catauditlog

Use the catauditlog command to display the in-memory contents of the audit log.

Syntax

catauditlog [ -nohdr ] [ -delimdelimiter ] [ -firstnumber_of_entries_to_return ]

Parameters

-nohdr: (Optional) By default, headings are displayed for each column of data in a concise style view, and for each item of data in a detailed style view. The -nohdr parameter suppresses the display of these headings.
Note: If there is no data to be displayed, headings are not displayed.
-delimdelimiter: (Optional) By default in a concise view, all columns of data are space-separated. The width of each column is set to the maximum width of each item of data. In a detailed view, each item of data has its own row, and if the headers are displayed, the data is separated from the header by a space. The -delim parameter overrides this behavior. Valid input for the -delim parameter is a one-byte character. If you enter -delim : on the command line, the colon character (:) separates all items of data in a concise view; for example, the spacing of columns does not occur. In a detailed view, the data is separated from its header by the specified delimiter.
-firstnumber_of_entries_to_return: (Optional) Specifies the number of most recent entries to display.

Description

This command lists a specified number of the most recently audited commands.

Use this command to display the in-memory audit log. Use the dumpauditlog command to manually dump the contents of the in-memory audit log to a file on the current configuration node and clear the contents of the in-memory audit log

The in-memory portion of the audit log holds approximately 1 MB of audit information. Depending on the command text size and the number of parameters, this equals 1 MB of records or approximately 6000 commands.

Once the in-memory audit log reaches maximum capacity, the log is written to a local file on the configuration node in the /dumps/audit directory. The catauditlog command only displays the in-memory part of the audit log; the on-disk part of the audit log is in readable text format and does not require any special command to decode it.

The in-memory log entries are reset and cleared automatically, ready to accumulate new commands. The on-disk portion of the audit log can then be analyzed at a later date.

The lsdumps command with -prefix parameter (and the /dumps/audit file) can be used to list the files on the disk.

As commands are executed, they are recorded in the in-memory audit log. When the in-memory audit log becomes full, it is automatically dumped to an audit log file and the in-memory audit log is cleared.

An invocation example

This example lists the five most recent audit log entries.

catauditlog -delim : -first 5

The resulting output:

audit_seq_no timestamp    cluster_user challenge  source_panel target_panel ssh_ip_address result res_obj_id action_cmd
0            160313152255 superuser               7830619-2    7830619-2                   0      0          satask restartservice -service tomcat
1            160313152303 superuser               01-2         01-1         9.174.187.11   0      0          satask chnodeled -on 01-1
2            160313152312 superuser               01-1         01-2         9.174.187.11   0      0          satask chnodeled -on 01-2
3            160313152314 superuser               01-1         01-1         9.174.187.11   0      0          satask chnodeled -on
4            160313152316 superuser                                         9.174.187.11   0      0          svctask chenclosure -managed yes 1
5            160313152349 superuser                                         9.174.187.11   0      0          svctask mkmdiskgrp -ext 256
6            160313152352 superuser                                         9.174.187.11   0      0          svctask mkarray -level raid5 -drive 3:4:5 0