
Commands Reference, Volume 3


lsaudrec Command

Purpose

Lists records from the audit log.

Syntax

lsaudrec [ -h ] [ -n "Subsystem Name" ] [ -s "Selection_String" ] [ -x ] [ FieldName... ]

Description

The lsaudrec command lists records in the audit log. The audit log is a system-wide facility for recording information about the system's operation. It can include information about the normal operation of the system as well as failures and other errors. It is meant to augment error log functionality by conveying the relationship of the error relative to other system activities. All detailed information about failures is still written to the error log.

Note: This command must be executed on the machine whose audit log is to be listed.

Records are created in the audit log by subsystems that have been instrumented to do that. For example, the Event Response subsystem runs in the background to monitor conditions defined by the administrator and then invokes one or more actions when a condition becomes true. Because this subsystem runs in the background, it is difficult for the operator or administrator to understand the total set of events that occurred and the results of any actions that were taken in response to an event. Because the Event Response subsystem records its activity in the audit log, the administrator can view Event Response subsystem activity as well as that of other subsystems through this command.

Each record in the audit log contains named fields. Each field contains a value that provides information about the situation corresponding to the record. For example, the Time field indicates when the situation occurred. Each record has a set of common fields and a set of subsystem-specific fields. The common fields are present in every record in the audit log. The subsystem-specific fields vary from record to record. Their names are only significant when used with a subsystem name because they may not be unique across all subsystems. Each record is derived from a template that defines what subsystem-specific fields are present in the record and defines a format string that is used to generate a message describing the situation. The format string may use record fields as inserts. A subsystem typically has many templates.

The field names may be used as variables in a selection string to choose which records are displayed. The selection string is matched against each record by using the referenced fields of each record to perform the match. Any records that match will be displayed. The selection string is specified with the -s flag.

A selection string is an expression composed of field names, constants and operators. The syntax of a selection string is very similar to an expression in the C programming language.

Field names may also be specified as operands to this command to choose which fields display and the order in which they display.

The common field names are:

Time
Time when the situation to which the record corresponds occurred. The value is a 64-bit integer and represents the number of microseconds since the Unix Epoch (00:00:00 GMT January 1, 1970). See the constants in the following list to specify time in more user-friendly formats.

Subsystem
Identifies the subsystem that generated the record. It is a string.

Category
Identifies the category of the situation as determined by the subsystem that generated the audit log record. The category is represented as a 32-bit unsigned integer that may have the value of 0 (informational) or 1 (error).

SequenceNumber
Specifies the unique 64-bit integer that is assigned to the record. No other record in the audit log has the same sequence number.

TemplateId
Specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string. This value is a 32-bit unsigned integer.

In addition to the constants in expressions that are described in the selection string reference, the following syntax for dates and times may be used with this command.

#mmddhhmmyyyy
This format consists of a sequence of decimal characters that are interpreted according to the pattern shown. The fields in the pattern are, from left to right, mm=month, dd=day, hh=hour, mm=minutes, yyyy=year. For example, "#010523042000" corresponds to January 5, 11:04 PM, 2000. The fields may be omitted from right to left. If not present, the following are used: year defaults to the current year, minutes default to 0, hour defaults to 0, day defaults to 1, and month defaults to the current month.

#-mmddhhmmyyyy
This format is similar to the previous one but is relative to the current time and date. For example, the value #-0001 corresponds to one day ago and the value #-010001 corresponds to one month and one hour ago. Fields may be omitted starting from the right and are replaced by 0.
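
The following parser is an added example, not part of the original reference or of the lsaudrec implementation. It resolves both constant forms to the microsecond value used by the Time field, which helps when checking the exact window a selection string covers during log review. Assumptions: the clock is UTC, `now` is timezone-aware, and relative months and years step by calendar month with the day clamped to the end of a shorter month.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# '#' or '#-', then mm dd hh mm yyyy with fields omitted only from the right.
_CONST = re.compile(
    r"#(-?)(?:(\d\d)(?:(\d\d)(?:(\d\d)(?:(\d\d)(\d{4})?)?)?)?)?", re.ASCII)
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_time_constant(const, now=None):
    """Resolve a #mmddhhmmyyyy or #-mmddhhmmyyyy constant to a datetime."""
    now = now or datetime.now(timezone.utc)  # assumption: UTC clock
    m = _CONST.fullmatch(const)
    if m is None:
        raise ValueError(f"not a valid time constant: {const!r}")
    relative = m.group(1) == "-"
    month, day, hour, minute, year = (
        None if g is None else int(g) for g in m.groups()[1:])
    if not relative:
        # Absolute form: omitted fields take the defaults the page lists.
        return datetime(
            now.year if year is None else year,
            now.month if month is None else month,
            1 if day is None else day,
            hour or 0, minute or 0, tzinfo=now.tzinfo)
    # Relative form: omitted fields count as 0.
    # Assumption: months/years step by calendar month, clamping the day.
    back = (year or 0) * 12 + (month or 0)
    y, m0 = divmod(now.year * 12 + now.month - 1 - back, 12)
    last = calendar.monthrange(y, m0 + 1)[1]
    base = now.replace(year=y, month=m0 + 1, day=min(now.day, last))
    return base - timedelta(days=day or 0, hours=hour or 0,
                            minutes=minute or 0)


def to_time_field(dt):
    """Microseconds since the Unix Epoch, the unit of the Time field."""
    return (dt - _EPOCH) // timedelta(microseconds=1)


if __name__ == "__main__":
    now = datetime(2024, 3, 31, 12, 30, tzinfo=timezone.utc)  # constructed
    for c in ("#010523042000", "#-0001", "#-010001", "#-000001"):
        dt = parse_time_constant(c, now)
        print(f"{c:15} {dt.isoformat()}  Time={to_time_field(dt)}")
```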

The audit records considered for display and matched against the selection string can be restricted to a specific subsystem by using the -n flag. If this flag is present, then the subsystem-specific field names may be used in the selection string as well as the common field names.

The audit records are displayed in tabular format. If any of the field names are specified as operands, they control the fields that are displayed and the order in which they appear on each line. By default, the columns displayed are: date and time, name of the subsystem that generated the record, severity of the situation, and the subsystem-specific message that describes the situation.

Parameters


FieldName Identifies a field in the audit log records that is to be displayed. Multiple field names may be specified, and their order on the command line corresponds to the order in which they are displayed. If no field names are specified, then Time, Subsystem, Category, and Message are displayed by default.

Flags


-h Writes help information about this script to standard out. No further processing is performed.
-n "Subsystem Name" Specifies a subsystem name. If this option is present, then only records from the subsystem identified by "Subsystem Name" are considered for display. The records displayed can be further restricted by the -s flag. If the subsystem name contains any spaces, it must be enclosed within single or double quotation marks.
-s "Selection_String" Specifies a Selection_String that is evaluated against each record in the audit log. All records that match the Selection_String are displayed.

If the Selection_String contains any spaces, it must be enclosed within single or double quotes. The names of fields within the record may be used in the expression. If the -n flag is not specified, then only the names of common fields may be used. See Description for a list of the field names and their data types. If the -n flag is present, the name of any field for the specified subsystem as well as the common field names may be used.

If this flag is omitted, the records that are displayed depend on the -n option. If the -n option is omitted, all records from the audit log are displayed. Otherwise, all records for the subsystem identified by the -n option are displayed.

-x Suppresses header printing.

Exit Status


0 Command has run successfully
1 Error occurred with the RMC subsystem
2 Error occurred in CLI (command-line interface) program
3 Bad flag on command line
4 Bad operand on command line
5 User error

Security

All users may list records from the audit log.

Examples

  1. To list all records in the audit log, type:

    lsaudrec
    
  2. To list all records that were logged in the last hour, type:

    lsaudrec -s "Time>#-000001"
    
  3. To list the time and sequence number of every record in the audit log for the subsystem abc, type:

    lsaudrec -s'Subsystem=="abc"' Time SequenceNumber
    

Files


/usr/bin/rsct/bin/lsaudrec Location of the lsaudrec command

Related Information

The rmaudrec command.

