audisp(1M) audisp(1M)
NAME [Toc] [Back]
audisp - display the audit information as requested by the parameters
SYNOPSIS [Toc] [Back]
audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid]
[-t start_time] [-s stop_time] [-y2|-y4] audit_filename ...
DESCRIPTION [Toc] [Back]
audisp analyzes and displays the audit information contained in the
specified audit_filename audit files. The audit files are merged into
a single audit trail in time order. Although the entire audit trail
is analyzed, audisp allows you to limit the information displayed, by
specifying options. This command is restricted to privileged users.
Any unspecified option is interpreted as an unrestricted
specification. For example, a missing -u username option causes all
users' audit information in the audit trail to be displayed as long as
it satisfies all other specified options. By the same principle,
citing -t start_time without -s stop_time displays all audit
information beginning from start_time to the end of the file.
audisp without any options displays all recorded information from the
start of the audit file to the end.
Specifying an option without its required parameter results in error.
For example, specifying -e without any eventname returns with an error
message.
Options [Toc] [Back]
-u username Specify the login name (username) about whom to display
information. If no (username) is specified, audisp
displays audit information about all users in the audit
file.
-e eventname Display audit information of the specified event types.
The defined event types are admin, close, create,
delete, ipcclose, ipccreat, ipcdgram, ipcopen, login,
modaccess, moddac, open, process, readdac, removable,
uevent1, uevent2, and uevent3 (see audevent(1M)).
-c syscall Display audit information about the specified system
calls.
-p Display only successful operations that were recorded
in the audit trail. No user event that results in a
failure is displayed, even if username and eventname
are specified.
The -p and the -f options are mutually exclusive; do
not specify both on the same command line. To display
both successful and failed operations, omit both -p and
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
audisp(1M) audisp(1M)
-f options.
-f Display only failed operations that are recorded in the
audit trail.
-l ttyid Display all operations that occurred on the specified
terminal (ttyid) and were recorded in the audit trail.
By default, operations on all terminals are displayed.
-t start_time Display all audited operations occurring since
start_time, specified as mmddhhmm[yy] (month, day,
hour, minute, year). If the year is specified and is
greater than 70, it is interpreted as in the twentieth
century. Otherwise, it is interpreted as in the
twenty-first century. If no year is given, the current
year is used. No operation in the audit trail
occurring before the specified time is displayed.
-s stop_time Display all audited operations occurring before
stop_time, specified as mmddhhmm[yy] (month, day, hour,
minute, year). If the year is specified and is greater
than 70, it is interpreted as in the twentieth century.
Otherwise, it is interpreted as in the twenty-first
century. If no year is given, the current year is
used. No operation in the audit trail occurring after
the specified time is displayed.
-y2|-y4 The year is displayed as a two digit number (with -y2),
or as a four digit number (with -y4). The default is
-y2. Note that start_time and stop_time must still be
specified as two digit numbers.
AUTHOR [Toc] [Back]
audisp was developed by HP.
SEE ALSO [Toc] [Back]
audevent(1M), audit(4), audit(5).
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003 [ Back ] |
