auditdp.1m (2011 03)

auditdp(1M) auditdp(1M)
relative to the current directory. See audit_hpux_raw(5) for more information
about the DPMS service module for raw audit data.
-s filter_string Selectively process audit data based on the filter expression specified in
filter_string. The filter string typically has the following form:
({+|-}attribute operator value;)+
where:
( )+ means one or more occurrences of the pattern that is in the parentheses.
See audit_dpms_filter(4) for more details about the supported attributes, operators,
and types of values. You can also write a filter string in a more complex form, as
long as the string is supported by the filter file. Only the audit data matching the
filtering criteria will be included in the target output.
The -s and -S options cannot both be specified. If neither -s nor -S is specified,
all data from the input stream is processed.
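
An added example, not part of the HP-UX manual: a POSIX shell helper that assembles a -s filter string from separate terms and rejects any term that does not fit the {+|-}attribute operator value form above, so a value taken from a script argument cannot carry an extra term into the filter. The name build_filter, the allowed character sets, and the restriction to the = operator (the only one this page shows) are assumptions of this example; audit_dpms_filter(4) defines what auditdp actually accepts.

```shell
#!/bin/sh
# Added example (hypothetical helper, not HP-UX code).
# build_filter TERM...  prints "term1; term2; ..." or returns 1.
# Assumption: only "=" is accepted as the operator, because it is the only
# operator shown on this page; see audit_dpms_filter(4) for the full set.
build_filter() {
    if [ "$#" -eq 0 ]; then
        echo "build_filter: need at least one term" >&2
        return 1
    fi
    out=""
    for term in "$@"; do
        # Each term must start with + or - and contain an "=".
        case "$term" in
            [+-]*=*) ;;
            *) echo "build_filter: bad term: $term" >&2; return 1 ;;
        esac
        attr=${term#[+-]}      # drop the leading sign
        attr=${attr%%=*}       # keep the text before the first "="
        value=${term#*=}       # keep the text after the first "="
        # Attribute: letters, digits and underscore only (assumed set).
        case "$attr" in
            ""|*[!A-Za-z0-9_]*)
                echo "build_filter: bad attribute: $attr" >&2; return 1 ;;
        esac
        # Value: refuse empty values and any character that could end this
        # term or begin another one (";", whitespace, quotes, "+", "=").
        case "$value" in
            ""|*[!A-Za-z0-9_./-]*)
                echo "build_filter: bad value: $value" >&2; return 1 ;;
        esac
        # Join terms with "; " as in the combined filter of EXAMPLES item 9.
        out="${out:+$out; }$term"
    done
    printf '%s\n' "$out"
}

# Usage, with $sid supplied by the caller:
#   f=$(build_filter "+sid=$sid" "+event=exec") &&
#       auditdp -r /var/.audit/audit_trail -s "$f"
```
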
Security Restrictions
This command is restricted to users possessing the (hpux.security.audit.read, *) authorization.
See authadm(1M).
RETURN VALUE
The auditdp command returns 0 for success and non-zero for errors.
EXAMPLES
1. Read raw data and write to stdout using the audisp display format (see audisp(1M)).
auditdp -r /var/.audit/audit_trail
2. Read data from two raw audit trails and write the combined/sorted data to stdout using the
audisp display format (see audisp(1M)).
auditdp -r /var/.audit/audit_trail /var/.audit/audit_trail2
3. Read raw data from audit_trail and write portable data to ./portable.
auditdp -r /var/.audit/audit_trail -P portable
4. Read portable data and display only the last four events in portable format.
auditdp -p portable -n -4 -P
5. Read portable data from stdin and write portable data to ./portable2.
cat portable | auditdp -p -P portable2
6. Read portable data from multiple files and write the combined/sorted portable data to another file.
auditdp -p portable1 portable2 portable3 -P portable
7. Read and then write portable data, saving only the login events.
auditdp -p portable -P portable2 -s "+event=login"
8. Extract exec events from a particular session:
auditdp -r /var/.audit/audit_trail -s "+sid=1234" -P | \
auditdp -p -s "+event=exec"
9. The following command is the same as the above command:
auditdp -r /var/.audit/audit_trail -s "+sid=1234; +event=exec"
10. Enable the debug option for read and the silent and sync options for write.
auditdp -p portable -P portable2 -o debug -O "sync silent"
auditdp -p portable -P portable2 -o debug -O sync -O silent
11. Write only those events specified in the filter configuration file, filter.
auditdp -p portable -P portable2 -S filter
12. Write audit data using a specified DPMS service module and data format.
HP-UX 11i Version 3: March 2011 3 Hewlett-Packard Company 3