[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home |
Legal |
Search ]
Commands Reference, Volume 3
lsaudrec Command
Purpose
Lists records from the audit log.
Syntax
lsaudrec [-l] [-a | -n node_name1[,node_name2]...] [-S subsystem_name]
[-s selection_string] [-x] [-h] [field_name1 [field_name2...]]
Description
The lsaudrec command is used to list records in the audit log.
The audit log is a facility for recording information about the system's
operation. It can include information about the normal operation of the system
as well as failures and other errors. It is meant to augment the error log functionality by conveying the
relationship of the error relative to other system activities. All detailed
information about failures is still written to the AIX
error log.
Records are created in the audit log by subsystems that have been instrumented
to do that. For example, the event response subsystem runs in the background
to monitor administrator-defined conditions and then invokes one or more actions
when a condition becomes true. Because this subsystem runs in the background,
it is difficult for the operator or administrator to understand the total
set of events that occurred and the results of any actions that were taken
in response to an event. Because the event response subsystem records its activity
in the audit log, the administrator can easily view its activity as well as
that of other subsystems using this command.
Each record in the audit log contains named fields. Each field contains
a value that provides information about the situation corresponding to the
record. For example, the field named Time indicates the time at which
the situation occurred. Each record has a set of common fields and a set of
subsystem-specific fields. The common fields are present in every record in
the audit log. The subsystem-specific fields vary from record to record.
Their names are only significant when used with a subsystem name because they
may not be unique across all subsystems. Each record is derived from a template
that defines which subsystem-specific fields are present in the record and
defines a format string that is used to generate a message describing the situation.
The format string may use record fields as inserts. A subsystem typically
has many templates.
The field names can be used as variables in a selection
string to choose which records are displayed. A selection string is
an expression that is made up of field names, constants, and operators. The
syntax of a selection string is similar to an expression in the C programming
language or the SQL "where" clause. The selection string is matched against
each record using the referenced fields of each record to perform the match.
Any records that match are displayed. The selection string is specified
with the -s flag. For information on how to specify selection strings, see RSCT Guide and Reference.
You can also specify field names as parameters to this command to choose
which fields are displayed and the order in which they are displayed. The
common field names are:
- Time
- Specifies the time when the situation occurred that the record corresponds
to. The value is a 64-bit integer and represents the number of microseconds
since Unix Epoch (00:00:00 GMT January 1, 1970). See the constants below
for specifying the time in more user-friendly formats.
- Subsystem
- Specifies the subsystem that generated the record. This is a string.
- Category
- Indicates the importance of the situation corresponding to the audit
record, as determined by the subsystem that generated the record. The valid
values are: 0 (informational) and 1 (error).
- SequenceNumber
- Specifies the unique 64-bit integer that is assigned to the record.
No other record in the audit log will have the same sequence number.
- TemplateId
- Specifies the subsystem-dependent identifier that is assigned to records
that have the same content and format string. This value is a 32-bit unsigned
integer.
- NodeName
- Specifies the name of the node from which the record was obtained. This
field name cannot be used in a selection string.
In addition to the constants in expressions that are described in RSCT Guide and Reference, you can
use the following syntax for dates and times with this command:
- #mmddhhmmyyyy
- This format consists of a sequence of decimal characters that are interpreted
according to the pattern shown. The fields in the pattern are, from left
to right: mm = month, dd = day, hh = hour, mm = minutes, yyyy = year. For example, #010523042002 corresponds
to January 5, 11:04 PM, 2002. The fields can be omitted from right to left.
If not present, the following defaults are used: year = the current year,
minutes = 0, hour = 0, day = 1, and month = the current month.
- #-mmddhhmmyyyy
- This format is similar to the previous one, but is relative to the current
time and date. For example, the value #-0001 corresponds to one
day ago and the value #-010001 corresponds to one month and one hour
ago. Fields can be omitted starting from the right and are replaced by 0.
The audit records considered for display and matched against the selection
string can be restricted to a specific subsystem by using the -S flag. If this flag is specified, the subsystem-specific
field names can be used in the selection string in addition to the common
field names.
The nodes from which audit log records are considered for display and matched
against the selection string can be restricted to a set of specific nodes
by using the -n flag. If this flag is specified, the search is limited to the set of nodes listed. Otherwise,
the search is performed for all nodes defined within the current management
scope, as determined by the CT_MANAGEMENT_SCOPE environment variable.
The audit records are displayed in a table. Field names specified as parameters
control which fields are displayed and the order in which they appear on
each line. By default, the columns displayed are: the date and time, the
subsystem name that generated the record, the severity of the situation,
and the subsystem-specific message that describes the situation. If the management
scope is not local, the node name is displayed in the first column.
