Commands Reference, Volume 4

rmaudrec Command

Purpose

Removes records from the audit log.

Syntax

rmaudrec [-a | -n node_name1[,node_name2]...] [-S subsystem_name]
-s selection_string [-h] [-V]

Description

The rmaudrec command is used to delete records in the audit log.

The audit log is a facility for recording information about the system's operation. It can include information about the normal operation of the system as well as failures and other errors. It is meant to augment the error log functionality by conveying the relationship of the error relative to other system activities. All detailed information about failures is still written to the AIX error log.

Records are created in the audit log by subsystems that have been instrumented to do that. For example, the event response subsystem runs in the background to monitor administrator-defined conditions and then invokes one or more actions when a condition becomes true. Because this subsystem runs in the background, it is difficult for the operator or administrator to understand the total set of events that occurred and the results of any actions that were taken in response to an event. Because the event response subsystem records its activity in the audit log, the administrator can easily view its activity as well as that of other subsystems. In addition, records may sometimes need to be removed explicitly, which can be done using this command.

Each record in the audit log contains named fields. Each field contains a value that provides information about the situation corresponding to the record. For example, the field named Time indicates the time at which the situation occurred. Each record has a set of common fields and a set of subsystem-specific fields. The common fields are present in every record in the audit log. The subsystem-specific fields vary from record to record. Their names are only significant when used with a subsystem name because they may not be unique across all subsystems. Each record is derived from a template that defines which subsystem-specific fields are present in the record and defines a format string that is used to generate a message describing the situation. The format string may use record fields as inserts. A subsystem typically has many templates.

The field names can be used as variables in a selection string to choose which records are deleted. The selection string is matched against each record using the referenced fields of each record to perform the match. Any records that match will be removed. The selection string is specified with the -s flag.

A selection string is an expression composed of field names, constants and operators. The syntax of a selection string is very similar to an expression in the C programming language. For information on how to specify selection strings, see RSCT Guide and Reference.

The common field names are:

Time: Specifies the time when the situation occurred that the record corresponds to. The value is a 64-bit integer and represents the number of microseconds since Unix Epoch (00:00:00 GMT January 1, 1970). See the constants below for specifying the time in more user-friendly formats.
Subsystem: Specifies the subsystem that generated the record. This is a string.
Category: Indicates the importance of the situation corresponding to the audit record, as determined by the subsystem that generated the record. The valid values are: 0 (informational) and 1 (error).
SequenceNumber: Specifies the unique 64-bit integer that is assigned to the record. No other record in the audit log will have the same sequence number.
TemplateId: Specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string. This value is a 32-bit unsigned integer.
NodeName: Specifies the name of the node from which the record was obtained. This field name cannot be used in a selection string.

In addition to the constants in expressions that are described in RSCT Guide and Reference, you can use the following syntax for dates and times with this command:

#mmddhhmmyyyy: This format consists of a sequence of decimal characters that are interpreted according to the pattern shown. The fields in the pattern are, from left to right: mm = month, dd = day, hh = hour, mm = minutes, yyyy = year. For example, #010523042002 corresponds to January 5, 11:04 PM, 2002. The fields can be omitted from right to left. If not present, the following defaults are used: year = the current year, minutes = 0, hour = 0, day = 1, and month = the current month.
#-mmddhhmmyyyy: This format is similar to the previous one, but is relative to the current time and date. For example, the value #-0001 corresponds to one day ago and the value #-010001 corresponds to one month and one hour ago. Fields can be omitted starting from the right and are replaced by 0.

The audit records considered for deletion and matched against the selection string can be restricted to a specific subsystem by using the -S flag. If this flag is specified, the subsystem-specific field names can be used in the selection string in addition to the common field names.

The nodes from which audit log records are considered for deletion can be restricted to a set of specific nodes by using the -n flag. If this flag is specified, the search will be limited to the set of nodes listed. Otherwise, the search will be performed for all nodes defined within the current management scope as determined by the CT_MANAGEMENT_SCOPE environment variable.

It is advisable to first use the lsaudrec command with the same -s and -n flag values to list the records that will be deleted. This minimizes the possibility of the selection string matching more records than intended.

