Combines multiple audit trails into a single trail.
/usr/sbin/auditmerge [ -q ] file [ file ... ]
The auditmerge command combines multiple audit trail files from potentially multiple machines into a single audit trail file. For each file with records remaining, the record that has the oldest time stamp is added to the output. If a record is found that has a negative time change, an optional warning message may be emitted. Processing continues and any such records are output with their time values unmodified.
The auditmerge command also is capable of adding CPU ID values from the bin header to each output record. The CPU ID value is encoded in the bin header and trailer for bins with a version number more recent than AIX 4.3.1.
The -q flag is used to control outputting warning messages. When a record with a negative time change is first seen, a single warning message is output. That message contains the name of the file containing the record and the time difference. These messages are suppressed when the -q flag is given on the command line.
-q | Used to control outputting warning messages. |
Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
/usr/bin/auditmerge /audit/trail.calvin /audit/trail.hobbes > /audit/trail.merge
/usr/bin/auditmerge /audit/trail.jim /audit/trail.julie > /audit/trail.both
/usr/bin/auditmerge -q /audit/jumbled.1 /audit/jumbled.2 > /audit/jumbled.output
/etc/security/audit/hosts | Contains the CPU ID to hostname mappings. |
The auditpr command, auditstream command, auditselect command.
The auditread subroutine, getaudithostattr subroutine.