https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131378#M91183 Can you post up a copy of the record where you're seeing this field with your ANALYZE /AUDIT /EVENT=LOGFAIL command? (I don't have that field visible within the command output I've just looked at from an OpenVMS Alpha V8.3 system. Which means I'm probably not looking in the same spot as you are, or I don't have the same LOGFAIL entries in the local SECURITY.AUDIT$JOURNAL database.) Tue, 23 Sep 2008 17:49:41 GMT Hoff 2008-09-23T17:49:41Z https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131377#M91182 (I can't figure this out from the manual!)<BR /><BR />An ANA/AUDIT/FULL/EVENT=LOGFAIL display contains lines labeled "Username:" and "User record:". I can select for "Username" via<BR />/SEL=USERNAME=whatever.<BR /><BR />How can I match on the "User record:" entry?<BR /><BR />TIA Tue, 23 Sep 2008 14:48:27 GMT https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131377#M91182 Jack Trachtman 2008-09-23T14:48:27Z https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131378#M91183 Can you post up a copy of the record where you're seeing this field with your ANALYZE /AUDIT /EVENT=LOGFAIL command? (I don't have that field visible within the command output I've just looked at from an OpenVMS Alpha V8.3 system. Which means I'm probably not looking in the same spot as you are, or I don't have the same LOGFAIL entries in the local SECURITY.AUDIT$JOURNAL database.) Tue, 23 Sep 2008 17:49:41 GMT https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131378#M91183 Hoff 2008-09-23T17:49:41Z https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131379#M91184 Attached is example Ana/Aud display Tue, 23 Sep 2008 19:07:59 GMT https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131379#M91184 Jack Trachtman 2008-09-23T19:07:59Z https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131380#M91185 <!--!*#-->Ok, that output would not from an ANALYZE/AUDIT with /EVENT=LOGFAIL. You would get it with /EVENT=SYSUAF.<BR /><BR />But to answer your question, back in the VMS 6.2 documention you will find these /SELECT keywords:<BR /><BR />UAF_ADD<BR />UAF_COPY<BR />UAF_DELETE<BR />UAF_MODIFY<BR />UAF_RENAME<BR />UAF_SOURCE<BR /><BR />They are still accepted with ANAL/AUDIT /SELECT- but they are no longer documented. I believe the reason for this is they never worked the way they should. Instead of fixing the bugs in this feature they just hid the feature.<BR /><BR />But see if this works for you:<BR /><BR />$ ANALYZE/AUDIT /FULL/EVENT=SYSUAF -<BR />/SELECT=UAF_SOURCE=REVKAH<BR /> Tue, 23 Sep 2008 20:06:50 GMT https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131380#M91185 Jess Goodman 2008-09-23T20:06:50Z https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131381#M91186 The other obvious question is: what are you up to here, in general terms? There may well be an alternative solution. (There was an interesting approach toward repelling ssh dictionary attacks posted out in c.o.v. recently, for instance.) Tue, 23 Sep 2008 22:19:44 GMT https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131381#M91186 Hoff 2008-09-23T22:19:44Z https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131382#M91187 My bad.<BR /><BR />The ANA/AUDIT interactive display is just not intuitively obvious to me, so I was using it incorrectly.<BR /><BR />Thanks for the help - it gave me the insight to see my error. Tue, 23 Sep 2008 22:29:51 GMT https://community.hpe.com/t5/operating-system-openvms/ana-audit-question/m-p/5131382#M91187 Jack Trachtman 2008-09-23T22:29:51Z