The seaudit utility displays the records in the CA ControlMinder audit log file. To execute the seaudit utility on Windows, you must have the AUDITOR attribute and must belong to the audir_group in seos.ini. When displaying audit records that include passwords, seaudit protects the password by substituting a series of asterisks (***) for the password text.
Note: You can use string matching (masks) in the command switches and options. Some UNIX shells automatically expand mask arguments; therefore, when invoking seaudit from such a shell, prevent the shell from expanding the masks by typing a backslash (\) before each asterisk or question mark.
Note: The seaudit utility displays trace records by user name, not by user ID.
This command has the following format:
seaudit switch [options]
Defines the mode of operation for the utility. Can be one of the following options:
Displays all records except the user trace records sent to the audit log by the tracing facility.
Note: The connected TCP records, which are available for UNIX, are also not displayed. Specify the -c option to display these records.
Displays the help for this utility.
Displays the INET audit records of the TCP requests received from the specified hosts for the specified services. Both host and service are masks that identify the set of hosts and services that seaudit searches for.
On UNIX, to list the TCP records with the network ID (port number) to which the connection was made, add the -c flag. For example:
seaudit -i -c myhost telnet
Displays the LOGIN records for the specified comma-separated users on the specified terminal.
Both user and terminal are masks.
On UNIX, this also lists records that are created by serevu when it enables and disables users, and records that are created by the authorization daemon when an invalid password is entered.
Displays the general resource audit records of the specified class for the specified resource and the specified comma-separated users.
Displays the CA ControlMinder startup and shutdown messages.
(UNIX only) Displays a description of the watchdog message number.
Displays the table of log codes.
Displays trace records of all the users whose activities are being traced.
Note: Trace records display the login session ID column by default. If you do not want to display this column, use the -format option.
Displays the trace records of the specified resource.
Displays the trace records of the users with the specified numeric uids or user names.
Displays database update audit records:
Displays the watchdog audit records.
Defines optional modifiers that change the way that the utility displays its information. Can be one or more of the following options:
(UNIX only) Displays the connected INET records. These records are generated for session ID tracking and list the port number of successful TCP connections.
For example, a user (user1) opens a Telnet session from comp1 to comp2, both with CA ControlMinder installed. CA ControlMinder on comp2 can be configured (logconnected configuration setting) to send the acknowledgement to comp1 with the credentials of the user who logged in through the Telnet session (this may be a user other than user1). When comp1 receives this acknowledgement, it creates a TCP-CONNECTED record (a session establishment record) that can then be displayed using the -c option.
Displays detailed information about each record.
Defines the delimiter to use before the first field and between the remaining fields. For example, the following command makes each field appear in quotation marks, with the fields separated by a comma:
seaudit -a -delim \",\"
Same as the -delim option, except that the delimiter does not appear before the first field.
Same as the -delim option, except that it includes a delimiter between day, month, and year.
Same as the -delim2 option.
Specifies the end date. Records that are logged after this date are not displayed.
You can specify the date in one of two ways:
You can also use the string today followed by - (minus) and a number. This defines the date as the specified number of days before today. For example, today-3 means that the date is three days ago.
Specifies the end time. Records that are logged after this time are not displayed.
You can specify time in one of two ways:
You can also use the string now followed by - (minus) and a number. This defines the time as the specified number of minutes before now. For example, now-60 means that the time is sixty minutes (one hour) ago. To delineate a time frame within a particular day, use this option with -sd, -ed, or both.
Note: The now string is valid only for the present day's time. For example, if the present time is 1:30 am, you can specify now-89. If you specify now-90, then no records appear.
Specifies not to display access failures.
Specifies the name of the audit log file to be searched.
Specifies that the output format looks like it did for the CA ControlMinder release.
release—Defines the release number. The valid values are:
Specifies not to display successful (granted) accesses.
Specifies not to display successful (granted) accesses, except for notify records.
(UNIX only) Specifies to display the content of the keyboard logging audit file (kbl.audit).
Displays all recorded sessions in the audit file.
Specifies the keyboard logging session ID.
Replays the entire keyboard logging session.
Displays the entire keyboard logging session, excluding control characters.
(UNIX only) Displays the commands that the user entered during the command line logging session.
Displays the EXECARGS details of commands that the user executed in the shell.
Specifies to display the recorded session time.
Note: You can run the command in the following shells: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh
(UNIX only) Specifies not to display logout records.
(UNIX only) Specifies that years be displayed with four digits instead of two.
Specifies that the internet addresses should be displayed instead of host names in TCP/IP records.
Specifies not to display NOTIFY audit records.
Specifies that only records originating from the specified host be displayed.
This option is only applicable when browsing records from a consolidated audit file that is created by the selogrcd log-routing collection daemon.
(UNIX only) Specifies not to display password attempt records.
Specifies the start date. Records that were logged before this date are not displayed.
You can specify the date in one of two ways:
You can also use the string today followed by - (minus) and a number. This defines the date as the specified number of days before today. For example, today-3 means that the date is three days ago.
Specifies to show a column that contains user login session ID information. This column is hidden by default.
Note: This option is valid only for endpoints with r12.0 SP1 and above.
Specifies the start time. Records that were logged before this time are not displayed.
You can specify time in one of two ways:
You can also use the string now followed by - (minus) and a number. This defines the time as the specified number of minutes before now. For example, now-60 means that the time is sixty minutes (one hour) ago. To delineate a time frame within a particular day, use this option with -sd, -ed, or both.
Note: The now string is valid only for the present day's time. For example, if the present time is 1:30 am, you can specify now-89. If you specify now-90, then no records appear.
Specifies that port numbers are displayed instead of service names.
Specifies not to display warning records.
Examples
seaudit -a -sd 04-Jan-2004
seaudit -sd 04-Jan-2004 -ed 04-Jan-2004 -l root * -g
seaudit -r FILE "*" John
seaudit -a -st 17:00 -et 08:00
seaudit -a -st 08:00 -et 17:00
seaudit -login * * -resource * * * -grant -failure -logout -pwa
seaudit -login "user1, user2"
seaudit -a -sd today-1 -ed today-1
seaudit -kbl
seaudit -kbl -a
seaudit -kbl -a -sid 22764
seaudit -kbl -sid 22316 -rp
seaudit -kbl -sid 22316 -cmd
seaudit -tru 244 -trr FILE
seaudit -tru "user1, 244"
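The now-N rule above has a practical consequence for scheduled reports: a job that runs shortly after midnight with -st now-60 silently gets no records. The following helper is an added example, not part of CA ControlMinder or of this page; it mirrors the documented now-N validity rule, escapes masks for the shell as the note at the top describes, and emits explicit -sd/-ed/-st/-et command lines, splitting a window that crosses midnight into two invocations (the date and time formats are assumed from the examples above).

```python
from datetime import datetime, timedelta
from typing import List

# Constructed helper, not part of CA ControlMinder: builds seaudit command
# lines for "the last N minutes" so that a scheduled (cron) report does not
# silently lose records when now-N would cross midnight.

DATE_FMT = "%d-%b-%Y"   # the 04-Jan-2004 form used by -sd/-ed on this page
TIME_FMT = "%H:%M"      # the 17:00 form used by -st/-et on this page


def now_spec_is_valid(spec: str, now: datetime) -> bool:
    """Mirror the documented rule: now-N is valid only for the present day.
    At 01:30, now-89 is valid and now-90 (exactly midnight) returns nothing."""
    minutes = int(spec[len("now-"):])
    return minutes < now.hour * 60 + now.minute


def shell_mask(mask: str) -> str:
    """Escape * and ? so the shell passes the mask to seaudit unexpanded."""
    return "".join("\\" + c if c in "*?" else c for c in mask)


def login_window_cmds(window_minutes: int, now: datetime,
                      user_mask: str = "*", terminal_mask: str = "*") -> List[str]:
    """Return one or two 'seaudit -l users terminal' command lines covering
    the window_minutes that end at now, using explicit dates and times."""
    start = now - timedelta(minutes=window_minutes)
    tail = f"-l {shell_mask(user_mask)} {shell_mask(terminal_mask)}"

    def cmd(day: datetime, st: str, et: str) -> str:
        d = day.strftime(DATE_FMT)
        return f"seaudit -sd {d} -ed {d} -st {st} -et {et} {tail}"

    if start.date() == now.date():
        return [cmd(now, start.strftime(TIME_FMT), now.strftime(TIME_FMT))]
    # Window crosses midnight: a now-N spec cannot express this, so query the
    # tail of the previous day and the head of today separately.
    return [cmd(start, start.strftime(TIME_FMT), "23:59"),
            cmd(now, "00:00", now.strftime(TIME_FMT))]


if __name__ == "__main__":
    for line in login_window_cmds(120, datetime(2004, 1, 4, 1, 30)):
        print(line)
```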
Copyright © 2013 CA Technologies.
All rights reserved.