VMS Help  —  ANALYZE  /AUDIT
    The Audit Analysis utility (ANALYZE/AUDIT) processes event
    messages in security audit log files to produce reports of
    security-related events on the system.

    Format

      ANALYZE/AUDIT  [file-spec[,...]]

    file-spec[,...]

    Specifies one or more security audit log files as input to
    ANALYZE/AUDIT. If you specify more than one file name, separate
    the names with commas.

    If you omit the file-spec parameter, the utility searches for the
    default audit log file SECURITY.AUDIT$JOURNAL.

    The default audit log file is created in the SYS$COMMON:[SYSMGR]
    directory. To use the file, specify SYS$MANAGER on the
    ANALYZE/AUDIT command line. If you do not specify a directory,
    the utility searches for the file in the current directory.

    You can include wildcard characters, such as the asterisk (*)  or
    percent sign (%),  in the file specification.

    The audit log file can be located in any directory. To display
    the current location, use the DCL command SHOW AUDIT/ALL.

1  –  Qualifiers

    Qualifier      Description

    /BEFORE        Controls whether records dated earlier than the
                   specified time are selected
    /BINARY        Controls whether output is a binary file
    /BRIEF         Controls whether a brief, single-line record
                   format is used in ASCII displays
    /EVENT_TYPE    Selects the classes of events to be extracted from
                   the security log file
    /FULL          Controls whether a full format is used in ASCII
                   displays
    /IGNORE        Excludes records from the report that match the
                   specified criteria
    /INTERACTIVE   Controls whether interactive command mode is
                   enabled when ANALYZE/AUDIT is invoked
    /OUTPUT        Specifies where to direct output from
                   ANALYZE/AUDIT
    /PAUSE         Specifies the length of time each record is
                   displayed in a full format display
    /SELECT        Specifies the criteria for selecting records
    /SINCE         Indicates that the utility must operate on
                   records dated with the specified time or after
                   the specified time
    /SUMMARY       Specifies that a summary of the selected records
                   be produced after all records are processed

2    /BEFORE

    Controls whether records dated earlier than the specified time
    are selected.

    Format

      /BEFORE[=time]

      /NOBEFORE

    time

    Specifies the time used to select records. Records dated earlier
    than the specified time are selected. You can specify an absolute
    time, delta time, or a combination of the two. Observe the syntax
    rules for date and time described in the OpenVMS User's Manual.

2.1  –  Examples

    1.$ ANALYZE/AUDIT /BEFORE=25-NOV-2005 -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all records dated earlier
      than November 25, 2005.

    2.$ ANALYZE/AUDIT /BEFORE=14:00/SINCE=12:00 -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all records generated
      between noon and 2 P.M. today.

3    /BINARY

    Controls whether output is a binary file.

    Format

      /BINARY

      /NOBINARY

3.1  –  Example

  $ ANALYZE/AUDIT /BINARY/SINCE=TODAY/OUTPUT=25OCT05.AUDIT -
  _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all audit records generated
      today and writes the records in binary format to 25OCT05.AUDIT.

4    /BRIEF

    Controls whether a brief, single-line record format is used in
    ASCII displays.

    Format

      /BRIEF  (default)

4.1  –  Example

  $ ANALYZE/AUDIT /OUTPUT=AUDIT.LIS -
  _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example produces an ASCII file in brief
      format by default. The report is written to the AUDIT.LIS file.

5    /EVENT_TYPE

    Selects the classes of events to be extracted from the security
    log file. If you omit the qualifier or specify the ALL keyword,
    the utility includes all enabled event classes in the report.

    Format

      /EVENT_TYPE=(event-type[,...])

    event type[,...]

    Specifies the classes of events used to select records. You can
    specify any of the following event types:

