I have successfully enabled auditing on AIX by adding some objects.
But when I run
auditpr -v < /audit/trail
let's say I reset audit yesterday at 5 pm;
auditpr -v < /audit/trail
will show records only up to 5 pm yesterday.
I have to reset audit every time to check the latest logs.
Please help.
What seems to be your issue? I am having a hard time understanding what is wanted.
-v
Displays the trail of each audit record, using the format
specifications in the /etc/security/audit/events file.
Have you set up this file?
Yes, I configured it in the events file.
Let's say I enable audit for su for sysadmin:
restart audit,
log in as sysadmin and su to root.
When I go to check with
auditpr -v < /audit/trail
I am not finding a log entry for su.
But when I restart auditing again and run
auditpr -v < /audit/trail
this time I am finding the su log entry for sysadmin.
OK, so /usr/adm/sulog is owned by root:
-rw------- 1 root system 5818 Feb 07 11:32 sulog
If you do the su to root and then a tail on /usr/adm/sulog, it should be there.
But if you do the auditpr -v and it is not, then the delay is the collection of the information by the processes. Is the system busy?
Now, you are not doing ssh or sudo to become root. Gotta check...
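An added example, not from any poster in this thread, illustrating the symptom above (records only appear in /audit/trail after an audit restart). It assumes the stock AIX bin-mode layout from /etc/security/audit/config, where records are written to /audit/bin1 and /audit/bin2 and are appended to /audit/trail only when a bin reaches binsize or "audit shutdown" flushes it. The function names and the sample config file are my own; the AIX commands used are the ones already named in the thread (audit, auditpr).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes AIX bin-mode auditing:
# records land in /audit/bin1 and /audit/bin2 and reach /audit/trail only
# when a bin fills to binsize or "audit shutdown" flushes it, which is why
# the trail appears to stop at the last restart. Helper names are mine.

# Write a constructed config in the stanza format AIX uses, so the parser
# below can be tried on any POSIX system (sample data, not a real host).
write_sample_config() {
    cat > "$1" <<'EOF'
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink
EOF
}

# Print the settings that decide when records reach the trail.
# Usage: audit_mode_info /etc/security/audit/config
audit_mode_info() {
    awk '
        /^[A-Za-z]+:/ { stanza = $1; sub(":", "", stanza); next }
        stanza == "start" && $1 == "binmode"    { binmode = $3 }
        stanza == "start" && $1 == "streammode" { streammode = $3 }
        stanza == "bin"   && $1 == "binsize"    { binsize = $3 }
        END { printf "binmode=%s streammode=%s binsize=%s\n", binmode, streammode, binsize }
    ' "$1"
}

# Flush the open bin into the trail (shutdown does that) and show the
# records mentioning one user. Refuses to run where the AIX tools are absent.
# Usage: show_latest_records sysadmin
show_latest_records() {
    user="$1"
    if ! command -v audit >/dev/null 2>&1; then
        echo "audit command not found: not an AIX host" >&2
        return 2
    fi
    audit shutdown && audit start   # shutdown appends the current bin to /audit/trail
    auditpr -v < /audit/trail | grep -w "$user"
}
```

With binmode on and a 10240-byte binsize, a single su event will sit in the open bin until more activity fills it, so a quiet test box shows nothing in the trail until the restart. Switching the host to stream mode (streammode = on, with the auditstream pipeline in /etc/security/audit/streamcmds) writes records as they occur, which avoids the restart.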