
Commands Reference, Volume 4


rmaudrec Command

Purpose

Removes records from the audit log.

Syntax

rmaudrec [ -h ] [ -n "Subsystem Name" ] [ -s "Selection_String" ] [ -V ]

Description

The rmaudrec command deletes records in the audit log. The audit log is a system-wide facility for recording information about the system's operation. It can include information about the normal operation of the system as well as failures and other errors. It is meant to augment error log functionality by conveying the relationship of the error relative to other system activities. All detailed information about failures is still written to the error log.

Records are created in the audit log by subsystems that have been instrumented to do that. For example, the Event Response subsystem runs in the background to monitor conditions defined by the administrator and then invokes one or more actions when a condition becomes true. Because this subsystem runs in the background, it is difficult for the operator or administrator to understand the total set of events that occurred and the results of any actions that were taken in response to an event. Because the Event Response subsystem records its activity in the audit log, the administrator can easily view Event Response subsystem activity as well as that of other subsystems. In addition, records may sometimes need to be removed explicitly, which can be done through this command.

Each record in the audit log contains named fields. Each field contains a value that provides information about the situation corresponding to the record. For example, the Time field indicates when the situation occurred. Each record has a set of common fields and a set of subsystem-specific fields. The common fields are present in every record in the audit log. The subsystem-specific fields vary from record to record. Their names are only significant when used with a subsystem name because they may not be unique across all subsystems. Each record is derived from a template that defines what subsystem-specific fields are present in the record and defines a format string that is used to generate a message describing the situation. The format string may use record fields as inserts. A subsystem typically has many templates.

The field names may be used as variables in a selection string to choose which records are deleted. The selection string is matched against each record by using the referenced fields of each record to perform the match. Any records that match are removed. The selection string is specified with the -s flag.

A selection string is an expression composed of field names, constants and operators. The syntax of a selection string is very similar to an expression in the C programming language.

The common field names are:

Time
Time when the situation to which the record corresponds occurred. The value is a 64-bit integer and represents the number of microseconds since Unix Epoch (00:00:00 GMT January 1, 1970). See the constants in the following list to specify time in more user-friendly formats.

Subsystem
Identifies the subsystem that generated the record. It is a string.

Category
Identifies the category of the situation as determined by the subsystem that generated the audit log record. The category is represented as a 32-bit unsigned integer that may have the value of 0 (informational) or 1 (error).

SequenceNumber
Specifies the unique 64-bit integer that is assigned to the record. No other record in the audit log has the same sequence number.

TemplateId
Specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string. This value is a 32-bit unsigned integer.

In addition to the constants in expressions that are described in the selection string reference, the following syntax for dates and times may be used with this command.

#mmddhhmmyyyy
This format consists of a sequence of decimal characters that are interpreted according to the pattern shown. The fields in the pattern are, from left to right: mm=month, dd=day, hh=hour, mm=minutes, yyyy=year. For example, "#010523042000" corresponds to January 5, 11:04 PM, 2000. Fields may be omitted from right to left. If not present, the following defaults are used: year defaults to the current year, minutes default to 0, hour defaults to 0, day defaults to 1, and month defaults to the current month.

#-mmddhhmmyyyy
This format is similar to the previous one but is relative to the current time and date. For example, the value #-0001 corresponds to one day ago and the value #-010001 corresponds to one month and one hour ago. Fields may be omitted starting from the right and are replaced by 0.
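The two time-constant forms above are easy to misread, so here is an interpreter for them written for this page (added example, not code from the rmaudrec command or its documentation). It resolves a constant against a supplied timezone-aware "now" and converts the result to the microseconds-since-epoch unit of the Time field; the page does not define month arithmetic for the relative form, so stepping the calendar month back and clamping the day to the target month's length is an assumption.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Field layout, left to right, exactly as the page gives it: mm dd hh mm yyyy.
_FIELDS = ((2, "month"), (2, "day"), (2, "hour"), (2, "minute"), (4, "year"))
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC datetime (the Time field counts from GMT epoch)."""
    return datetime(*args, tzinfo=timezone.utc)


def _split_fields(digits: str) -> dict:
    """Cut the digit string into named fields; fields omitted from the right are absent."""
    if not digits.isdigit():
        raise ValueError(f"time constant must be decimal digits, got {digits!r}")
    fields, pos = {}, 0
    for width, name in _FIELDS:
        if pos == len(digits):
            break
        fields[name] = int(digits[pos:pos + width])
        pos += width
    if pos != len(digits):  # a half-written field, or digits beyond yyyy
        raise ValueError(f"{digits!r} does not fit the mmddhhmmyyyy pattern")
    return fields


def parse_time_constant(text: str, now: datetime) -> datetime:
    """Resolve '#mmddhhmmyyyy' (absolute) or '#-mmddhhmmyyyy' (relative to now).

    Absolute defaults: current year and month, day 1, hour 0, minute 0.
    Relative: every field is subtracted from `now`; omitted fields count as 0.
    Month/year offsets step the calendar back and clamp the day (assumption).
    """
    if not text.startswith("#"):
        raise ValueError("time constants start with '#'")
    relative = text.startswith("#-")
    f = _split_fields(text[2:] if relative else text[1:])
    if not relative:
        return now.replace(year=f.get("year", now.year), month=f.get("month", now.month),
                           day=f.get("day", 1), hour=f.get("hour", 0),
                           minute=f.get("minute", 0), second=0, microsecond=0)
    total = now.year * 12 + (now.month - 1) - (f.get("year", 0) * 12 + f.get("month", 0))
    year, month0 = divmod(total, 12)
    day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
    base = now.replace(year=year, month=month0 + 1, day=day)
    return base - timedelta(days=f.get("day", 0), hours=f.get("hour", 0),
                            minutes=f.get("minute", 0))


def time_field_value(text: str, now: datetime) -> int:
    """Microseconds since the Unix epoch, the unit the Time field is stored in."""
    return (parse_time_constant(text, now) - _EPOCH) // timedelta(microseconds=1)
```

Comparing the value returned by time_field_value with a record's Time field shows exactly which records a selection such as Time <#-0007 would match before anything is removed.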

The audit records considered for deletion and matched against the selection string can be restricted to a specific subsystem by using the -n flag. If this flag is present, then the subsystem-specific field names can be used in the selection string as well as the common field names.

It is advisable to first use the lsaudrec command with the same -s flag value to list the records that would be deleted. This minimizes the possibility of the selection string matching more records than intended.

If the -V flag is specified and the command is completed successfully, a message that indicates the number of records that were deleted is written to standard error.

Note: The following restrictions apply:

Flags


-h Writes help information about this script to standard out. No further processing is performed.
-n "Subsystem Name" Specifies a subsystem name. If this option is present, then only records from the subsystem identified by "Subsystem Name" are considered for deletion. The records deleted may be further restricted by the -s flag. If the subsystem name contains any spaces, it must be enclosed within single or double quotation marks.
-s "Selection_String" Specifies a Selection_String that is evaluated against each record in the audit log. This string is evaluated against each record in the audit log. If the evaluation results in a non-zero result (TRUE), then the record is removed from the audit log. If the Selection_String contains any spaces, it must be enclosed within single or double quotes.

The names of fields within the record may be used in the expression. If the -n flag is not specified, then only the names of common fields may be used. See Description for a list of the common field names and their data types. If the -n flag is present, the name of any field for the specified subsystem as well as the common field names may be used.

No records will be removed from the audit log if this flag is not present.

-V Writes the verbose messages of the command to standard error.

Exit Status

0 Command has run successfully
1 Error occurred with the RMC subsystem
2 Error occurred in CLI (command-line interface) program
3 Bad flag on command line
4 Bad operand on command line
5 User error

Security

Only the root user may remove records from the audit log.

Examples

  1. To remove all records in the audit log, type:

    rmaudrec -s"Time>0"

    or

    rmaudrec -s"SequenceNumber>=0"

  2. To remove all records more than a week old, type:

    rmaudrec -s"Time <#-0007"

  3. To remove all records more than a week old and created by the Abc subsystem, type:

    rmaudrec -s'Subsystem=="Abc" && Time <#-0007'

Files

/usr/bin/rsct/bin/rmaudrec Location of the rmaudrec command

Related Information

The lsaudrec command.