    [NO]ACCESS         Access to an object, such as a file
    [NO]ALL            All event types
    [NO]AUDIT          Use of the SET AUDIT command
    [NO]AUTHORIZATION  Change to the authorization database
                       (SYSUAF.DAT, RIGHTSLIST.DAT, NETPROXY.DAT,
                       or NET$PROXY.DAT)
    [NO]BREAKIN        Break-in detection
    [NO]CONNECTION     Establishment of a network connection through
                       the System Management utility (SYSMAN),
                       DECwindows, or interprocess communication
                       (IPC) software
    [NO]CREATE         Creation of an object
    [NO]DEACCESS       Completion of access to an object
    [NO]DELETE         Deletion of an object
    [NO]INSTALL        Modification of the known file list with the
                       Install utility (INSTALL)
    [NO]LOGFAIL        Unsuccessful login attempt
    [NO]LOGIN          Successful login
    [NO]LOGOUT         Successful logout
    [NO]MOUNT          Execution of DCL commands MOUNT or DISMOUNT
    [NO]NCP            Modification of the DECnet network
                       configuration databases
    [NO]NETPROXY       Modification of the network proxy
                       authorization file (NETPROXY.DAT or
                       NET$PROXY.DAT)
    [NO]PRIVILEGE      Privilege auditing
    [NO]PROCESS        Use of one or more of the process control
                       system services: $CREPRC, $DELPRC, $SCHDWK,
                       $CANWAK, $WAKE, $SUSPND, $RESUME, $GRANTID,
                       $REVOKID, $GETJPI, $FORCEX, $SETPRI
    [NO]RIGHTSDB       Modification of the rights database
                       (RIGHTSLIST.DAT)
    [NO]SYSGEN         Modification of system parameters through the
                       System Generation utility (SYSGEN) or AUTOGEN
    [NO]SYSUAF         Modification of the system user authorization
                       file (SYSUAF.DAT)
    [NO]TIME           Change in system or cluster time

    Specifying the negated form of an event class (for example,
    NOLOGFAIL) excludes the specified event class from the audit
    report.

5.1  –  Examples

    1.$ ANALYZE/AUDIT/EVENT_TYPE=LOGFAIL -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example extracts all records of
      unsuccessful login attempts, which match the LOGFAIL class,
      and compiles a brief report.

    2.$ ANALYZE/AUDIT/EVENT_TYPE=(NOLOGIN,NOLOGOUT) -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example builds a report in brief format of
      all audit records except those in the LOGIN and LOGOUT event
      classes.

6    /FULL

    Controls whether a full format is used in ASCII displays. If you
    specify /NOFULL or omit the qualifier, records are displayed in
    the brief format.

    Format

      /FULL

      /NOFULL  (default)

6.1  –  Example

  $ ANALYZE/AUDIT /FULL -
  _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example displays the full contents of each
      selected record.

7    /IGNORE

    Excludes records from the report that match the specified
    criteria.

    Format

      /IGNORE=criteria[,...]

    criteria[,...]

    Specifies that all records are selected except those matching any
    of the specified exclusion criteria. See the /SELECT qualifier
    description for a list of the possible criteria to use with the
    /IGNORE qualifier.

8    /INTERACTIVE

    Controls whether interactive command mode is enabled when
    ANALYZE/AUDIT is invoked.

    Format

      /INTERACTIVE  (default)

      /NOINTERACTIVE

8.1  –  Examples

    1.$ ANALYZE/AUDIT/FULL -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example produces a full format display
      of the selected records. New records are displayed every 3
      seconds. (See the /PAUSE qualifier description to find how to
      modify the duration of each record display.) Press Ctrl/C to
      interrupt the display and to enter interactive commands.

    2.$ ANALYZE/AUDIT/FULL/NOINTERACTIVE -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example invokes the utility in
      noninteractive mode. It displays the first record selected and
      prompts you to press the Return key to display each additional
      selected record. Control returns to the DCL command level when
      all selected records have been displayed.

9    /OUTPUT

    Specifies where to direct output from ANALYZE/AUDIT. If you omit
    the qualifier, the report is sent to SYS$OUTPUT.

    Format

      /OUTPUT[=file-spec]

      /NOOUTPUT

    file-spec[,...]

    Specifies the name of the file that is to contain the selected
    records. If you omit the device and directory specification, the
    utility uses the current device and directory specification. If
    you omit the file name and type, the default file name AUDIT.LIS
    is used. If the output is binary (/BINARY) and you omit the
    /OUTPUT qualifier, the binary information is written to the file
    AUDIT.AUDIT$JOURNAL.

9.1  –  Example

  $ ANALYZE/AUDIT /BINARY/OUTPUT=BIN122588.DAT -
  _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects audit records from the
      system audit log file and writes them to the binary file
      BIN122588.DAT.

10    /PAUSE

    Specifies the length of time each record is displayed in a full-
    format display.

