HP-UX real time audit log writing

Hey all, I have a problem I was hoping to get some help on. I have my two audit files, audfile1 and audfile2, that can be written to, and I want to have the text version of them written to an NFS mount that I have set up. I already know that I can do .secure/etc/audsp audfile1 > //nfsmount/folder/ but does the audsp command clear the contents of anything that it translates?

I have a script that runs on the NFS mount that appends the audsp output, after it's done with it, with a .processed marker. I was also able to find this script online, but while I am sort of comfortable with the logic, I am not so sure it is syntactically right. Anyway, if anyone can help I would greatly appreciate any help that you might give.

Found Script:

CURRENT=$(/usr/bin/audsys | grep "current file" | head -n 1 | cut -c 15-) 
NUM=$(print $CURRENT | cut -c 24) 
if [ $NUM = 1 ] 
then 
   NEXTFILE=$(print $CURRENT | cut -c -23)"2" 
   /usr/bin/audsys -c $NEXTFILE -s 100000 
   rm /.secure/etc/files2/*.processed 
   /usr/bin/audisp /.secure/etc/files/file1 > /.secure/etc/files2/audit_out ; 
   rm $CURRENT 
else 
   NEXTFILE=$(print $CURRENT | cut -c -23)"1" 
   /usr/bin/audsys -c $NEXTFILE -s 100000 
   rm /.secure/etc/files2/*.processed 
   /usr/bin/audisp /.secure/etc/files/file2 > /.secure/etc/files2/audit_out ; 
   rm $CURRENT
fi

Forgot to add in, if you have any questions feel free to ask me! I want to help you help me! :D:D

You had some errors, but I am not sure if they were from copying and losing end of line etc. stuff, and no fi...
Can you check now if this is more like it?
for instance

NEXTFILE=$(print $CURRENT | cut -c -23)"2" /usr/bin/audsys -c $NEXTFILE -s 100000 

makes no sense or something is missing; I understand it as 2 separate commands (and so the syntax is doubtful...)

It may have been part of me trying to clean it up that cut off some of the parts. Here is the original post that I pulled that code from that I tried to clean up. I went ahead and put code tags around the section of code. I am starting to understand it a little logically, but most of my experience comes from a Java/RHEL background, so it being all together throws me off.

--original post--

"I had problems with HP-UX connectors not retrieving online logs. We came up with this script to be able to retrieve online logs. There are 2 files switching over, file1 and file2, and the directory /.secure/etc/files2 is where the audisp command output is written."

CURRENT=$(/usr/bin/audsys | grep "current file" | head -n 1 | cut -c 15-) NUM=$(print $CURRENT | cut -c 24) if [ $NUM = 1 ] then NEXTFILE=$(print $CURRENT | cut -c -23)"2" /usr/bin/audsys -c $NEXTFILE -s 100000 rm /.secure/etc/files2/*.processed /usr/bin/audisp /.secure/etc/files/file1 > /.secure/etc/files2/audit_out ; rm $CURRENT else NEXTFILE=$(print $CURRENT | cut -c -23)"1" /usr/bin/audsys -c $NEXTFILE -s 100000 rm /.secure/etc/files2/*.processed /usr/bin/audisp /.secure/etc/files/file2 > /.secure/etc/files2/audit_out ; rm $CURRENT fi

Again, thank you for any help that you might have!

So I think what I did in your first post seems to be correct...
Now I don't have a system with audsys turned on, only traces on an old 10.20...
I suggest you look line by line at what I did above:
If I try the

print $CURRENT | cut -c 23

on my system it returns nothing:

aph:/.secure/etc $ print $CURRENT | cut -c -23
/.secure/etc/audfile1
aph:/.secure/etc $ print $CURRENT | cut -c 23 

aph:/.secure/etc $ print $CURRENT | cut -c 21
1

So what does:

CURRENT=$(/usr/bin/audsys | grep "current file" | head -n 1 | cut -c 15-) ;echo $CURRENT 

produce on your server?

CURRENT=$(/usr/bin/audsys | grep "current file" | head -n 1 | cut -c 15-) ;echo $CURRENT
/.secure/etc/audfile1

That file path is the correct file where one of the audit logs is written to. The other is in the same directory but is just audfile2.

So the cut isn't correct I suppose... you need:

print $CURRENT | cut -c 21
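
An added example, not part of the thread or of the script quoted in it: a POSIX sh version of the rotation that picks the other audit file from the last character of the path instead of a fixed column, and deletes the raw audit file only after the text conversion has succeeded. It assumes audsys prints a line of the form "current file: <path>" (which is what the thread's cut -c 15- implies) and that audisp exits non-zero on failure; the AUDSYS and AUDISP variables, the function names and the audit_out.tmp file name are this example's own.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumes audsys prints a line
# "current file: <path>" and that audisp exits non-zero on failure.
AUDSYS=${AUDSYS:-/usr/bin/audsys}   # overridable so the logic can be tested
AUDISP=${AUDISP:-/usr/bin/audisp}

# Print the path from the first "current file" line read on stdin.
current_audit_file() {
    sed -n 's/^current file: *//p' | head -n 1
}

# Map .../audfile1 to .../audfile2 and back by looking at the last
# character of the path, not at a fixed column such as 21 or 24.
next_audit_file() {
    case $1 in
        *1) printf '%s2\n' "${1%1}" ;;
        *2) printf '%s1\n' "${1%2}" ;;
        *)  return 1 ;;
    esac
}

# Switch auditing to the other file, convert the closed file to text in
# directory $1, and delete the raw file only after the text copy exists.
rotate_audit() {
    outdir=$1
    cur=$("$AUDSYS" | current_audit_file) && [ -n "$cur" ] || return 1
    next=$(next_audit_file "$cur") || return 1
    "$AUDSYS" -c "$next" -s 100000 || return 1
    tmp="$outdir/audit_out.tmp"
    if "$AUDISP" "$cur" > "$tmp"; then
        # Rename so the reader on the NFS side never sees a partial file.
        mv "$tmp" "$outdir/audit_out" && rm -f "$cur"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on a constructed line; no audit subsystem is needed for this part.
printf 'current file: /.secure/etc/audfile1\n' | current_audit_file |
    { read -r f; next_audit_file "$f"; }   # prints /.secure/etc/audfile2
```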