Use the catauditlog command to display the in-memory contents of the audit log.
This command lists a specified number of the most recently audited commands.
The in-memory portion of the audit log holds approximately 1 MB of audit information. Depending on the command text size and the number of parameters, this equals 1 MB records or approximately 6000 commands.
Once the in-memory audit log reaches maximum capacity, the log is written to a local file on the configuration node in the /dumps/audit directory. The catauditlog command only displays the in-memory part of the audit log; the on-disk part of the audit log is in readable text format and does not require any special command to decode it.
The in-memory log entries are reset and cleared automatically, ready to accumulate new commands. The on-disk portion of the audit log can then be analyzed at a later date.
The lsdumps command with -prefix/dumps/auditcan be used to list the files on the disk.
As commands are executed they are recorded in the in-memory audit log. When the in-memory audit log becomes full it is automatically dumped to an audit log file and the in-memory audit log is cleared.
Use the this command to display the in-memory audit log. Use the dumpauditlog command to manually dump the contents of the in-memory audit log to a file on the current configuration node and clear the contents of the in-memory audit log
This example lists the five most recent audit log entries.
catauditlog -delim : -first 5
The resulting output:
audit_seq_no:timestamp:cluster_user:ssh_ip_address:result:res_obj_id:action_cmd 35:091012114520:superuser:9.20.160.249:0::dumpauditlog 36:091012115150:superuser:9.20.160.249:0::chquorum -mdisk 45 3 37:091012115256:superuser:9.20.160.249:0::chvdisk -name vdisk_master 1 38:091012115302:superuser:9.20.160.249:0::chvdisk -name vdisk_aux 2 39:091012115328:superuser:9.20.160.249:0::chvdisk -name disk 3