    Format

      /PAUSE=seconds

    seconds

    Specifies the duration (in seconds) of the full-screen display.
    A value of 0 specifies that the system should not pause before
    displaying the next record. By default, the utility displays a
    record for 3 seconds.

10.1  –  Example

  $ ANALYZE/AUDIT /FULL/PAUSE=1 -
  _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example displays a selected record in full
      format every second. You can interrupt the display and enter
      interactive commands at any time by pressing Ctrl/C.

11    /SELECT

    Specifies the criteria for selecting records from the audit log
    file. For a description of how to generate audit records, see the
    VSI OpenVMS Guide to System Security.

    Format

      /SELECT=criteria[,...]

      /NOSELECT

    criteria[,...]

    Specifies the criteria for selecting records. For each specified
    criterion, ANALYZE/AUDIT has two selection requirements:

    o  The packet corresponding to the criterion must be present in
       the record.

    o  One of the specified values must match the value in that
       packet.

    For example, if you specify (USER=(PUTNAM,WU),SYSTEM=DBASE) as
    the criteria, ANALYZE/AUDIT selects an event record containing
    the SYSTEM=DBASE packet and a USER packet with either the PUTNAM
    value or the WU value.

    If you omit the /SELECT qualifier, all event records selected
    through the /EVENT_TYPE qualifier are extracted from the audit
    log file and included in the report.

    You can specify any of the following criteria:

11.1  –  ACCESS

    ACCESS=(type,...)

    Specifies the type of object access upon which the selection
    is based. Access is object-specific and includes the following
    types:

    Associate  Execute   Read
    Control    Lock      Submit
    Create     Logical   Use
    Delete     Manage    Write
               Physical

    The VSI OpenVMS Guide to System Security describes each of these
    types.

11.2  –  ACCOUNT

    ACCOUNT=(name,...)

    Specifies the account name upon which selection is based. You can
    use wildcards, such as an asterisk (*) or percent sign (%), to
    represent all or part of the name.

11.3  –  ACCOUNT

    ACCOUNT=(name,...)

    Specifies the alarm journal name on which selection is based. You
    can use wildcards to represent all or part of the alarm name.

11.4  –  ASSOCIATION_NAME

    ASSOCIATION_NAME=(IPC-name,...)

    Specifies the name of the interprocess communication (IPC)
    association.

11.5  –  AUDIT_NAME

    AUDIT_NAME=(journal-name,...)

    Specifies the audit journal name on which selection is based. You
    can use wildcards to represent all or part of the audit journal
    name.

11.6  –  COMMAND_LINE

    COMMAND_LINE=(command,...)

    Specifies the command line that the user entered.

11.7  –  CONNECTION_IDENTIFICATION

    CONNECTION_IDENTIFICATION=(IPC-name,...)

    Specifies the name for the interprocess communication (IPC)
    connection.

11.8  –  DECNET_LINK_IDENTIFICATION

    DECNET_LINK_IDENTIFICATION=(value,...)

    Specifies the number of the DECnet logical link.

11.9  –  DECNET_OBJECT_NAME

    DECNET_OBJECT_NAME=(object-name,...)

    Specifies the name of the DECnet object.

11.10  –  DECNET_OBJECT_NUMBER

    DECNET_OBJECT_NUMBER=(value,...)

    Specifies the number of the DECnet object.

11.11  –  DEFAULT_USERNAME

    DEFAULT_USERNAME=(username,...)

    Specifies the default local user name for incoming network proxy
    requests.

11.12  –  DEVICE_NAME

    DEVICE_NAME=(device-name,...)

    Specifies the name of a device in audit records that have a
    DEVICE_NAME packet. Note that this does not select the device
    name when it occurs in other packet types, such as in a file name
    or in the TARGET_DEVICE_NAME packet.

11.13  –  DIRECTORY_ENTRY

    DIRECTORY_ENTRY=(directory,...)

    Specifies the directory entry associated with file system
    operation.

11.14  –  DIRECTORY_NAME

    DIRECTORY_NAME=(directory,...)

    Specifies the name of the directory file.

11.15  –  DISMOUNT_FLAGS

    DISMOUNT_FLAGS=(flag-name,...)

    Identifies the names of the volume dismounting flags to be used
    in selecting records. Specify one or more of the following flag
    names: Abort, Cluster, Nounload, and Unit.

