The options are as follows:

  Select all records.

  Select records that occurred after or on the given datetime.

  Select records that occurred before the given datetime.

  Select records matching the given audit classes, specified as a comma-separated list of audit flags. See audit_control(5) for a description of audit flags.

  Select records that occurred on a given date. This option cannot be used with

  Select records with the given effective user ID or name.

  Select records with the given effective group ID or name.

  Select records with the given real group ID or name.

  Select records having a subject token with matching ID, where ID is a process ID.

  Select records with the given event name or number. This option can be used more than once to select records of multiple event types. See audit_event(5) for a description of audit event names and numbers.

  Select records containing the given object, specified as object=value. The object types are:

    file    Select records containing path tokens, where the pathname matches one of the comma-delimited extended regular expressions given as the value. Regular expressions prefixed with a tilde (‘~’) exclude matching pathnames from the search results. The expressions are processed from left to right, and a path is either selected or deselected based on the first match. Since commas delimit the regular expressions, a backslash (‘\’) character must be used to escape a comma that is part of the search pattern.

            Select records containing the given message queue ID.

    pid     Select records containing the given process ID.

    semid   Select records containing the given semaphore ID.

    shmid   Select records containing the given shared memory ID.

  Select records with the given real user ID or name.

  Select records with the given audit ID.

  Invert the sense of matching, to select records that do not match.
To select all records with effective user root from a trail file:

  auditreduce -e root \
      /var/audit/20031016184719.20031017122634

To select all setlogin(2) events from that log:

  auditreduce -m AUE_SETLOGIN \
      /var/audit/20031016184719.20031017122634

Output from the above command lines will typically be piped to a new trail file, or via standard output to the praudit(1) command.

Select all records containing a path token where the pathname contains /etc/master.passwd:

  auditreduce -o file="/etc/master.passwd" \
      /var/audit/20031016184719.20031017122634

Select all records containing path tokens, where the pathname is a TTY device:

  auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \
      /var/audit/20031016184719.20031017122634

Select all records containing path tokens, where the pathname is a TTY except for /dev/ttyp2:

  auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \
      /var/audit/20031016184719.20031017122634
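The file= selector semantics described in the options (comma-delimited extended regular expressions, tilde-prefixed exclusions, first match wins, backslash-escaped commas) and illustrated by the TTY examples above are easy to get wrong when composing a filter. The following is an added example, not code from the manual page or from auditreduce itself: a small Python model of that selector, run over constructed sample records, so the effect of rule ordering can be checked before a real trail is queried. It assumes unanchored matching (the page says a pathname "contains" the pattern) and that Python's re syntax is close enough to POSIX ERE for patterns like the ones shown; the record layout, function names and sample data are mine.

```python
import re

# Constructed sample records (not real audit trail data): each carries the
# event name and the pathnames found in its path tokens.
SAMPLE_RECORDS = [
    {"event": "AUE_OPEN_R", "paths": ["/etc/master.passwd"]},
    {"event": "AUE_OPEN_RW", "paths": ["/dev/ttyp2"]},
    {"event": "AUE_OPEN_RW", "paths": ["/dev/ttyv0"]},
    {"event": "AUE_OPEN_RW", "paths": ["/dev/ttyp20"]},
    {"event": "AUE_SETLOGIN", "paths": []},
    {"event": "AUE_RENAME", "paths": ["/tmp/old,name", "/tmp/new"]},
]


def split_patterns(spec):
    """Split a comma-delimited pattern list.

    A backslash before a comma escapes it (the comma becomes part of the
    pattern); any other backslash is kept so regex escapes survive intact.
    """
    patterns, current, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec) and spec[i + 1] == ",":
            current.append(",")
            i += 2
        elif ch == ",":
            patterns.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    patterns.append("".join(current))
    return patterns


def compile_file_spec(spec):
    """Turn a file= value into an ordered list of (exclude, regex) rules.

    A leading tilde marks an exclusion rule. Order is preserved because the
    first matching rule decides the outcome.
    """
    rules = []
    for pattern in split_patterns(spec):
        exclude = pattern.startswith("~")
        if exclude:
            pattern = pattern[1:]
        rules.append((exclude, re.compile(pattern)))
    return rules


def path_selected(rules, path):
    """Apply the rules left to right; the first match decides.

    Matching is unanchored (re.search) because a path is selected when it
    contains the pattern. No match at all means the path is not selected.
    """
    for exclude, regex in rules:
        if regex.search(path):
            return not exclude
    return False


def select_by_file(records, spec, invert=False):
    """Select records with at least one selected path token.

    invert=True mirrors the option that inverts the sense of matching.
    """
    rules = compile_file_spec(spec)
    chosen = []
    for record in records:
        hit = any(path_selected(rules, p) for p in record["paths"])
        if hit != invert:
            chosen.append(record)
    return chosen


if __name__ == "__main__":
    # Same filter as the last example on the page: TTYs except /dev/ttyp2.
    spec = "~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+"
    for rec in select_by_file(SAMPLE_RECORDS, spec):
        print(rec["event"], rec["paths"])
```

Running it shows the ordering subtlety worth knowing before relying on an exclusion: because matching is unanchored, the rule `~/dev/ttyp2` also matches `/dev/ttyp20` as a substring and, being first, excludes it even though the second rule would have selected it. Anchoring the exclusion (for example `~/dev/ttyp2$`) is the way to exclude exactly one device.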
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
AUDITREDUCE(1)                 January 24, 2004