Commands Reference, Volume 4
rmaudrec Command
Purpose
Removes records from the audit log.
Syntax
rmaudrec [-a | -n node_name1[,node_name2]...] [-S subsystem_name]
-s selection_string [-h] [-V]
Description
The rmaudrec command is used to delete records in the audit log.
The audit log is a facility for recording information about the system's
operation. It can include information about the normal operation of the system
as well as failures and other errors. It is meant to augment the error log functionality by conveying the
relationship of the error relative to other system activities. All detailed
information about failures is still written to the AIX
error log.
Records are created in the audit log by subsystems that have been instrumented
to do that. For example, the event response subsystem runs in the background
to monitor administrator-defined conditions and then invokes one or more actions
when a condition becomes true. Because this subsystem runs in the background,
it is difficult for the operator or administrator to understand the total
set of events that occurred and the results of any actions that were taken
in response to an event. Because the event response subsystem records its activity
in the audit log, the administrator can easily view its activity as well as
that of other subsystems. In addition, records may sometimes need to be removed
explicitly, which can be done using this command.
Each record in the audit log contains named fields. Each field contains
a value that provides information about the situation corresponding to the
record. For example, the field named Time indicates the time at which
the situation occurred. Each record has a set of common fields and a set of
subsystem-specific fields. The common fields are present in every record in
the audit log. The subsystem-specific fields vary from record to record.
Their names are only significant when used with a subsystem name because they
may not be unique across all subsystems. Each record is derived from a template
that defines which subsystem-specific fields are present in the record and
defines a format string that is used to generate a message describing the situation.
The format string may use record fields as inserts. A subsystem typically
has many templates.
The field names can be used as variables in a selection
string to choose which records are deleted. The selection string is matched
against each record using the referenced fields of each record to perform
the match. Any records that match will be removed. The selection string is
specified with the -s flag.
A selection string is an expression composed of field names, constants
and operators. The syntax of a selection string is very similar to an expression
in the C programming language. For information on how to specify selection
strings, see RSCT Guide and Reference.
The common field names are:
- Time
- Specifies the time when the situation occurred that the record corresponds
to. The value is a 64-bit integer and represents the number of microseconds
since Unix Epoch (00:00:00 GMT January 1, 1970). See the constants below
for specifying the time in more user-friendly formats.
- Subsystem
- Specifies the subsystem that generated the record. This is a string.
- Category
- Indicates the importance of the situation corresponding to the audit
record, as determined by the subsystem that generated the record. The valid
values are: 0 (informational) and 1 (error).
- SequenceNumber
- Specifies the unique 64-bit integer that is assigned to the record.
No other record in the audit log will have the same sequence number.
- TemplateId
- Specifies the subsystem-dependent identifier that is assigned to records
that have the same content and format string. This value is a 32-bit unsigned
integer.
- NodeName
- Specifies the name of the node from which the record was obtained. This
field name cannot be used in a selection string.
In addition to the constants in expressions that are described in RSCT Guide and Reference, you can
use the following syntax for dates and times with this command:
- #mmddhhmmyyyy
- This format consists of a sequence of decimal characters that are interpreted
according to the pattern shown. The fields in the pattern are, from left
to right: mm = month, dd = day, hh = hour, mm = minutes, yyyy = year. For example, #010523042002 corresponds
to January 5, 11:04 PM, 2002. The fields can be omitted from right to left.
If not present, the following defaults are used: year = the current year,
minutes = 0, hour = 0, day = 1, and month = the current month.
- #-mmddhhmmyyyy
- This format is similar to the previous one, but is relative to the current
time and date. For example, the value #-0001 corresponds to one
day ago and the value #-010001 corresponds to one month and one hour
ago. Fields can be omitted starting from the right and are replaced by 0.
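The two date-constant forms above resolve to the same unit as the Time field (microseconds since the Unix Epoch). The following is an added example, not part of the rmaudrec documentation or of RSCT, that resolves a constant against a reference time so a -s expression can be checked before records are deleted; it assumes absolute constants are UTC and that stepping back a month from a day past the end of the target month clamps to that month's last day.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Constructed reference time used in place of "now" for the examples below.
SAMPLE_NOW = datetime(2002, 3, 31, 12, 0, tzinfo=timezone.utc)

def _fields(text):
    """Split '#mmddhhmmyyyy' or '#-mmddhhmmyyyy' into its fields (None if omitted)."""
    m = re.fullmatch(r"#(-?)(\d+)", text)
    # Fields may only be dropped whole from the right: 2, 4, 6, 8 or 12 digits.
    if not m or len(m.group(2)) not in (2, 4, 6, 8, 12):
        raise ValueError(f"malformed date constant: {text!r}")
    digits, vals, pos = m.group(2), [], 0
    for width in (2, 2, 2, 2, 4):          # month, day, hour, minute, year
        vals.append(int(digits[pos:pos + width]) if pos + width <= len(digits) else None)
        pos += width
    return m.group(1) == "-", vals

def _shift_months_back(dt, months):
    """Move dt back by whole calendar months; day is clamped (assumption)."""
    idx = dt.year * 12 + dt.month - 1 - months
    year, month0 = divmod(idx, 12)
    day = min(dt.day, monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)

def parse_date_constant(text, now=SAMPLE_NOW):
    """Return the aware datetime that the constant denotes relative to `now`."""
    relative, (mon, day, hour, minute, year) = _fields(text)
    if relative:
        # Relative form: omitted fields are 0, everything is subtracted from now.
        mon, day, hour, minute, year = (v or 0 for v in (mon, day, hour, minute, year))
        dt = _shift_months_back(now, 12 * year + mon)
        return dt - timedelta(days=day, hours=hour, minutes=minute)
    # Absolute form: documented defaults for omitted fields (assumed UTC).
    return datetime(year if year is not None else now.year, mon,
                    day if day is not None else 1, hour or 0, minute or 0,
                    tzinfo=timezone.utc)

def date_constant_to_micros(text, now=SAMPLE_NOW):
    """Same constant expressed as a Time field value (microseconds since Epoch)."""
    return (parse_date_constant(text, now) - EPOCH) // timedelta(microseconds=1)

if __name__ == "__main__":
    for c in ("#010523042002", "#01", "#-0007", "#-0001", "#-010001"):
        print(c, parse_date_constant(c).isoformat(), date_constant_to_micros(c))
```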
The audit records considered for deletion and matched against the selection
string can be restricted to a specific subsystem by using the -S flag. If this flag is specified, the subsystem-specific
field names can be used in the selection string in addition to the common
field names.
The nodes from which audit log records are considered for deletion can
be restricted to a set of specific nodes by using the -n flag. If this flag is specified, the search will be limited to the
set of nodes listed. Otherwise, the search will be performed for all nodes
defined within the current management scope as determined by the CT_MANAGEMENT_SCOPE
environment variable.
It is advisable to first use the lsaudrec command with the same -s and -n flag values to list the records that will be deleted. This minimizes the
possibility of the selection string matching more records than intended.
Flags
- -a
- Specifies that records from all nodes in the domain are to be removed.
If both the -n and the -a flags are omitted, records from the local node only
are removed.
- -n node_name1[,node_name2]...
- Specifies the list of nodes containing audit log records that will be
examined and considered for deletion if they meet the other criteria, such
as matching the specified selection string. Node group names can also be
specified, which are expanded into a list of node names. If both the -n and the -a flags are omitted, records from the local node only will be deleted.
- -S subsystem_name
- Specifies a subsystem name. If this flag is present, only records identified by subsystem_name are
considered for deletion. The records to be deleted can be further restricted
by the -s flag.
If the subsystem name contains any spaces, it must be enclosed in single or
double quotation marks.
For backward compatibility, the subsystem name
can be specified using the -n flag only if the -a and the -S flags are not specified.
- -s selection_string
- Specifies a selection string. This string is evaluated against each
record in the audit log. If the evaluation results in a non-zero result (TRUE), the record is removed from the audit log. If the selection string
contains any spaces, it must be enclosed within single or double quotation
marks. For information on how to specify selection strings, see RSCT Guide and Reference.
The names of fields within the record
can be used in the expression. If the -S flag is not specified, only the names of common
fields can be used. See the Description for a list of
the common field names and their data types. If the -S flag is specified, the name of any field
for the specified subsystem as well as the common field names can be used.
If this flag is
not specified, no records will be removed from the audit log.
- -h
- Writes the command's usage statement to standard output.
- -V
- Writes the command's verbose messages to standard error.
Parameters
- field_name1 [field_name2...]
- Specifies one or more fields in the audit log records to be displayed.
The order of the field names on the command line corresponds to the order
in which they are displayed. If no field names are specified, Time, Subsystem, Severity, and Message are displayed by
default. If the management scope is not local, NodeName is displayed
as the first column by default. See the Description for
information about these and other fields.
Security
In order to remove records from an audit log when the -S flag is omitted, a user
must have write access to the target resource class on each node from which
records are to be removed. When the -S flag is specified, the user must have write access
to the audit log resource corresponding to the subsystem identified by the -S flag on each
node from which records are to be removed.
Authorization is controlled by the RMC access control list (ACL) file that
exists on each node.
Exit Status
- 0
- The command ran successfully.
- 1
- An error occurred with RMC.
- 2
- An error occurred with a command-line interface script.
- 3
- An incorrect flag was entered on the command line.
- 4
- An incorrect parameter was entered on the command line.
- 5
- An error occurred that was based on incorrect command-line input.
Environment Variables
- CT_CONTACT
- Determines the system where the session with the resource monitoring
and control (RMC) daemon is established. When CT_CONTACT is set to a host
name or IP address, the command contacts the RMC daemon on the specified host.
If CT_CONTACT is not set, the command contacts the RMC daemon on the local
system where the command is being run. The target of the RMC daemon session
and the management scope determine the resource classes or resources that
can be affected by this command.
- CT_MANAGEMENT_SCOPE
- Determines (in conjunction with the -a and -n flags) the management
scope that is used for the session with the RMC daemon. The management scope
determines the set of possible target nodes where audit log records can be
deleted. If the -a and -n flags are not specified, local scope is used. When
either of these flags is
specified, CT_MANAGEMENT_SCOPE is used to determine the management scope
directly. The valid values are:
- 0
- Specifies local scope.
- 1
- Specifies local scope.
- 2
- Specifies peer domain scope.
- 3
- Specifies management domain scope.
If this environment variable is not set, local scope is used.
Standard Output
When the -h flag is specified, this command's usage statement is written to standard
output.
Standard Error
If the -V flag is specified and the command completes successfully,
a message indicating the number of records that were deleted will be written
to standard error.
Examples
- To remove all records from the audit log on every node in the management
scope defined by the CT_MANAGEMENT_SCOPE environment variable, enter:
rmaudrec -s "Time > 0"
or
rmaudrec -s "SequenceNumber >= 0"
- To remove all records more than a week old on every node in the management
scope defined by the CT_MANAGEMENT_SCOPE environment variable, enter:
rmaudrec -s "Time < #-0007"
- To remove all records that are more than a day old and created by the abc subsystem on nodes mynode and yournode, enter:
rmaudrec -S abc -s "Time < #-0001" -n mynode,yournode
Location
- /usr/sbin/rsct/bin/rmaudrec
- Contains the rmaudrec command
Related Information
Commands: lsaudrec