11.16  –  EVENT_CLUSTER_NAME

    EVENT_CLUSTER_NAME=(event-flag-cluster-name,...)

    Specifies the name of the event flag cluster.

11.17  –  FACILITY

    FACILITY=(facility-name,...)

    Specifies that only events audited by the named facility be
    selected. Provide a name or a number but, in either case, the
    facility has to be defined through the logical AUDSERV$FACILITY_
    NAME as a decimal number; the system uses the number 0.

11.18  –  FIELD_NAME

    FIELD_NAME=(field-name,...)

    Specifies the name of the field that was modified. ANALYZE/AUDIT
    uses the FIELD_NAME criterion with packets containing the
    original data and the new data (specified by the NEW_DATA
    criterion).

    A FIELD_NAME is a character string that describes the content
    of the field. A search for "NEW:" in a full audit report will
    display records that contain the FIELD_NAME values that can be
    specified for this option. Examples of FIELD_NAME values are
    Account, Default Directory, Flags, and Password Date.

    For sensitive information, see SENSITIVE_FIELD_NAME.

11.19  –  FILE_NAME

    FILE_NAME=(file-name)

    Specifies the name of the file that caused the audit.
    Describes audit records for the specified file by using a
    slightly different display format than is provided by the
    /OBJECT=NAME=object-name keyword.

11.20  –  FILE_IDENTIFICATION

    FILE_IDENTIFICATION=(identification-value)

    Specifies the value of the file's identification. To calculate
    the value, start with the value listed for File ID when you use
    the FILE_NAME keyword. For example, the display lists the File ID
    as:

    File ID:   (3024,5,0)

    Use the following formula to calculate the value:

    (((0 * 65536) + 5)* 65536) + 3024 = 330704

11.21  –  FLAGS

    FLAGS=(flag-name,...)

    Identifies the names of the audit event flags associated with the
    audited event. These names should be used in selecting records.
    Specify one or more of the following flags: ACL, Alarm, Audit,
    Flush, Foreign, Internal, and Mandatory.

11.22  –  HOLDER

    HOLDER=keyword(,...)

    Specifies the characteristics of the identifier holder to be used
    when selecting event records. Choose from the following keywords:

    NAME=username          Specifies the name of the holder. You can
                           represent all or part of the name with a
                           wildcard.
    OWNER=uic              Specifies the user identification code
                           (UIC) of the holder.

11.23  –  IDENTIFIER

    IDENTIFIER=keyword(,...)

    Identifies which attributes of an identifier should be used when
    selecting event records. Choose from the following keywords:

    ATTRIBUTES=name        Specifies the name of the particular
                           attribute. Valid attribute names are as
                           follows: Dynamic, Holder_Hidden, Name_
                           Hidden, NoAccess, Resource, and Subsystem.

    NAME=identifier        Specifies the original name of the
                           identifier. You can represent all or part
                           of the name with a wildcard.

    NEW_NAME=identifier    Specifies the new name of the identifier.
                           You can represent all or part of the name
                           with a wildcard.

    NEW_ATTRIBUTES=name    Specifies the name of the new attribute.
                           Valid attribute names are Dynamic, Holder_
                           Hidden, Name_Hidden, NoAccess, Resource,
                           and Subsystem.

    VALUE=value            Specifies the original value of the
                           identifier.

    NEW_VALUE=value        Specifies the new value of the identifier.

11.24  –  IDENTIFIERS_MISSING

    IDENTIFIERS_MISSING=(identifier,...)

    Specifies the identifiers missing in a failure to access an
    object.

11.25  –  IDENTIFIERS_USED

    IDENTIFIERS_USED=(identifier,...)

    Specifies the identifiers used to gain access to an object. An
    event record matches if the specified list is a subset of the
    identifiers recorded in the event record.

11.26  –  IMAGE_NAME

    IMAGE_NAME=(image-name,...)

    Identifies the name of the image to be used when selecting event
    records. You can represent all or part of the image name with a
    wildcard.

11.27  –  INSTALL

    INSTALL=keyword(,...)

    Specifies that installation event packets are to be considered
    when selecting event records. Choose from the following keywords:

    FILE=filename          Specifies the name of the installed file.
                           You can represent all or part of the name
                           with a wildcard.

                           Note that on Alpha systems prior to
                           Version 6.1, audit log files record the
                           installed file name within an object
                           name packet. To select the installed
                           file, you must use the expression
                           OBJECT=(NAME=object-name) instead of
                           FILE=filename.

