https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486959#M30597 Craig,<BR /><BR /> The selection qualifiers for ANALYZE/AUDIT and ACCOUNTING are somewhat useful, but, as you've found, it's not always easy to work out the exact combination that gets the information you want, or even work out if it exists. Often it's easier to just dump the whole time window you're interested in and SEARCH the text.<BR /><BR />If you have a longer, or regular task, it's fairly simple to build a DCL parser that can discriminate the start and end of audit records, outputting whole records which match your search strings.<BR /><BR />PIPE comes in handy here:<BR /><BR />$ PIPE ANALYZE/AUDIT/OUT=SYS$OUTPUT ... | @yourparser string string...<BR /><BR />If the records aren't too big, you can glue them together into a single string and output as CSV, or something sortable. Parsing the text can be very simple, just split the lines on the first ":", collapse the left hand side to form a symbol name, and replace the : with =" to turn each record into a symbol assignment which you can then execute (though you'll need some continuation line logic). So, for example, convert:<BR /><BR />Event time: 28-AUG-2009 00:00:38.16<BR /><BR />into:<BR /><BR />Eventtime="28-AUG-2009 00:00:38.16"<BR /><BR /> This makes it easy to throw away fields you're not interested in, even if you don't know their names. Just run the event through the symbolizer then output what you're interested in:<BR /><BR />$ WRITE SYS$OUTPUT Auditableevent,",",Eventtime,",",Username Thu, 27 Aug 2009 21:36:19 GMT John Gillings 2009-08-27T21:36:19Z https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486957#M30595 Hi!<BR /><BR />I would like to run a report that only shows me those users that have used AUTHORIZE to change the privileges (default or authorised) of other users. <BR /><BR />ANAL/AUDIT/EVENT and ANAL/AUDIT/SELECT doesn't *appear* to be able to offer this. <BR /><BR />I'm aware that I could generate a generic AUTHORIZE changes report and then parse it for what I need:<BR /><BR />$SEARCH <FILE> - <BR />"Privileges","New" /MATCH=AND /WIND=(x,y) <BR /><BR />but that approach is messy if multiple changes to an accout have occured. <BR /><BR />I was just wondering if I was missing something blindingly obvious.<BR /><BR />Many thanks<BR /><BR />Craig A</FILE> Thu, 27 Aug 2009 07:02:55 GMT https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486957#M30595 Craig A 2009-08-27T07:02:55Z https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486958#M30596 Not blindingly obvious but:<BR /><BR />/SELECT=(FIELD=("DEFAULT PRIVILEGES", "PRIVILEGES")) Thu, 27 Aug 2009 08:40:39 GMT https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486958#M30596 Richard Brodie_1 2009-08-27T08:40:39Z https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486959#M30597 Craig,<BR /><BR /> The selection qualifiers for ANALYZE/AUDIT and ACCOUNTING are somewhat useful, but, as you've found, it's not always easy to work out the exact combination that gets the information you want, or even work out if it exists. Often it's easier to just dump the whole time window you're interested in and SEARCH the text.<BR /><BR />If you have a longer, or regular task, it's fairly simple to build a DCL parser that can discriminate the start and end of audit records, outputting whole records which match your search strings.<BR /><BR />PIPE comes in handy here:<BR /><BR />$ PIPE ANALYZE/AUDIT/OUT=SYS$OUTPUT ... | @yourparser string string...<BR /><BR />If the records aren't too big, you can glue them together into a single string and output as CSV, or something sortable. Parsing the text can be very simple, just split the lines on the first ":", collapse the left hand side to form a symbol name, and replace the : with =" to turn each record into a symbol assignment which you can then execute (though you'll need some continuation line logic). So, for example, convert:<BR /><BR />Event time: 28-AUG-2009 00:00:38.16<BR /><BR />into:<BR /><BR />Eventtime="28-AUG-2009 00:00:38.16"<BR /><BR /> This makes it easy to throw away fields you're not interested in, even if you don't know their names. Just run the event through the symbolizer then output what you're interested in:<BR /><BR />$ WRITE SYS$OUTPUT Auditableevent,",",Eventtime,",",Username Thu, 27 Aug 2009 21:36:19 GMT https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486959#M30597 John Gillings 2009-08-27T21:36:19Z https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486960#M30598 Richard: Thanks - Perfect!<BR /><BR />John: Very useful. Many thanks.<BR /><BR />Craig A Fri, 28 Aug 2009 11:04:42 GMT https://community.hpe.com/t5/operating-system-openvms/anal-audit-for-authorize-priv-and-defpriv-changes/m-p/4486960#M30598 Craig A 2009-08-28T11:04:42Z