System Administration
Extracting Entries from the last 31 Days from /var/adm/sulog

Kennedy G. Doss
Regular Advisor

HP-UX SAs:

Could someone please give me some ideas? I need to extract some information for SOX audit purposes from the /var/adm/sulog file. I need to pick a particular user's "su" activities from this file, for the last 31 days. What is the best way to go about it?

Thanks for your time, in advance.

-Kennedy
6 REPLIES
Pete Randall
Outstanding Contributor

Re: Extracting Entries from the last 31 Days from /var/adm/sulog

It could be done with grep:

grep "user" /var/adm/sulog | grep "07/"

would give you all the entries for "user" for the month of July.


Pete
James R. Ferguson
Acclaimed Contributor

Re: Extracting Entries from the last 31 Days from /var/adm/sulog

Hi Kennedy:

This should meet your needs. For simplicity, granularity is to whole days (without regard to hours and minutes). The year of the activity is assumed to be the current year, since the 'sulog' doesn't record a date with a year.

# cat ./sulog30
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local;
my ( $fh, $mon, $mday, $time1, $time2 );
open( $fh, '<', '/var/adm/sulog' ) or die "Can't open sulog: $!\n";
$time1 = time();
while (<$fh>) {
    # sulog lines look like "SU mm/dd hh:mm + tty olduser-newuser";
    # skip blank or malformed lines instead of warning on them
    next unless /^SU\s+(\d\d)\/(\d\d)\s/;
    ( $mon, $mday ) = ( $1, $2 );
    # the year is assumed to be the current one (sulog records none);
    # timelocal croaks on a date that is impossible this year, e.g. 02/29
    # in a non-leap year, so trap it: such an entry is over a year old anyway
    $time2 = eval { timelocal( 0, 0, 0, $mday, $mon - 1, (localtime)[5] ) };
    next unless defined $time2;
    # a negative difference means a month/day later in the year than today,
    # i.e. a previous-year entry, which is not within the last 31 days
    print if ( ( $time1 - $time2 ) >= 0
        and ( $time1 - $time2 ) <= ( 60 * 60 * 24 * 31 ) );
}

...simply run as:

# ./sulog30

Regards!

...JRF...
Kennedy G. Doss
Regular Advisor

Re: Extracting Entries from the last 31 Days from /var/adm/sulog

Pete:

I use the grep option normally, myself. However, I am unsure of the output if there are entries for July 2009 and 2008. If both of these exist, then my report may turn out to be inaccurate.

-kennedy
Kennedy G. Doss
Regular Advisor

Re: Extracting Entries from the last 31 Days from /var/adm/sulog

James,

I get my output. Along with the output I get this message too:

"Day '29' out of range 1..28 at ./sulog31.pl line 10"

Does this mean that it is providing me with the output for only the last 28 days?

-Kennedy
Dennis Handly
Acclaimed Contributor

Re: Extracting Entries from the last 31 Days from /var/adm/sulog

> If both of these exist, then my report may turn out to be inaccurate.

Yes, you will get both. You could search for both this and the previous month. Then "simply" remove everything up to the current month. Assuming you actually had activity in the previous and current months.
James R. Ferguson
Acclaimed Contributor
Solution

Re: Extracting Entries from the last 31 Days from /var/adm/sulog

Hi (again) Kennedy:

> I get my output. Along with the output I get this message too:
> "Day '29' out of range 1..28 at ./sulog31.pl line 10"
> Does this mean that it is providing me with the output for only the last 28 days?

No, this would happen for a February entry in a non-leap-year (as 2009 is). If you have truly not trimmed your 'sulog' since early 2008, then I would expect this to happen.

This is a warning and the remainder of the output is valid within the constraints I have described.

Regards!

...JRF...
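As an added example that is not code from the thread, the following Python 3 script does the same last-31-days extraction as James's Perl script but also filters on the one user Kennedy asked about (as source or target of the su), separates successful from failed attempts, and handles the two things the thread ran into: the December-to-January rollover that a current-year assumption misses, and a 02/29 entry in a non-leap year, which it resolves to the last leap year instead of warning. It also addresses Kennedy's July 2008 versus 2009 concern as far as the data allows: because sulog stores no year, each MM/DD is resolved to its most recent past occurrence, so anything older than twelve months is indistinguishable from a recent entry with the same date and the file has to be rotated at least yearly to be usable as audit evidence. The sulog line layout (SU MM/DD HH:MM +|- tty olduser-newuser, with + for success and - for failure), the sample entries and the pinned run time of 10 July 2009 are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Pull one user's su activity for the last N days out of an HP-UX sulog.

sulog stores no year, so every MM/DD is resolved to its most recent past
occurrence relative to the run time.  That handles the December-to-January
rollover and resolves a 02/29 entry to the last leap year instead of
failing on it.  Entries older than twelve months are indistinguishable
from recent ones with the same month and day: rotate sulog at least yearly
if it is audit evidence.
"""
import re
import sys
from datetime import date, datetime, timedelta

# Assumed HP-UX sulog line layout: "SU MM/DD HH:MM +|- tty olduser-newuser"
# where '+' is a successful su and '-' a failed one.  The old user is taken
# as everything before the first hyphen of the last field.
SULOG_RE = re.compile(
    r"^SU\s+(\d{2})/(\d{2})\s+(\d{2}):(\d{2})\s+([+-])\s+(\S+)\s+([^-\s]+)-(\S+)\s*$"
)


def resolve_date(month, day, ref):
    """Return the most recent calendar date on or before `ref` (a date)
    with the given month and day, or None if no such date exists.
    Walking back one year at a time means 02/29 lands on a leap year."""
    for years_back in range(0, 8):          # 8 years always spans a leap year
        try:
            candidate = date(ref.year - years_back, month, day)
        except ValueError:
            continue                         # 02/29 in a non-leap year, or junk
        if candidate <= ref:
            return candidate
    return None


def parse_sulog(lines, ref):
    """Yield one dict per parseable sulog line, with a full timestamp
    reconstructed relative to `ref` (a datetime)."""
    for raw in lines:
        m = SULOG_RE.match(raw)
        if not m:
            continue                         # blank or unexpected line: skip
        mon, day, hh, mm, flag, tty, src, dst = m.groups()
        d = resolve_date(int(mon), int(day), ref.date())
        if d is None:
            continue
        try:
            when = datetime(d.year, d.month, d.day, int(hh), int(mm))
        except ValueError:
            continue                         # garbage time field
        yield {
            "when": when,
            "success": flag == "+",
            "tty": tty,
            "from_user": src,
            "to_user": dst,
            "raw": raw.rstrip("\n"),
        }


def su_activity(lines, user, days=31, ref=None):
    """Entries from the last `days` days in which `user` was the source or
    the target of the su, oldest first (sulog is append-only)."""
    ref = ref or datetime.now()
    cutoff = ref - timedelta(days=days)
    return [
        e for e in parse_sulog(lines, ref)
        if cutoff <= e["when"] <= ref and user in (e["from_user"], e["to_user"])
    ]


def summarize(entries):
    """The counts an auditor usually asks for first."""
    ok = sum(1 for e in entries if e["success"])
    return {"total": len(entries), "success": ok, "failure": len(entries) - ok}


# Constructed sample sulog content for a stand-alone run (not real audit
# data); the run time is pinned to 10 July 2009 so the output is reproducible.
SAMPLE_SULOG = """\
SU 02/29 09:15 + pts/1 kennedy-root
SU 06/01 08:00 + pts/2 kennedy-root
SU 06/10 23:59 - pts/3 kennedy-root
SU 06/20 11:30 + pts/1 root-kennedy
SU 07/01 07:45 + pts/4 other-root
SU 07/05 13:05 - pts/2 kennedy-root
SU 07/09 09:00 + pts/1 kennedy-oracle
""".splitlines()
SAMPLE_REF = datetime(2009, 7, 10, 12, 0)

if __name__ == "__main__":
    # usage: sulog_report.py USER [DAYS] [SULOG_PATH]; with no arguments the
    # constructed sample is used instead of /var/adm/sulog
    if len(sys.argv) > 1:
        user = sys.argv[1]
        days = int(sys.argv[2]) if len(sys.argv) > 2 else 31
        path = sys.argv[3] if len(sys.argv) > 3 else "/var/adm/sulog"
        with open(path) as fh:
            hits = su_activity(fh, user, days)
    else:
        hits = su_activity(SAMPLE_SULOG, "kennedy", 31, SAMPLE_REF)
    for e in hits:
        print(e["when"].strftime("%Y-%m-%d %H:%M"),
              "OK  " if e["success"] else "FAIL",
              e["tty"], "%s -> %s" % (e["from_user"], e["to_user"]))
    print(summarize(hits))
```

Run without arguments to see it work on the constructed sample; on the host itself, `./sulog_report.py kennedy 31 /var/adm/sulog` reads the real file. In the sample the 02/29 entry resolves to 29 February 2008 and drops out of the window, which is what James's warning case should amount to, and failed attempts (the `-` lines) are kept and counted separately because for a SOX review the failed su attempts are usually the more interesting half.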