    FLAGS=flag-name        Specifies the names of the flags, which
                           correspond to qualifiers of the Install
                           utility (INSTALL); for example, OPEN
                           corresponds to /OPEN.

    PRIVILEGES=privilege-  Specifies the names of the privileges with
    name                   which the file was installed.

11.28  –  LNM_PARENT_NAME

    LNM_PARENT_NAME=(table-name,...)

    Specifies the name of the parent logical name table.

11.29  –  LNM_TABLE_NAME

    LNM_TABLE_NAME=(table-name,...)

    Specifies the name of the logical name table.

11.30  –  LOCAL

    LOCAL=(characteristic,...)

    Specifies the characteristics of the local (proxy) account to be
    used when selecting event records. The following characteristic
    is supported:

    USERNAME=username      Specifies the name of the local account.
                           You can represent all or part of the name
                           with a wildcard.

11.31  –  LOGICAL_NAME

    LOGICAL_NAME=(logical-name,...)

    Specifies the logical name of the mounted (or dismounted) volume
    upon which selection is based. You can represent all or part of
    the logical name with a wildcard.

11.32  –  MAILBOX_UNIT

    MAILBOX_UNIT=(number,...)

    Specifies the number of the mailbox unit.

11.33  –  MOUNT_FLAGS

    MOUNT_FLAGS=(flag-name,...)

    Specifies the names of the volume mounting flags upon which
    selection is based. Possible flag names include the following
    names:

       CACHE=(NONE,WRITETHROUGH)
       CDROM
       CLUSTER
       COMPACTION
       DATACHECK=(READ,WRITE)
       DSI
       FOREIGN
       GROUP
       INCLUDE
       INITIALIZATION=(ALLOCATE,CONTINUATION)
       MESSAGE
       NOASSIST
       NOAUTOMATIC
       NOCOMPACTION
       NOCOPY
       NOHDR3
       NOJOURNAL
       NOLABEL
       NOMOUNT_VERIFICATION
       NOQUOTA
       NOREBUILD
       NOUNLOAD
       NOWRITE
                                { ACCESSIBILITY    }
                                { EXPIRATION       }
                                { IDENTIFICATION   }
                                {                  }
                                { LIMITED_SEARCH   }
       OVERRIDE=(options[,...]) { LOCK             }
                                { NO_FORCED_ERROR  }
                                {                  }
                                { OWNER_IDENTIFIER }
                                { SECURITY         }
                                { SETID            }
                                {                  }
       POOL
       QUOTA
       SHARE
       SUBSYSTEM
       SYSTEM
       TAPE_DATA_WRITE
       XAR

    The names NOLABEL and FOREIGN each point to the FOREIGN
    flag. The reason for this is that the MOUNT/NOLABEL
    and MOUNT/FOREIGN commands each set the FOREIGN flag.
    Therefore, if you used MOUNT/NOLABEL, and you use
    ANALYZE/AUDIT/SELECT/MOUNT_FLAGS=NOLABEL, the audit record will
    display the FOREIGN flag.

11.34  –  NEW_DATA

    NEW_DATA=(value,...)

    Specifies the value to use after the event occurs. Use this
    criterion with the FIELD_NAME criterion.

    When you use the Authorize utility (AUTHORIZE) to copy a user
    name, NEW_DATA specifies the newly created user name.

    For sensitive information, see SENSITIVE_NEW_DATA.

11.35  –  NEW_IMAGE_NAME

    NEW_IMAGE_NAME=(image-name,...)

    Specifies the name of the image to be activated in the newly
    created process, as supplied to the $CREPRC system service.

11.36  –  NEW_OWNER

    NEW_OWNER=(uic,...)

    Specifies the user identification code (UIC) to be assigned to
    the created process, as supplied to the $CREPRC system service.

11.37  –  OBJECT

    OBJECT=keyword(,...)

    Specifies which characteristics of an object should be used when
    selecting event records. Choose any of the following keywords:

    CLASS=class-name       Specifies the general object class as one
                           of the following classes:

                           Capability
                           Device
                           Event_cluster
                           File
                           Group_global_section
                           Logical_name_table
                           Queue
                           Resource_domain
                           Security_class
                           System_global_section
                           Volume

                           You must enter the full class name (for
                           example, CLASS=logical_name_table) or use
                           wildcard characters to supply a portion of
                           the class name (for example, CLASS=log*).

