HPE Community
Operating System - HP-UX
1834145 Members
1882 Online
110064 Solutions
New Discussion

sam log event codes

 
kirk_11
Occasional Advisor

‎07-17-2003 03:12 AM

‎07-17-2003 03:12 AM

sam log event codes

I am using sam and have set it up to log a lot of events. I can use the audisp command to view all of the logs. What I need is some sort of key or cross reference so that I can match the "EVENT" code to some meaningful explination of what was logged. Dows anyone know of any such "EVENT" matrix or cross refenence?
Thanks,
Kirk
don't follow me, I'm lost too...
0 Kudos
Reply
4 REPLIES 4
Pete Randall
Outstanding Contributor

‎07-17-2003 03:16 AM

‎07-17-2003 03:16 AM

Re: sam log event codes

Kirk,

From the man page for audisp:

"-e eventname Display audit information of the specified event types.
The defined event types are admin, close, create,
delete, ipcclose, ipccreat, ipcdgram, ipcopen, login,
modaccess, moddac, open, process, readdac, removable,
uevent1, uevent2, and uevent3 (see audevent(1M))."


Is this what you mean?


Pete


Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎07-17-2003 03:19 AM

‎07-17-2003 03:19 AM

Re: sam log event codes

Kirk,

Also (as it says) see man audevent(1M).


Pete


Pete
0 Kudos
Reply
kirk_11
Occasional Advisor

‎07-17-2003 03:22 AM

‎07-17-2003 03:22 AM

Re: sam log event codes

Pete,
Not exactly... When I view the logs using audisp, I get a bunch of cryptic information including: TIME, PID, E, EVENT, PPID and etc...
What I want to know is how to know exaclty what triggered this log entry. I thought that the EVENT tag in the entry would somehow be able to be crossreferenced to some explanation (in plain language) of what happened.
Thanks,
Kirk
don't follow me, I'm lost too...
0 Kudos
Reply
Ollie R
Respected Contributor

‎07-17-2003 03:42 AM

‎07-17-2003 03:42 AM

Re: sam log event codes

Hi Kirk,

Please refer to the following 2 files:

/usr/conf/sys/scall_define.h

/usr/conf/sys/audit.h

The first file can be used as a direct x-ref for all event codes below 1000.

The second file can be used to x-ref all other event codes. These are ADMIN codes and must be converted between HEX and DEC to get the correct translation.

E.g: Event "10244" (DECIMAL) in "audisp" translates to "024004" (OCTAL) in "audit.h".

Hope this helps,

Ollie.
To err is human but to not award points is unforgivable
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.