[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 1

auditmerge Command

Purpose

Combines multiple audit trails into a single trail.

Syntax

/usr/sbin/auditmerge [ -q ] file [ file ... ]

Description

The auditmerge command combines multiple audit trail files from potentially multiple machines into a single audit trail file. For each file with records remaining, the record that has the oldest time stamp is added to the output. If a record is found that has a negative time change, an optional warning message may be emitted. Processing continues and any such records are output with their time values unmodified.

The auditmerge command also is capable of adding CPU ID values from the bin header to each output record. The CPU ID value is encoded in the bin header and trailer for bins with a version number more recent than AIX 4.3.1.

The -q flag is used to control outputting warning messages. When a record with a negative time change is first seen, a single warning message is output. That message contains the name of the file containing the record and the time difference. These messages are suppressed when the -q flag is given on the command line.

Flags

-q Used to control outputting warning messages.

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Examples

  1. To merge two existing audit trails files from different hosts, enter:

    /usr/bin/auditmerge /audit/trail.calvin /audit/trail.hobbes > /audit/trail.merge
  2. To merge two existing data files which were preselected for different user names, enter:

    /usr/bin/auditmerge /audit/trail.jim /audit/trail.julie > /audit/trail.both
  3. To merge two data files without producing warnings about incorrect times, enter:

    /usr/bin/auditmerge -q /audit/jumbled.1 /audit/jumbled.2 > /audit/jumbled.output

Files

/etc/security/audit/hosts Contains the CPU ID to hostname mappings.

Related Information

The auditpr command, auditstream command, auditselect command.

The auditread subroutine, getaudithostattr subroutine.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]