

-s selection_string
Specifies a selection string. This string is evaluated against each record in the audit log. All records that match the selection string will be displayed. If the selection string contains any spaces, it must be enclosed in single or double quotation marks. For information on how to specify selection strings, see the Administering RSCT guide.

The names of fields in the record can be used in the expression. If the -S flag is not specified, only the names of common fields can be used. See the Description for a list of the common field names and their data types. If the -S flag is specified, the name of any field for the specified subsystem as well as the common field names can be used.

If this flag is omitted, the records that are displayed will depend on the -S flag. If the -S flag is omitted, all records from the audit log are displayed. Otherwise, all records for the subsystem identified by the -S flag are displayed.

-x
Excludes the header (suppresses header printing).
-h
Writes the command's usage statement to standard output.

Parameters

field_name1 [field_name2...]
Specifies one or more fields in the audit log records to be displayed. The order of the field names on the command line corresponds to the order in which they are displayed. If no field names are specified, Time, Subsystem, Severity, and Message are displayed by default. If the management scope is not local, NodeName is displayed as the first column by default. See the Description for information about these and other fields.

Security

In order to list records from an audit log when the -S flag is omitted, you must have read access to the target resource class on each node from which records are to be listed. When the -S flag is specified, you must have read access to the audit log resource corresponding to the subsystem identified by the -S flag on each node from which records are to be listed.

Authorization is controlled by the RMC access control list (ACL) file that exists on each node.

Exit Status

0
The command ran successfully.
1
An error occurred with RMC.
2
An error occurred with a command-line interface script.
3
An incorrect flag was entered on the command line.
4
An incorrect parameter was entered on the command line.
5
An error occurred that was based on incorrect command-line input.

Environment Variables

CT_CONTACT
Determines the system where the session with the resource monitoring and control (RMC) daemon is established. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the resource classes or resources that can be affected by this command.
CT_IP_AUTHENT
When the CT_IP_AUTHENT environment variable exists, the RMC daemon uses IP-based network authentication to contact the RMC daemon on the system that is specified by the IP address to which the CT_CONTACT environment variable is set. CT_IP_AUTHENT only has meaning if CT_CONTACT is set to an IP address; it does not rely on the domain name system (DNS) service.
CT_MANAGEMENT_SCOPE
Determines (in conjunction with the -a and -n flags) the management scope that is used for the session with the RMC daemon. The management scope determines the set of possible target nodes where audit log records can be listed. If the -a and -n flags are not specified, local scope is used. When either of these flags is specified, CT_MANAGEMENT_SCOPE is used to determine the management scope directly. The valid values are:
0
Specifies local scope.
1
Specifies local scope.
2
Specifies peer domain scope.
3
Specifies management domain scope.

If this environment variable is not set, local scope is used.

Implementation Specifics

This command is part of the Reliable Scalable Cluster Technology (RSCT) fileset for AIX®.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output.

Examples

  1. To list all records in the audit log on every node in the current management scope as determined by the CT_MANAGMENT_SCOPE environment variable, enter:
    lsaudrec
  2. To list all records that were logged in the last hour on every node in the current management scope as determined by the CT_MANAGMENT_SCOPE environment variable, enter:
    lsaudrec -s "Time > #-000001"
  3. To list the time and sequence number of every record in the audit log for the subsystem abc on nodes mynode and yournode, enter:
    lsaudrec -n mynode,yournode -S abc Time SequenceNumber
  4. To list the records that are generated by the event-response resource manager (ERRM), enter:
    lsaudrec -SERRM
  5. To list the records that are related to a condition called Condition1, enter:
    lsaudrec -SERRM -s"ConditionName=='Condition1'"
  6. To list the records that are related to an event from Condition1, enter:
    lsaudrec -SERRM -s"ConditionName=='Condition1' && Etype==91"
  7. To list the records that are related to a rearm event from Condition1, enter:
    lsaudrec -SERRM -s"ConditionName=='Condition1' && Etype==92"
  8. To list the sensor resource manager records in the audit log on the local node, enter:
    lsaudrec -SSSRM
    The output will look like this:
     
    Time                 Subsystem   Category    Description
    11/10/05 21:52:32    SSRM        Error       The Command /SENSOR/sensor.ksh 1 
                                                 in Sensor SENSOR_NOUSER_1 execution fails.
    11/10/05 21:52:36    SSRM        Error       The Command /SENSOR/sensor.nocmd 1 in Sensor 
                                                 SENSOR_NOCMD_1 exits with error 127.
     
  9. To list, in long format, the sensor resource manager records in the audit log on the local node, enter:
    lsaudrec -l -SSSRM
    The output will look like this:
     
    Time        = 11/10/05 21:52:32 243097
    Subsystem   = SSRM
    Category    = Error
    Description = The Command /SENSOR/sensor.ksh 1 in Sensor SENSOR_NOUSER_1 execution fails.
    ErrorMsg    = 2645-202 The user name "guest" that was specified for running the command does not exist.
    
    Time        = 11/10/05 21:52:36 361726
    Subsystem   = SSRM
    Category    = Error
    Description = The Command /SENSOR/sensor.nocmd 1 in Sensor SENSOR_NOCMD_1 exits with error 127.
    StandardOut =
    StandardErr = ksh: /u/diane/drmc/scripts/SENSOR/sensor.nocmd:  not found
     
  10. To list error records only, enter:
    lsaudrec -s"Category=1"

Location

/usr/sbin/rsct/bin/lsaudrec