

seaudit Utility—Display Audit Log Records

The seaudit utility displays the records in the CA ControlMinder audit log file. To execute the seaudit utility on Windows, you must have the AUDITOR attribute and must belong to the audir_group in seos.ini. When displaying audit records that include passwords, seaudit protects the password identity by substituting a series of asterisks (***) in place of the password text.

Note: You can use string-matching masks in the command switches and options. Some UNIX shells automatically expand mask arguments; therefore, when you invoke seaudit from such a shell, prevent the shell from interpreting the masks by typing a backslash (\) before each asterisk or question mark.

Note: The seaudit utility displays trace records by user name, not by user ID.

This command has the following format:

seaudit switch [options]
switch

Defines the mode of operation for the utility. Can be one of the following options:

‑a | -all

Displays all records except the user trace records sent to the audit log by the tracing facility.

Note: The connected TCP records, which are available for UNIX, are also not displayed. Specify the -c option to display these records.

-, | -help

Displays the help for this utility.

{‑i | -inet} host service

Displays the INET audit records of the TCP requests received from the specified hosts for the specified services. Both host and service are masks that identify the set of hosts and services that seaudit searches for.

On UNIX, to list the TCP records with the network ID (port number) to which connection was made, add the ‑c flag. For example:

seaudit -i -c myhost telnet

{‑l | -login} user1, user2, ... terminal

Displays the LOGIN records for the specified comma-separated users on the specified terminal.

Both user and terminal are masks.

On UNIX, this also lists records that are created by serevu when it enables and disables users, and records that are created by the authorization daemon when an invalid password is entered.

{‑r | -resource} class resource user1, user2, ...

Displays the general resources audit of the specified class on the specified resource for the specified comma-separated users.

  • class is a mask that identifies the class to which the accessed resource belongs.
  • resource is a mask that identifies the names of the resources that were accessed.
  • user is a mask of the name of the user who accessed the resource.

‑s | -start

Displays the CA ControlMinder startup and shutdown messages.

‑St | ‑Stat message_number

(UNIX only) Displays a description of the watchdog message number.

‑t | -table

Displays the table of log codes.

‑tr

Displays trace records of all the users whose activities are being traced.

Note: Trace records display the login session ID column by default. If you do not want to display this column, use the -format option.

‑trr resource

Displays the trace records of the specified resource.

‑tru {uid1|user1}, {uid2|user2}, ...

Displays the trace records of the users with the specified numeric uids or user names.

‑u command class record user

Displays database update audit records:

  • command is a mask identifying the set of selang commands to search for.
  • class is a mask identifying the classes to search for.
  • record is a mask identifying the records to search for.
  • user is a mask identifying the users who executed the commands.

‑w

Displays the watchdog audit records.

options

Defines optional modifiers that change the way that the utility displays its information. Can be one or more of the following options:

‑c

(UNIX only) Displays the connected INET records. These records are generated for session ID tracking and list the port number of successful TCP connections.

For example, a user (user1) opens a Telnet session from comp1 to comp2, both with CA ControlMinder installed. CA ControlMinder on comp2 can be configured (logconnected configuration setting) to send the acknowledgement to comp1 with the credentials of the user who logged in through the Telnet session (this may be a user other than user1). When comp1 receives this acknowledgement, it creates a TCP-CONNECTED record (a session establishment record) that can then be displayed using the -c option.

‑detail

Displays detailed information about each record.

‑delim delimiter

Defines the delimiter to use before the first field and between the remaining fields. For example, the following command makes fields appear in quotation marks that are separated by a comma:

seaudit -a -delim \",\"

‑delim2 delimiter

Same as the ‑delim option, except that the delimiter does not appear before the first field.

-delim3 delimiter

Same as the -delim option, except that it includes a delimiter between day, month, and year.

-delim4 delimiter

Same as the -delim2 option.

‑ed date

Specifies the end date. Records that are logged after this date are not displayed.

You can specify the date in one of two ways:

  • Using the format ddmmyyyy.
  • Using the string today to set the date as today.

You can also use the string today followed by ‑ (minus) and a number. This defines the date as the specified number of days before today. For example, today‑3 means that the date is three days ago.

‑et time

Specifies the end time. Records that are logged after this time are not displayed.

You can specify time in one of two ways:

  • Using the 24-hour format hh:mm
  • Using the string now to set the time as now.

You can also use the string now followed by ‑ (minus) and a number. This defines the time as the specified number of minutes before now. For example, now‑60 means that the time is sixty minutes (one hour) ago. To delineate a time frame within a particular day, use this option with ‑sd, ‑ed, or both.

Note: The now string is valid only for the present day's time. For example, if the present time is 1:30 am, you can specify now-89. If you specify now-90, then no records appear.

‑f | -failure

Specifies not to display access failures.

{‑fn | -file} fileName

Specifies the name of the audit log file to be searched.

-format release

Specifies that the output is formatted as it was in the specified CA ControlMinder release.

release—Defines the release number. The valid values are:

  • 80sp1—The output in r8 SP1 did not include the effective UID column that exists in newer releases.
  • 12—The output in r12.0 did not include the ability to display password change records. For trace records, the output in r12.0 also did not include the login session ID information.

‑g | -grant

Specifies not to display successful (granted) accesses.

‑gn | -grantnotify

Specifies not to display successful (granted) accesses, except for notify records.

-kbl -a -sid sid {-rp | -pr | -cmd | -exe | -disp}

(UNIX only) Specifies to display the content of the keyboard logging audit file (kbl.audit).

-a

Displays all recorded sessions in the audit file.

-sid sid

Specifies the keyboard logging session ID.

-rp

Replays the entire keyboard logging session.

-pr

Displays the entire keyboard logging session, excluding control characters.

-cmd

(UNIX only) Displays the commands that the user entered during the command line logging session.

-exe

Displays the EXECARGS details of commands that the user executed in the shell.

-disp

Specifies to display the recorded session time.

Note: You can run the command in the following shells: bash, tcsh, csh, ksh, jsh, rsh, ash, zsh

‑logout

(UNIX only) Specifies not to display logout records.

‑millennium

(UNIX only) Specifies that years be displayed with four digits instead of two.

‑n | -netaddr

Specifies that the internet addresses should be displayed instead of host names in TCP/IP records.

‑notify

Specifies not to display NOTIFY audit records.

{‑o | -origin} host

Specifies that only records originating from the specified host be displayed.

This option is only applicable when browsing records from a consolidated audit file that is created by the selogrcd log‑routing collection daemon.

‑pwa

(UNIX only) Specifies not to display password attempt records.

‑sd date

Specifies the start date. Records that were logged before this date are not displayed.

You can specify the date in one of two ways:

  • Using the format ddmmyyyy.
  • Using the string today to set the date as today.

You can also use the string today followed by ‑ (minus) and a number. This defines the date as the specified number of days before today. For example, today‑3 means that the date is three days ago.

‑sessionid

Displays a column that contains the user login session ID. This column is hidden by default.

Note: This option is valid only for endpoints with r12.0 SP1 and above.

‑st time

Specifies the start time. Records that were logged before this time are not displayed.

You can specify time in one of two ways:

  • Using the 24-hour format hh:mm
  • Using the string now to set the time as now.

You can also use the string now followed by ‑ (minus) and a number. This defines the time as the specified number of minutes before now. For example, now‑60 means that the time is sixty minutes (one hour) ago. To delineate a time frame within a particular day, use this option with ‑sd, ‑ed, or both.

Note: The now string is valid only for the present day's time. For example, if the present time is 1:30 am, you can specify now-89. If you specify now-90, then no records appear.
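Putting the mask-escaping note and the today/now date rules together, here is an added shell example (not part of the CA documentation) that builds a seaudit -r query for the last N minutes and switches to absolute ddmmyyyy and hh:mm values when the window crosses midnight, the case the note above says now-N cannot express. It assumes UTC clocks, dates after 1970, and only prints the command rather than running it.

```shell
#!/bin/sh
# Added example (not CA's code): build a seaudit command line for the last
# N minutes. now-N only reaches back within the present day, so when the
# window crosses midnight the script emits absolute -sd/-st/-ed/-et values
# in the ddmmyyyy and hh:mm formats the utility expects. Assumes UTC clocks.

# Escape * and ? in a mask so the shell passes it to seaudit unexpanded.
escape_mask() { printf '%s' "$1" | sed 's/[*?]/\\&/g'; }

# Epoch seconds -> "ddmmyyyy hh:mm" (civil-from-days, dates after 1970).
civil_from_epoch() {
  days=$(($1 / 86400)); rem=$(($1 % 86400))
  z=$((days + 719468)); era=$((z / 146097)); doe=$((z - era * 146097))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  y=$((yoe + era * 400))
  doy=$((doe - (365 * yoe + yoe / 4 - yoe / 100)))
  mp=$(( (5 * doy + 2) / 153 ))
  d=$((doy - (153 * mp + 2) / 5 + 1))
  if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
  if [ "$m" -le 2 ]; then y=$((y + 1)); fi
  printf '%02d%02d%04d %02d:%02d' "$d" "$m" "$y" $((rem / 3600)) $((rem % 3600 / 60))
}

# Usage: seaudit_window_cmd NOW_EPOCH MINUTES CLASS RESOURCE USER
# Prints the command instead of running it, so it can be reviewed or tested.
seaudit_window_cmd() {
  now_epoch=$1; mins=$2
  cls=$(escape_mask "$3"); res=$(escape_mask "$4"); usr=$(escape_mask "$5")
  now_civil=$(civil_from_epoch "$now_epoch")
  start_civil=$(civil_from_epoch $((now_epoch - mins * 60)))
  now_d=${now_civil%% *}; now_t=${now_civil##* }
  st_d=${start_civil%% *}; st_t=${start_civil##* }
  if [ "$now_d" = "$st_d" ]; then
    # Same calendar day: the relative forms from the manual are valid.
    win="-sd today -st now-$mins -ed today -et now"
  else
    # Crosses midnight: now-N would return nothing, so use absolute values.
    win="-sd $st_d -st $st_t -ed $now_d -et $now_t"
  fi
  printf 'seaudit -r %s %s %s %s -detail\n' "$cls" "$res" "$usr" "$win"
}

# Example call: FILE accesses under /etc by any user in the last 90 minutes.
seaudit_window_cmd "$(date +%s)" 90 FILE '/etc/*' '*'
```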

‑v | -servnum

Specifies that port numbers are displayed instead of service names.

‑warn

Specifies not to display warning records.

Examples

More information:

How To Identify the Event Type of an Audit Record

Audit Event Types