auditmerge Command

Purpose

Combines multiple audit trails into a single trail.

Syntax

/usr/sbin/auditmerge [ -q ] file [ file ... ]

Description

The auditmerge command combines multiple audit trail files, possibly from several different machines, into a single audit trail file. At each step, among the files that still have records remaining, the record with the oldest time stamp is added to the output. If a record with a negative time change is found, a warning message may be emitted (see the -q flag). Processing continues, and any such records are written to the output with their time values unmodified.

The auditmerge command is also capable of adding the CPU ID values from the bin header to each output record. The CPU ID value is encoded in the bin header and bin trailer.

The -q flag controls whether warning messages are written. When a record with a negative time change is first seen, a single warning message is written; it names the file containing the record and gives the time difference. These messages are suppressed when the -q flag is given on the command line.
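The merge loop described above, written out as an added Python model; this is not the auditmerge source. It assumes a simplified record (a time stamp in seconds and an event name), assumes that a negative time change is detected relative to the record written immediately before it, and tags each output record with its source file in place of the CPU ID taken from the bin header.

```python
from dataclasses import dataclass

@dataclass
class Record:
    ts: int          # time stamp in seconds (constructed, not the real bin format)
    event: str
    source: str = "" # stands in for the CPU ID that auditmerge takes from the bin header

# Constructed sample trails. trail.calvin contains an out-of-order record (103 after 105).
TRAILS = {
    "trail.calvin": [Record(100, "USER_Login"), Record(105, "FILE_Open"), Record(103, "PROC_Execute")],
    "trail.hobbes": [Record(101, "USER_Login"), Record(110, "PROC_Exit")],
}

def auditmerge(trails, quiet=False):
    """Emit the oldest head record across all files until every file is exhausted.

    Returns (merged_records, warnings). A record whose time stamp is earlier than the
    previously emitted one (a negative time change) is still written unmodified; the
    first such record produces one warning naming its file and the time difference,
    unless quiet is set (the -q flag)."""
    positions = {name: 0 for name in trails}
    merged, warnings = [], []
    warned = False
    while True:
        # Heads of the files that still have records remaining.
        heads = [(trails[n][positions[n]].ts, n) for n in trails if positions[n] < len(trails[n])]
        if not heads:
            break
        ts, name = min(heads)  # oldest time stamp wins; ties broken by file name
        rec = trails[name][positions[name]]
        positions[name] += 1
        if merged and rec.ts < merged[-1].ts and not warned:
            warned = True  # a single warning, on the first negative time change seen
            if not quiet:
                warnings.append(f"{name}: time went backwards by {merged[-1].ts - rec.ts} seconds")
        merged.append(Record(rec.ts, rec.event, name))
    return merged, warnings

if __name__ == "__main__":
    records, msgs = auditmerge(TRAILS)
    for m in msgs:
        print("warning:", m)
    for r in records:
        print(r.ts, r.source, r.event)
```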

Flags

Item Description
-q Suppresses the warning message that is otherwise written when a record with a negative time change is encountered.

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Examples

  1. To merge two existing audit trail files from different hosts, enter:
    /usr/bin/auditmerge /audit/trail.calvin /audit/trail.hobbes > /audit/trail.merge
  2. To merge two existing data files, which were preselected for different user names, enter:
    /usr/bin/auditmerge /audit/trail.jim /audit/trail.julie > /audit/trail.both
  3. To merge two data files without producing warnings about incorrect times, enter:
    /usr/bin/auditmerge -q /audit/jumbled.1 /audit/jumbled.2 > /audit/jumbled.output

Files

Item Description
/etc/security/audit/hosts Contains the CPU ID to host name mappings.