The onshowaudit utility
Use the onshowaudit utility to view the audit information from an existing audit trail. You can use this command to extract information for a particular user, database server, or both, making it possible to isolate a particular subset of data from a potentially large audit trail.
Syntax
Element | Purpose | Key Considerations |
---|---|---|
-d | Indicates that the onshowaudit utility must use default values for the user (current user) and database server (INFORMIXSERVER) fields. | This option is only available on the Windows operating system. |
-f path | Specifies an audit trail to examine, only for database server-managed auditing. | The path can be a full path or just a file name. If this option is omitted, or if path is only a file name, see the notes that immediately follow this table. |
-I | Indicates that the specified audit trail is for
the database server. Note: This option is a holdover from
a time when operating system (OS) auditing was supported. The -I must
be included for compatibility. |
This option is case-sensitive. The UNIX operating system uses the HCL OneDB™ database server audit trail |
-l | Directs onshowaudit to extract information with delimiters so that it can be redirected to a file or pipe and loaded into a database table or other application that accepts delimited data. | When using the Windows operating system you must remove
the six header lines that are in the output file before you use that
file as input for dbload or for an external file. On the Windows operating system, you must enter a load file name argument for the -l option. On theUNIX operating system this file name argument is optional. On the UNIX operating system, if you do not specify a file name, the output is routed to standard output. |
-n servernumber | Extracts audit records from the ADTPATH location specified in the adtcfg.servernumber file. | If the adtcfg.servernumber file does not exist, the contents of the ADTCFG file are used for audit configuration. |
-tf | Displays only failure audit records | This option is only available on the Windows operating system. |
-ts | Displays only success audit records | This option is only available on the Windows operating system. |
-s servername | Specifies which database server must have audit information extracted. | None. |
-u username | Specifies the login name of a user for extraction of audit information. | None. |
Usage
The onshowaudit utility performs the following operations:
- Extracts audit information from an audit trail
- Prepares extracted audit data for the dbload utility
The onshowaudit command extracts data from an audit trail but does not process the records or delete them from the audit trail. You must only access the audit trail with the onshowaudit command because it includes certain protections.
- With role separation off, only user informix (and user root on UNIX operating systems) can run the onshowaudit utility.
- With role separation on, only the AAO can run the onshowaudit utility.
By default, the onshowaudit command is displayed to the standard output (your screen). You can redirect the formatted output to a file or pipe and can specify that the onshowaudit command reformat the output so that you can load it into the HCL OneDB database table.
If you modify the audit configuration with the onaudit utility, the adtcfg.servernumber file stores the changed configuration. If the server audit configuration is modified, use the -n option to specify the server number for onshowaudit. Using the -n option allows onshowaudit to read the right ADTPATH stored in adtcfg.servernumber file. The onshowaudit utility extracts data from all the audit files it finds that are in sequence, starting with the lowest integer.
If only a file name is specified, the utility searches the ADTPATH directory for that file and extracts audit data from it.
If a complete path name is specified, the utility extracts audit data from the named file.
The database server does not audit the onshowaudit utility's execution.
Any command-line options that you specify determine which part of the audit trail the onshowaudit utility uses
If -f is omitted, onshowaudit searches for audit files in the ADTPATH directory specified in the default ADTCFG file. The -f path option specifies the directory and file name of the audit files. The audit directory and file name must conform to minimum security levels. The directory must be owned by user informix, belong to the AAO group, and must not allow public access (0770 permission). The files must have comparable permissions (0660 permission). The files must not be symbolic links to other locations. The directory can be a symbolic link. If the audit directory and files are not secure, the onshowaudit utility returns an error message and does not display the audit results.
Example 1: Reading a specific audit log file
The following command shows the audit log file /work/aaodir/ol_lx_rama.7:
onshowaudit -I -f /work/aaodir/ol_lx_rama.7
Example 2: Filtering audit records by user
The following command shows only the records that pertain to usr1 in the audit log file /work/aaodir/ol_lx_rama.7:
onshowaudit -I -f /work/aaodir/ol_lx_rama.7 -u usr1
Example 3: Filtering audit records by server name
The following command shows only the records that pertain to usr1 on the ol_lx_rama server in the audit log file /work/aaodir/ol_lx_rama.7:
onshowaudit -I -f /work/aaodir/ol_lx_rama.7 -u usr1 -s ol_lx_rama