Flags
- -l
- Indicates that long output should be produced. Long output includes
subsystem-specific fields that are not included in the formatted message text.
- -a
- Specifies that records from all nodes in the domain are to be displayed.
If both the -n and the -a flags are omitted, records from the local node only
are displayed.
- -n node_name1[,node_name2]...
- Specifies the list of nodes containing audit log records that will be
examined and displayed if they meet the other criteria, such as matching
the specified selection string. Node group names can also be specified, which
are expanded into a list of node names. If both the -n and the -a flags are
omitted, records from the local node only are displayed.
- -S subsystem_name
- Specifies a subsystem name. If this flag is present, only records identified by subsystem_name are
considered for display. The records displayed can be further restricted by
the -s flag.
If the subsystem name contains any spaces, it must be enclosed in single or
double quotation marks.
For backward compatibility, the subsystem name
can be specified using the -n flag only if the -a and the -S flags are not specified.
- -s selection_string
- Specifies a selection string. This string is evaluated against each
record in the audit log. All records that match the selection string will
be displayed. If the selection string contains any spaces, it must be enclosed
in single or double quotation marks. For information on how to specify selection
strings, see RSCT Guide and Reference.
The names of fields in the record can be used in the expression. If the -S flag is not
specified, only the names of common fields can be used. See the Description for a list of the common field names and their data types.
If the -S flag is specified, the name of any field for the specified subsystem as
well as the common field names can be used.
If this flag is omitted, the records that are
displayed will depend on the -S flag. If the -S flag is omitted, all records from the audit log are displayed. Otherwise,
all records for the subsystem identified by the -S flag are displayed.
- -x
- Excludes the header (suppresses header printing).
- -h
- Writes the command's usage statement to standard output.
Parameters
- field_name1 [field_name2...]
- Specifies one or more fields in the audit log records to be displayed.
The order of the field names on the command line corresponds to the order
in which they are displayed. If no field names are specified, Time, Subsystem, Severity, and Message are displayed by
default. If the management scope is not local, NodeName is displayed
as the first column by default. See the Description for
information about these and other fields.
Security
In order to list records from an audit log when the -S flag is omitted, a user must have read
access to the target resource class on each node from which records are to
be listed. When the -S flag is specified, the user must have read access to the audit log
resource corresponding to the subsystem identified by the -S flag on each node from which
records are to be listed.
Authorization is controlled by the RMC access control list (ACL) file that
exists on each node.
Exit Status
- 0
- The command ran successfully.
- 1
- An error occurred with RMC.
- 2
- An error occurred with a command-line interface script.
- 3
- An incorrect flag was entered on the command line.
- 4
- An incorrect parameter was entered on the command line.
- 5
- An error occurred that was based on incorrect command-line input.
Environment Variables
- CT_CONTACT
- Determines the system where the session with the resource monitoring
and control (RMC) daemon is established. When CT_CONTACT is set to a host
name or IP address, the command contacts the RMC daemon on the specified host.
If CT_CONTACT is not set, the command contacts the RMC daemon on the local
system where the command is being run. The target of the RMC daemon session
and the management scope determine the resource classes or resources that
can be affected by this command.
- CT_MANAGEMENT_SCOPE
- Determines (in conjunction with the -a and -n flags) the management
scope that is used for the session with the RMC daemon. The management scope
determines the set of possible target nodes where audit log records can be
listed. If the -a and -n flags are not specified, local scope is used. When
either of these flags is
specified, CT_MANAGEMENT_SCOPE is used to determine the management scope
directly. The valid values are:
- 0
- Specifies local scope.
- 1
- Specifies local scope.
- 2
- Specifies peer domain scope.
- 3
- Specifies management domain scope.
If this environment variable is not set, local scope is used.
Standard Output
When the -h flag is specified, this command's syntax usage is written to standard output.
Examples
- To list all records in the audit log on every node in the current management
scope as determined by the CT_MANAGMENT_SCOPE environment variable, enter:
lsaudrec
- To list all records that were logged in the last hour on every node in
the current management scope as determined by the CT_MANAGMENT_SCOPE environment
variable, enter:
lsaudrec -s "Time > #-000001"
- To list the time and sequence number of every record in the audit log
for the subsystem abc on nodes mynode and yournode,
enter:
lsaudrec -n mynode,yournode -S abc Time SequenceNumber
Location
- /usr/sbin/rsct/bin/lsaudrec
- Contains the lsaudrec command
Related Information
Commands: rmaudrec
[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home |
Legal |
Search ]