HP-UX Reference (11i v2 03/08) - 1M System Administration Commands A-M (vol 3)

audisp(1M) audisp(1M)
NAME
audisp - display the audit information as requested by the parameters
SYNOPSIS
audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid] [-t start_time]
[-s stop_time] [-y2 | -y4] audit_filename ...
DESCRIPTION
audisp analyzes and displays the audit information contained in the specified audit_filename audit files.
The audit files are merged into a single audit trail in time order. Although the entire audit trail is
analyzed, audisp allows you to limit the information displayed, by specifying options. This command is
restricted to privileged users.
Any unspecified option is interpreted as an unrestricted specification. For example, a missing
-u username option causes all users' audit information in the audit trail to be displayed as long as it
satisfies all other specified options. By the same principle, citing -t start_time without -s stop_time
displays all audit information beginning from start_time to the end of the file.
audisp without any options displays all recorded information from the start of the audit file to the end.
Specifying an option without its required parameter results in an error. For example, specifying
-e without any eventname returns with an error message.
Options
-u username Specify the login name (username) about whom to display information. If no (username)
is specified, audisp displays audit information about all users in the audit file.
-e eventname Display audit information of the specified event types. The defined event types are
admin, close, create, delete, ipcclose, ipccreat, ipcdgram, ipcopen,
login, modaccess, moddac, open, process, readdac, removable, uevent1,
uevent2, and uevent3 (see audevent(1M)).
-c syscall Display audit information about the specified system calls.
-p Display only successful operations that were recorded in the audit trail. No user event
that results in a failure is displayed, even if username and eventname are specified.
The -p and the -f options are mutually exclusive; do not specify both on the same command
line. To display both successful and failed operations, omit both -p and -f options.
-f Display only failed operations that are recorded in the audit trail.
-l ttyid Display all operations that occurred on the specified terminal (ttyid) and were recorded
in the audit trail. By default, operations on all terminals are displayed.
-t start_time Display all audited operations occurring since start_time, specified as mmddhhmm[yy]
(month, day, hour, minute, year). If the year is specified and is greater than 70, it is
interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first
century. If no year is given, the current year is used. No operation in the audit trail
occurring before the specified time is displayed.
-s stop_time Display all audited operations occurring before stop_time, specified as mmddhhmm[yy]
(month, day, hour, minute, year). If the year is specified and is greater than 70, it is
interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first
century. If no year is given, the current year is used. No operation in the audit trail
occurring after the specified time is displayed.
-y2 | -y4 The year is displayed as a two-digit number (with -y2), or as a four-digit number (with
-y4). The default is -y2. Note that start_time and stop_time must still be specified as
two-digit numbers.
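The following is an added example, not part of the HP-UX manual text: shell helpers that turn a review window into -t and -s arguments using the two-digit year rule described above, and that keep -p and -f from being combined. The function names, the user and the audit file path are hypothetical; the helpers only print a command line and do not run audisp.

```shell
# Added example: build audisp arguments for a review window.
# Helper names are hypothetical; nothing here invokes audisp itself.

# Expand a two-digit year the way the page describes for -t and -s:
# greater than 70 is read as 19yy, anything else as 20yy.
audisp_expand_year() {
    case $1 in [0-9][0-9]) ;; *) return 1 ;; esac
    n=${1#0}                      # drop a leading zero so 08 is not read as octal
    if [ "$n" -gt 70 ]; then echo $((1900 + n)); else echo $((2000 + n)); fi
}

# Convert "YYYY-MM-DD HH:MM" to mmddhhmmyy. Fails when the year does not
# survive the two-digit rule (only 1971..2070 do). Field ranges are not checked.
audisp_time() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]) ;;
        *) echo "audisp_time: expected 'YYYY-MM-DD HH:MM'" >&2; return 1 ;;
    esac
    year=${1%%-*}; rest=${1#*-}
    mm=${rest%%-*}; rest=${rest#*-}
    dd=${rest%% *}; rest=${rest#* }
    hh=${rest%%:*}; mi=${rest#*:}
    yy=${year#??}
    [ "$(audisp_expand_year "$yy")" = "$year" ] ||
        { echo "audisp_time: year $year cannot be given as two digits" >&2; return 1; }
    echo "$mm$dd$hh$mi$yy"
}

# Print an audisp command line for one user over a time window.
# outcome: ok (-p), fail (-f) or all (neither, since -p and -f are exclusive).
audisp_window_cmd() {
    [ $# -ge 5 ] || { echo "usage: audisp_window_cmd user start stop outcome file..." >&2; return 1; }
    user=$1 start=$2 stop=$3 outcome=$4; shift 4
    case $outcome in
        ok) flag=" -p" ;; fail) flag=" -f" ;; all) flag="" ;;
        *) echo "outcome must be ok, fail or all" >&2; return 1 ;;
    esac
    t=$(audisp_time "$start") || return 1
    s=$(audisp_time "$stop") || return 1
    echo "audisp -u $user$flag -t $t -s $s -y4 $*"
}

# Constructed sample: failed operations by root during one working day.
audisp_window_cmd root '2003-08-01 09:00' '2003-08-01 17:30' fail /var/audit/file1
```

Passing -y4 makes the displayed years unambiguous even though the window itself has to be written with two-digit years.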
AUTHOR
audisp was developed by HP.
SEE ALSO
audevent(1M), audit(4), audit(5).
Section 1M50 Hewlett-Packard Company 1 HP-UX 11i Version 2: August 2003