The auditrpt command will retrieve audit information from the current log file if auditing is enabled and no log files are specified on the command line. To retrieve audit information from one or more previous log files, specify the log file names as command line arguments.
For example, to display all audit information for the user boris in the log files /var/audit/0214001 and /var/audit/0215001, enter the following command:
auditrpt -u boris /var/audit/0214001 /var/audit/0215001
It is not necessary for auditing to be enabled to process previous log files.
The auditing subsystem keeps sequence information in each log file. If you specify a series of log files, auditrpt will check this sequence information to ensure that all log files are in the correct order and that no log files in a sequence are missing. If there are any problems, auditrpt displays the following warning message and continues processing:
event log file(s) are not in sequence or missing
To minimize the size of the audit event log file, the auditing subsystem records process context information for new processes whenever the information changes, or when an audit log full SWITCH condition occurs. For example, a process can be audited for more than one event, so it would be redundant to repeat all the process information in all the audit records related to this process.
The auditrpt command reconstructs the process information for each audit record that
If log files are not in sequence or are missing, auditrpt may not find all the necessary information and the following warning message is displayed:
credential information for Ppid is incomplete
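Because auditrpt continues processing after either warning, a scripted report can look complete when it is not. The following added example (not part of the original documentation or the vendor's tooling) scans captured auditrpt output for the two warning messages quoted above. The function names, the sample record lines and the merging of stdout and stderr are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): flag auditrpt reports built from an
# incomplete log sequence. Assumption: the caller merges stdout and stderr,
# since the page does not say which stream carries the warnings, e.g.
#   auditrpt -u boris /var/audit/0214001 /var/audit/0215001 2>&1 |
#       classify_auditrpt_output

# Warning text quoted on the page for out-of-order or missing log files.
SEQ_WARNING='event log file(s) are not in sequence or missing'

# Reads report text on stdin, prints a one-word verdict, and returns
# 0 only when neither warning was seen.
classify_auditrpt_output() {
    seq_gap=0
    cred_gap=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"$SEQ_WARNING"*) seq_gap=1 ;;
            # Assumed: the token shown as "Ppid" on the page varies per
            # process, so match the fixed text on either side of it.
            *"credential information for "*" is incomplete"*) cred_gap=1 ;;
        esac
    done
    case "$seq_gap$cred_gap" in
        00) echo complete; return 0 ;;
        10) echo sequence-gap ;;
        01) echo incomplete-credentials ;;
        11) echo sequence-gap+incomplete-credentials ;;
    esac
    return 1
}

# Constructed sample output; the record lines are placeholders because the
# page does not show the real auditrpt record layout.
sample_output() {
    cat <<'EOF'
event log file(s) are not in sequence or missing
<audit record placeholder 1>
credential information for P1234 is incomplete
<audit record placeholder 2>
EOF
}

# Demo run on the constructed sample; prints the verdict.
sample_output | classify_auditrpt_output || true
```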