Flags

-a

Specifies that records from all nodes in the domain are to be removed. If both the -n and the -a flags are omitted, records from the local node only are removed.

-n node_name1[,node_name2]...

Specifies the list of nodes containing audit log records that will be examined and considered for deletion if they meet the other criteria, such as matching the specified selection string. Node group names can also be specified, which are expanded into a list of node names. If both the -n and the -a flags are omitted, records from the local node only will be deleted.

-S subsystem_name

Specifies a subsystem name. If this flag is present, only records identified by subsystem_name are considered for deletion. The records to be deleted can be further restricted by the -s flag. If the subsystem name contains any spaces, it must be enclosed in single or double quotation marks.

For backward compatibility, the subsystem name can be specified using the -n flag only if the -a and the -S flags are not specified.

-s selection string

Specifies a selection string. This string is evaluated against each record in the audit log. If the evaluation results in a non-zero result (TRUE), the record is removed from the audit log. If the selection string contains any spaces, it must be enclosed within single or double quotation marks. For information on how to specify selection strings, see RSCT Guide and Reference.

The names of fields within the record can be used in the expression. If the -S flag is not specified, only the names of common fields can be used. See the Description for a list of the common field names and their data types. If the -S flag is specified, the name of any field for the specified subsystem as well as the common field names can be used.

If this flag is not specified, no records will be removed from the audit log.

-h

Writes the command's usage statement to standard output.

-V

Writes the command's verbose messages to standard error.

Parameters

field_name1 [field_name2...]: Specifies one or more fields in the audit log records to be displayed. The order of the field names on the command line corresponds to the order in which they are displayed. If no field names are specified, Time, Subsystem, Severity, and Message are displayed by default. If the management scope is not local, NodeName is displayed as the first column by default. See the Description for information about these and other fields.

Security

In order to remove records from an audit log when the -S flag is omitted, a user must have write access to the target resource class on each node from which records are to be removed. When the -S flag is specified, the user must have write access to the audit log resource corresponding to the subsystem identified by the -S flag on each node from which records are to be removed.

Authorization is controlled by the RMC access control list (ACL) file that exists on each node.

Exit Status

0: The command ran successfully.
1: An error occurred with RMC.
2: An error occurred with a command-line interface script.
3: An incorrect flag was entered on the command line.
4: An incorrect parameter was entered on the command line.
5: An error occurred that was based on incorrect command-line input.

Environment Variables

CT_CONTACT

Determines the system where the session with the resource monitoring and control (RMC) daemon is established. When CT_CONTACT is set to a host name or IP address, the command contacts the RMC daemon on the specified host. If CT_CONTACT is not set, the command contacts the RMC daemon on the local system where the command is being run. The target of the RMC daemon session and the management scope determine the resource classes or resources that can be affected by this command.

CT_MANAGEMENT_SCOPE

Determines (in conjunction with the -a and -n flags) the management scope that is used for the session with the RMC daemon. The management scope determines the set of possible target nodes where audit log records can be deleted. If the -a and -n flags are not specified, local scope is used. When either of these flags is specified, CT_MANAGEMENT_SCOPE is used to determine the management scope directly. The valid values are:

0: Specifies local scope.
1: Specifies local scope.
2: Specifies peer domain scope.
3: Specifies management domain scope.

If this environment variable is not set, local scope is used.

Standard Output

When the -h flag is specified, this command's usage statement is written to standard output.

Standard Error

If the -V flag is specified and the command completes successfully, a message indicating the number of records that were deleted will be written to standard error.

Examples

To remove all records from the audit log on every node in the management scope defined by the CT_MANAGEMENT_SCOPE environment variable, enter:
```
rmaudrec -s "Time > 0"
```
or
```
rmaudrec -s "SequenceNumber >= 0"
```
To remove all records more than a week old on every node in the management scope defined by the CT_MANAGEMENT_SCOPE environment variable, enter:
```
rmaudrec -s "Time < #-0007"
```
To remove all records that are more than a day old and created by the abc subsystem on nodes mynode and yournode, enter:
```
rmaudrec -S abc -s "Time < #-0001" -n mynode,yournode
```

Location

/usr/sbin/rsct/bin/rmaudrec: Contains the rmaudrec command

Related Information

Commands: lsaudrec