hpux 10.20 - audisp (1)
NAME
audisp - display the audit information as requested by the parameters
SYNOPSIS
audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid]
[-t start_time] [-s stop_time] audit_filename(s) ...
DESCRIPTION
audisp analyzes and displays the audit information contained in one or
more specified audit files, audit_filename(s). The audit files
are merged into a single audit trail in time order. Although the
entire audit trail is analyzed, audisp allows you to limit the
information displayed, by specifying options. This command is
restricted to privileged users.

Any unspecified option is interpreted as an unrestricted
specification. For example, a missing -u username option causes all
users' audit information in the audit trail to be displayed as long as
it satisfies all other specified options. By the same principle,
citing -t start_time without -s stop_time displays all audit
information beginning from start_time to the end of the file.

audisp without any options displays all recorded information from the
start of the audit file to the end.

Specifying an option without its required parameter results in an error.
For example, specifying -e without any eventname returns with an error
message.
Options
-u username    Specify the login name (username) about whom to display
               information. If no (username) is specified, audisp
               displays audit information about all users in the audit
               file.

-e eventname   Display audit information of the specified event types.
               The defined event types are create, delete, moddac,
               modaccess, open, close, process, removable, login,
               admin, ipccreat, ipcopen, ipcclose, ipcdgram, uevent1,
               uevent2, and uevent3 (see audevent(1M)).

-c syscall     Display audit information about the specified system
               calls.

-p             Display only successful operations that were recorded
               in the audit trail. No user event that results in a
               failure is displayed, even if username and eventname
               are specified.

               The -p and the -f options are mutually exclusive; do
               not specify both on the same command line. To display
               both successful and failed operations, omit both -p and
               -f options.

-f             Display only failed operations that are recorded in the
               audit trail.

-l ttyid       Display all operations that occurred on the specified
               terminal (ttyid) and were recorded in the audit trail.
               By default, operations on all terminals are displayed.

-t start_time  Display all audited operations occurring since
               start_time, specified as mmddhhmm[yy] (month, day,
               hour, minute, year). If no year is given, the current
               year is used. No operation in the audit trail
               occurring before the specified time is displayed.

-s stop_time   Display all audited operations occurring before
               stop_time, specified as mmddhhmm[yy] (month, day, hour,
               minute, year). If no year is given, the current year
               is used. No operation in the audit trail occurring
               after the specified time is displayed.
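
A pre-flight check for the option rules above, as an added example that is not part of the original manual page and is not HP's code. It rejects -p combined with -f, an option missing its parameter, an event type outside the listed set, and a timestamp not in mmddhhmm[yy] form before audisp is invoked. The function names, the user jdoe and the audit file path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP's code; function names are hypothetical.
# Event types as listed under -e on this page.
EVENTS="create delete moddac modaccess open close process removable login"
EVENTS="$EVENTS admin ipccreat ipcopen ipcclose ipcdgram uevent1 uevent2 uevent3"

# True if $1 is one of the defined event types.
audisp_event_ok() {
    case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac
    case " $EVENTS " in *" $1 "*) return 0 ;; esac
    return 1
}

# True if $1 has the form mmddhhmm[yy]. Field ranges only: day-of-month is
# not checked against the month.
audisp_time_ok() {
    printf '%s\n' "$1" | grep -Eq \
        '^(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9]([0-9]{2})?$'
}

# Returns 0 if the argument list obeys the rules on this page, else 2
# with the reason on stderr.
audisp_check() {
    OPTIND=1; pass=0; fail=0
    while getopts ":u:e:c:pfl:t:s:" opt; do
        case "$opt" in
            p) pass=1 ;;
            f) fail=1 ;;
            u|c|l) ;;
            e) audisp_event_ok "$OPTARG" ||
                   { echo "unknown event type: $OPTARG" >&2; return 2; } ;;
            t|s) audisp_time_ok "$OPTARG" ||
                   { echo "-$opt needs mmddhhmm[yy], got: $OPTARG" >&2; return 2; } ;;
            :) echo "-$OPTARG requires a parameter" >&2; return 2 ;;
            *) echo "unknown option: -$OPTARG" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ "$pass" -eq 1 ] && [ "$fail" -eq 1 ]; then
        echo "-p and -f are mutually exclusive" >&2; return 2
    fi
    [ "$#" -ge 1 ] || { echo "no audit file given" >&2; return 2; }
    return 0
}

# Constructed sample: failed logins by user jdoe between 08:00 and 17:00
# on 15 March of the current year. User and file path are made up.
set -- -u jdoe -e login -f -t 03150800 -s 03151700 /constructed/audfile1
audisp_check "$@" && echo "ok to run: audisp $*"
```

Because every option given must be satisfied at once, the sample command line narrows the merged trail to one user, one event type, failures only, and one time window.
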
AUTHOR
audisp was developed by HP.
SEE ALSO
audevent(1M), audit(4), audit(5).