seaudit Utility—Display Audit Log Records

The seaudit utility displays the records in the CA Access Control audit log file. To execute the seaudit utility on Windows, you must have the AUDITOR attribute. To execute the seaudit utility on UNIX, you must belong to the audit_group defined in seos.ini. When displaying audit records that include passwords, seaudit protects the password by substituting a series of asterisks (***) for the password text.

Note: You can use string matching in the command switches and options. Some UNIX shells automatically expand mask arguments; therefore, when invoking seaudit from such a shell, you should prevent the masks from being handled by the shell by typing a backslash (\) before an asterisk or question mark.

Note: The seaudit utility displays trace records by user name, not by user ID.

This command has the following format:

seaudit switch [options]

switch

Defines the mode of operation for the utility. Can be one of the following:

‑a | -all

Displays all records except user trace records sent to the audit log by the tracing facility.

Note: Connected TCP records, which are available on UNIX, are also not displayed. You must also specify the -c option to display these records.

-h | -help

Displays the help for this utility.

{‑i | -inet} host service

Displays the INET audit records of the TCP requests received from the specified hosts for the specified services. Both host and service are masks that identify the set of hosts and services that seaudit searches for.

On UNIX, to list TCP records with the network ID (port number) to which the connection was made, add the ‑c flag. For example:

seaudit -i -c myhost telnet

{‑l | -login} user1, user2, ... terminal

Displays the LOGIN records for the specified comma-separated users on the specified terminal.

Both user and terminal are masks.

On UNIX, this also lists records created by serevu when it enables and disables users, and records created by the authorization daemon when an invalid password is entered.

{‑r | -resource} class resource user1, user2, ...

Displays the general resources audit of the specified class on the specified resource for the specified comma-separated users.

  • class is a mask that identifies the class to which the accessed resource belongs.
  • resource is a mask that identifies the names of the resources that were accessed.
  • user is a mask of the name of the user who accessed the resource.

‑s | -start

Displays the CA Access Control startup and shutdown messages.

‑St | ‑Stat message_number

(UNIX only) Displays a description of the watchdog message number.

‑t | -table

Displays the table of log codes.

‑tr

Displays trace records of all the users whose activities are being traced.

Note: Trace records display the login session ID column by default. If you do not want to display this column, use the -format option.

‑trr resource

Displays the trace records of the specified resource.

‑tru {uid1|user1}, {uid2|user2}, ...

Displays the trace records of the users with the specified numeric uids or user names.

‑u command class record user

Displays database update audit records:

  • command is a mask identifying the set of selang commands to search for.
  • class is a mask identifying the classes to search for.
  • record is a mask identifying the records to search for.
  • user is a mask identifying the users who executed the commands.

‑w

Displays the watchdog audit records.

options

Defines optional modifiers that change the way the utility displays its information. Can be one or more of the following:

‑c

(UNIX only) Displays connected INET records. These are records generated for session ID tracking, which list the port number of successful TCP connections.

For example, a user (user1) opens a Telnet session from comp1 to comp2, both with CA Access Control installed. CA Access Control on comp2 can be configured (logconnected configuration setting) to send acknowledgement to comp1 with the credentials of the user who logged in through the Telnet session (this may be a user other than user1). When comp1 receives this acknowledgement, it creates a TCP-CONNECTED record (a session establishment record) that can then be displayed using the -c option.

‑detail

Displays detailed information about each record.

‑delim delimiter

Defines the delimiter to use before the first field and between the remaining fields. For example, the following command makes fields appear in quotation marks separated by a comma:

seaudit -a -delim \",\"

‑delim2 delimiter

Same as the ‑delim option, except that the delimiter does not appear before the first field.

-delim3 delimiter

Same as the -delim option, except that it includes a delimiter between day, month, and year.

-delim4 delimiter

Same as the -delim2 option.

‑ed date

Specifies the end date. Records logged after this date are not displayed.

You can specify date in one of two ways:

  • Using the format ddmmyyyy.
  • Using the string today to set the date as today.

You can also use the string today followed by ‑ (minus) and a number. This defines the date as the specified number of days before today. For example, today‑3 means that the date is three days ago.

‑et time

Specifies the end time. Records logged after this time are not displayed.

You can specify time in one of two ways:

  • Using the 24-hour format hh:mm
  • Using the string now to set the time as now.

You can also use the string now followed by ‑ (minus) and a number. This defines the time as the specified number of minutes before now. For example, now‑60 means that the time is sixty minutes (one hour) ago. To delineate a time frame within a particular day, use this option in conjunction with ‑sd, ‑ed or both.

‑f | -failure

Specifies not to display access failures.

{‑fn | -file} fileName

Specifies the name of the audit log file to be searched.

-format release

Specifies that the output format looks like it did for the specified CA Access Control release.

release—Defines the release number. Valid values are:

  • 80sp1—The output in r8 SP1 did not include the effective UID column that exists in newer releases.
  • 12—The output in r12.0 did not include the ability to display password change records. For trace records, the output in r12.0 also did not include login session ID information.

‑g | -grant

Specifies not to display successful (granted) accesses.

‑gn | -grantnotify

Specifies not to display successful (granted) accesses, except for notify records.

-kbl -a -sid sid {-rp | -pr | -cmd | -exe | -disp}

(UNIX only) Specifies to display the content of the keyboard logging audit file (kbl.audit).

-a

Displays all recorded sessions in the audit file.

-sid sid

Specifies the keyboard logging session ID.

-rp

Replays the entire keyboard logging session.

-pr

Displays the entire keyboard logging session, excluding control characters.

-cmd

(UNIX only) Displays the commands that the user entered during the command line logging session.

-exe

Displays EXECARGS details of commands that the user executed in the shell.

-disp

Specifies to display the recorded session time.

Note: You can run the command in the following shells: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh.

‑logout

(UNIX only) Specifies not to display logout records.

‑millennium

(UNIX only) Specifies that years should be displayed with four digits instead of two.

‑n | -netaddr

Specifies that Internet addresses should be displayed instead of host names in TCP/IP records.

‑notify

Specifies not to display NOTIFY audit records.

{‑o | -origin} host

Specifies that only records originating from the specified host should be displayed.

This option is only applicable when browsing records from a consolidated audit file created by the selogrcd log‑routing collection daemon.

‑pwa

(UNIX only) Specifies not to display password attempt records.

‑sd date

Specifies the start date. Records logged prior to this date are not displayed.

You can specify date in one of two ways:

  • Using the format ddmmyyyy.
  • Using the string today to set the date as today.

You can also use the string today followed by ‑ (minus) and a number. This defines the date as the specified number of days before today. For example, today‑3 means that the date is three days ago.

-sessionid

Specifies to show a column that contains user login session ID information. This column is hidden by default.

Note: This option is valid only for endpoints with r12.0 SP1 and above.

‑st time

Specifies the start time. Records logged prior to this time are not displayed.

You can specify time in one of two ways:

  • Using the 24-hour format hh:mm
  • Using the string now to set the time as now.

You can also use the string now followed by ‑ (minus) and a number. This defines the time as the specified number of minutes before now. For example, now‑60 means that the time is sixty minutes (one hour) ago. To delineate a time frame within a particular day, use this option in conjunction with ‑sd, ‑ed or both.

‑v | -servnum

Specifies that port numbers are displayed instead of service names.

‑warn

Specifies not to display warning records.

Examples
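The following script is an added example and is not CA's own code. It shows how the switches and options above combine in practice: a LOGIN query over a relative date window (-sd today-2 -st 00:00), four-digit years (-millennium, UNIX only), machine-readable output with -delim2, and masks quoted so the shell cannot expand them (single quotes are equivalent to the backslash escaping the note at the top of this page recommends). The audit file path is a placeholder, the position of the user-name column is an assumption to adjust for your endpoint, and the sample lines are constructed, since the column layout of seaudit output is not documented on this page. The field counter also handles output produced with -delim, which puts a delimiter before the first field, so it works for either form.

```shell
#!/bin/sh
# Added example (not CA's own code): query recent LOGIN records with seaudit
# and summarise the delimited output per user.

AUDIT_FILE="/path/to/seos.audit"   # placeholder: the real path is site-specific
DELIM=","                          # field delimiter passed to -delim2
USER_FIELD=5                       # assumed 1-based index of the user column

# All LOGIN records (mask '*' for users and for terminals) logged from
# midnight two days ago, with four-digit years and one delimiter between
# fields (-delim2 prints none before the first field). The masks are
# single-quoted so this shell never expands them; no backslash is needed.
query_logins() {
    seaudit -l '*' '*' \
        -sd today-2 -st 00:00 \
        -millennium \
        -delim2 "$DELIM" \
        -fn "$AUDIT_FILE"
}

# Count records per value of one field in delimited output read from stdin.
# $1 = delimiter, $2 = 1-based field index.
# Output produced with -delim (delimiter before the first field) yields an
# empty first awk field, so the index is shifted by one in that case; -delim2
# output needs no shift. This assumes the first column is never empty.
count_by_field() {
    awk -F"$1" -v f="$2" '
        NF == 0 { next }
        { idx = ($1 == "") ? f + 1 : f; counts[$idx]++ }
        END { for (k in counts) printf "%s %d\n", k, counts[k] }
    ' | sort
}

# Constructed sample lines standing in for seaudit -delim2 output. The column
# layout here is invented for the example; only the user field is consulted.
sample_delim2() {
    printf '%s\n' \
        '01022024,08:15,host1,LOGIN,alice,tty1,P' \
        '01022024,08:17,host1,LOGIN,bob,tty2,D' \
        '01022024,08:20,host1,LOGIN,alice,tty1,P'
}

# The same records as -delim would print them: a delimiter before each line.
sample_delim() {
    sample_delim2 | sed "s/^/$DELIM/"
}

# Usage: sh seaudit_logins.sh run
# Any other invocation only defines the functions (e.g. for sourcing).
if [ "${1:-}" = "run" ]; then
    query_logins | count_by_field "$DELIM" "$USER_FIELD"
fi
```

With a real audit file, `sh seaudit_logins.sh run` prints one line per user with the number of LOGIN records in the window; pair -l with -f or -g (see above) to restrict the count to failures or successes only. Because the script passes masks and the delimiter as quoted arguments rather than through `eval`, no user-controlled text is ever re-parsed by the shell.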

More information:

How To Identify the Event Type of an Audit Record

Audit Event Types