The onshowaudit utility
Use the onshowaudit utility to view the audit information from an existing audit trail. You can use this command to extract information for a particular user, database server, or both, making it possible to isolate a particular subset of data from a potentially large audit trail.
Syntax
UNIX (POSIX) form:
onshowaudit [-d] [-q] [-n servernumber] [-f path] [-u username] [-s servername] [-l [loadfile]]
onshowaudit -h
Windows form (the -ts and -tf options exist only on Windows):
onshowaudit [-n servernumber] [-f path] [-ts | -tf] [-u username -s servername | -d] [-l loadfile]
Element | Purpose | Key Considerations |
---|---|---|
-d | The output is not double-spaced when this option is used on POSIX systems. By default, there is a blank line after each audit record; the -d option omits that line. | On POSIX, it is used to avoid double-spacing in the output. |
-f path | Specifies an audit trail to examine, only for database server-managed auditing. | The path can be a full path or just a file name. If this option is omitted, or if path is only a file name, see the notes that immediately follow this table. |
-h | Prints a help message: the command line summary and an explanation of the options. | None |
-I | Indicates that the specified audit trail is for the database server. Note: This option is a holdover from a time when operating system (OS) auditing was supported (and selected with the -O option). The -I option may be used for compatibility but may safely be omitted. No error appears if -I is used, but it does not affect the operation of the command. | This option is case-sensitive. The UNIX™ operating system uses the Informix® database server audit trail. |
-l | Directs onshowaudit to extract information with delimiters so that it can be redirected to a file or pipe and loaded into a database table or other application that accepts delimited data. | On the Windows™ operating system, you must remove the six header lines that are in the output file before you use that file as input for dbload or for an external file. On the Windows operating system, you must enter a load file name argument for the -l option. On the UNIX™ operating system, this file name argument is optional; if you do not specify a file name, the output is routed to standard output. |
-n servernumber | Extracts audit records from the ADTPATH location specified in the adtcfg.servernumber file. | If the adtcfg.servernumber file does not exist, the contents of the ADTCFG file are used for audit configuration. |
-q | Suppresses the banner line and the 'program over' message when the program completes. | None |
-tf | Displays only failure audit records. | This option is only available on the Windows™ operating system. |
-ts | Displays only success audit records. | This option is only available on the Windows™ operating system. |
-s servername | Specifies the database server whose audit information is extracted. | None. |
-u username | Specifies the login name of a user for extraction of audit information. | None. |
On the Windows operating system, the -d option indicates that the onshowaudit utility must use default values for the user (current user) and database server (INFORMIXSERVER) fields.
Usage
The onshowaudit utility performs the following operations:
- Extracts audit information from an audit trail
- Prepares extracted audit data for the dbload utility
The onshowaudit command extracts data from an audit trail but does not process the records or delete them from the audit trail. You must access the audit trail only with the onshowaudit command, because it includes certain protections.
- With role separation off, only user informix (and user root on UNIX™ operating systems) can run the onshowaudit utility.
- With role separation on, only the AAO can run the onshowaudit utility.
By default, the onshowaudit command writes its output to standard output (your screen). You can redirect the formatted output to a file or pipe, and you can specify that the onshowaudit command reformat the output so that you can load it into an Informix® database table.
If you modify the audit configuration with the onaudit utility, the adtcfg.servernumber file stores the changed configuration. If the server audit configuration is modified, use the -n option to specify the server number for onshowaudit. The -n option allows onshowaudit to read the correct ADTPATH stored in the adtcfg.servernumber file. The onshowaudit utility extracts data from all the audit files it finds that are in sequence, starting with the lowest integer.
If only a file name is specified, the utility searches the ADTPATH directory for that file and extracts audit data from it.
If a complete path name is specified, the utility extracts audit data from the named file.
The database server does not audit the onshowaudit utility's execution.
Any command-line options that you specify determine which part of the audit trail the onshowaudit utility uses.
If -f is omitted, onshowaudit searches for audit files in the ADTPATH directory specified in the default ADTCFG file. The -f path option specifies the directory and file name of the audit files. The audit directory and file name must conform to minimum security levels. The directory must be owned by user informix, belong to the AAO group, and must not allow public access (0770 permission). The files must have comparable permissions (0660 permission). The files must not be symbolic links to other locations. The directory can be a symbolic link. If the audit directory and files are not secure, the onshowaudit utility returns an error message and does not display the audit results.
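The ownership, mode and symlink rules above are exactly what an AAO would want to verify before the utility refuses the directory. The following Python check is an added example, not Informix code; it takes the expected owner and AAO group as numeric ids (the AAO group name is site-specific), and it interprets "no public access" as "no permission bits set for other", which is an assumption about how strictly the server reads 0770 and 0660.

```python
import os
import stat
import tempfile

def check_audit_location(directory, owner_uid, aao_gid):
    """Return a list of problems with an ADTPATH directory and the files in it.
    Page rules: directory owned by user informix, group AAO, no public access
    (0770); files comparable (0660); files must not be symlinks (the directory
    may be one). 'No public access' is checked as no 'other' bits (assumption)."""
    problems = []
    st = os.stat(directory)  # follows a symlink: a linked directory is allowed
    if not stat.S_ISDIR(st.st_mode):
        return [f"{directory}: not a directory"]
    if st.st_uid != owner_uid:
        problems.append(f"{directory}: not owned by expected user (uid {owner_uid})")
    if st.st_gid != aao_gid:
        problems.append(f"{directory}: group is not the AAO group (gid {aao_gid})")
    if stat.S_IMODE(st.st_mode) & 0o007:
        problems.append(f"{directory}: world-accessible (mode {stat.S_IMODE(st.st_mode):04o})")
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        lst = os.lstat(path)  # do not follow: a link is what must be rejected
        if stat.S_ISLNK(lst.st_mode):
            problems.append(f"{path}: is a symbolic link")
        elif stat.S_IMODE(lst.st_mode) & 0o007:
            problems.append(f"{path}: world-accessible (mode {stat.S_IMODE(lst.st_mode):04o})")
        elif lst.st_uid != owner_uid or lst.st_gid != aao_gid:
            problems.append(f"{path}: wrong owner or group")
    return problems

def self_check():
    """Constructed ADTPATH in a temp directory: one compliant file, then a
    world-readable file and a symlink. Returns (problems_before, problems_after)."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o770)
    st = os.stat(d)  # the temp dir's own uid/gid stand in for informix / AAO
    good = os.path.join(d, "ol_srv.1")
    open(good, "w").close()
    os.chmod(good, 0o660)
    before = check_audit_location(d, st.st_uid, st.st_gid)
    leaky = os.path.join(d, "ol_srv.2")
    open(leaky, "w").close()
    os.chmod(leaky, 0o664)
    os.symlink(good, os.path.join(d, "ol_srv.3"))
    after = check_audit_location(d, st.st_uid, st.st_gid)
    return before, after

if __name__ == "__main__":
    print(self_check())
```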
The onshowaudit utility can be used to filter the audit data reported to the syslog daemon using ASL, but there are two issues: one, the syslog daemon adds information at the start of a line compared to classic audit logs; and two, the locations and names of the files recorded by the syslog daemon are not known to Informix and may not even be on the current machine.
Example 1 — Classic log (1 line):
ONLN|2021-01-12 18:59:21.512|njdc-ldev04|31055|njdc_ldev04_11|someone|0:ACTB:stores:someone:stock:110
Example 2 — syslog log (1 line):
Jan 12 11:59:21 njdc-ldev04 njdc_ldev04_11: ONLN|2021-01-12 18:59:21.512|njdc-ldev04|31055|njdc_ldev04_11|someone|0:ACTB:stores:someone:stock:110
The data in example 2 has 5 fields before the normal start of the Informix record (which begins at "ONLN|"). (The machine/host name is njdc-ldev04; the Informix server name is njdc_ldev04_11. The default identifier is used here.)
However, because there are no pipe symbols in the prefixed information, you can use:
onshowaudit -f /var/log/informix.audit
(possibly with filters such as '-u someone') to select data from the file. The output will include the data prefixed by the syslog daemon. (You might note that the syslog daemon above is running in time zone UTC-07:00, but the server is running in time zone UTC0, hence the difference of 7 hours between the timestamp from the syslog daemon and the auditing code. Actually, one can't tell which time zones are in use, but one can tell that they are 7 hours apart.)
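As an added example (not from this page or from Informix), the Python below parses both line shapes shown above by locating "ONLN|", applies -u / -s style filtering on the record's own user and server fields, and computes the hour offset between the syslog daemon's stamp and the server's timestamp. The field names after ONLN| and the third sample line (user usr1 on a constructed server other_srv) are assumptions; the page does not name the fields.

```python
import re
from datetime import datetime

# Constructed input: the two records quoted on the page plus one record for a
# second user and server, so that the filters have something to drop.
SAMPLE_LINES = [
    "ONLN|2021-01-12 18:59:21.512|njdc-ldev04|31055|njdc_ldev04_11|someone|0:ACTB:stores:someone:stock:110",
    "Jan 12 11:59:21 njdc-ldev04 njdc_ldev04_11: ONLN|2021-01-12 18:59:21.512|njdc-ldev04|31055|njdc_ldev04_11|someone|0:ACTB:stores:someone:stock:110",
    "Jan 12 12:03:05 njdc-ldev04 other_srv: ONLN|2021-01-12 19:03:05.004|njdc-ldev04|31090|other_srv|usr1|0:OPDB:stores:usr1",
]

# syslog prefix "Mon DD HH:MM:SS host tag: ": five whitespace-separated fields, no '|'.
SYSLOG_PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\S+): $")

# Field names are assumed from the sample records; the page does not name them.
FIELDS = ("tag", "timestamp", "hostname", "pid", "servername", "username", "event")

def parse_record(line):
    """Split one classic or syslog-prefixed line into a dict. 'syslog' holds the
    daemon's prefix fields, or None for a classic line."""
    start = line.find("ONLN|")
    if start < 0:
        raise ValueError("line carries no ONLN audit record")
    rec = dict(zip(FIELDS, line[start:].rstrip("\n").split("|", len(FIELDS) - 1)))
    m = SYSLOG_PREFIX.match(line[:start])
    rec["syslog"] = m.groupdict() if m else None
    return rec

def select(lines, username=None, servername=None):
    """Filter as onshowaudit -u / -s do: exact match on the record's own user and
    server fields; the syslog prefix is ignored for matching."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if username is not None and rec["username"] != username:
            continue
        if servername is not None and rec["servername"] != servername:
            continue
        out.append(rec)
    return out

def syslog_offset_hours(rec):
    """Whole hours by which the server's timestamp leads the syslog daemon's stamp
    (7 for the page's sample). Syslog stamps carry no year, so the record's is used."""
    if rec["syslog"] is None:
        return None
    rec_ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S.%f")
    sys_ts = datetime.strptime(f"{rec_ts.year} {rec['syslog']['ts']}", "%Y %b %d %H:%M:%S")
    return round((rec_ts - sys_ts).total_seconds() / 3600)
```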
Example 1: Reading a specific audit log file
The following command shows the audit log file /work/aaodir/ol_lx_rama.7:
onshowaudit -I -f /work/aaodir/ol_lx_rama.7
Example 2: Filtering audit records by user
The following command shows only the records that pertain to usr1 in the audit log file /work/aaodir/ol_lx_rama.7:
onshowaudit -I -f /work/aaodir/ol_lx_rama.7 -u usr1
Example 3: Filtering audit records by server name
The following command shows only the records that pertain to usr1 on the ol_lx_rama server in the audit log file /work/aaodir/ol_lx_rama.7:
onshowaudit -I -f /work/aaodir/ol_lx_rama.7 -u usr1 -s ol_lx_rama