    NAME=object-name       Specifies the name of the object. You can
                           represent all or part of the name with a
                           wildcard. If you do not use a wildcard,
                           specify the full object name (for example,
                           BOSTON$DUA0:[RWOODS]MEMO.MEM;1).

    OWNER=value            Specifies the UIC or general identifier of
                           the object.

    TYPE=type              Specifies the general object class (type
                           of object). The available classes are as
                           follows:

                           Capability
                           Device
                           File
                           Group_global_section
                           Logical_name_table
                           Queue
                           System_global_section

                           The CLASS keyword supersedes the TYPE
                           keyword. However, TYPE is required to
                           select audit records in files created
                           prior to OpenVMS Alpha Version 6.1.

11.38  –  PARENT

    PARENT=keyword(,...)

    Specifies which characteristics of the parent process are used
    when selecting event records generated by a subprocess. Choose
    from the following keywords:

    IDENTIFICATION=value   Specifies the process identifier (PID) of
                           the parent process.

    NAME=process-name      Specifies the name of the parent process.
                           You can represent all or part of the name
                           with a wildcard.

    OWNER=value            Specifies the owner (identifier value) of
                           the parent process.

    USERNAME=username      Specifies the user name of the parent
                           process. You can represent all or part of
                           the name with a wildcard.

11.39  –  PASSWORD

    PASSWORD=(password,...)

    Specifies the password used when the system detected a break-in
    attempt.

11.40  –  PRIVILEGES_MISSING

    PRIVILEGES_MISSING=(privilege-name,...)

    Specifies privileges the caller needed to perform the operation
    successfully. Specify any of the system privileges, as described
    in the VSI OpenVMS Guide to System Security.

11.41  –  PRIVILEGES_USED

    PRIVILEGES_USED=(privilege-name,...)

    Specifies the privileges of the process to be used when selecting
    event records. Specify any of the system privileges, as described
    in the VSI OpenVMS Guide to System Security. Also include the
    STATUS keyword in the selection criteria so the report can
    demonstrate whether the privilege was involved in a successful
    or an unsuccessful operation.

11.42  –  PROCESS

    PROCESS=(characteristic,...)

    Specifies the characteristics of the process to be used
    when selecting event records. Choose from the following
    characteristics:

    IDENTIFICATION=value   Specifies the PID of the process.

    NAME=process-name      Specifies the name of the process. You can
                           represent all or part of the name with a
                           wildcard.

11.43  –  REMOTE

    REMOTE=keyword(,...)

    Specifies that some characteristic of the network request is to
    be used when selecting event records. Choose from the following
    keywords:

    ASSOCIATION_NAME=IPC-name   Specifies the interprocess
                                communication (IPC) association name.

    LINK_IDENTIFICATION=value   Specifies the number of the DECnet
                                logical link.

    IDENTIFICATION=value        Specifies the DECnet node address.

    NODENAME=node-name          Specifies the DECnet node name. You
                                can represent all or part of the name
                                with a wildcard.

    USERNAME=username           Specifies the remote user name. You
                                can represent all or part of the
                                remote user name with a wildcard.

11.44  –  REQUEST_NUMBER

    REQUEST_NUMBER=(value,...)

    Specifies the request number associated with the DCL command
    REQUEST/REPLY.

11.45  –  SECTION_NAME

    SECTION_NAME=(global-section-name,...)

    Specifies the name of the global section.

11.46  –  SENSITIVE_FIELD_NAME

    SENSITIVE_FIELD_NAME=(field-name,...)

    Specifies the name of the field that was modified. ANALYZE/AUDIT
    uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with
    packets containing the original data and the new data (specified
    by the SENSITIVE_NEW_DATA criterion).

11.47  –  SENSITIVE_NEW_DATA

    SENSITIVE_NEW_DATA=(value,...)

    Specifies the value to use after the event occurs. Use this
    criterion with the SENSITIVE_FIELD_NAME criterion.

11.48  –  SNAPSHOT_BOOTFILE

    SNAPSHOT_BOOTFILE=(filename,...)

    Specifies the name of the file containing a snapshot of the
    system.

11.49  –  SNAPSHOT_SAVE_FILENAME

    SNAPSHOT_SAVE_FILENAME=(filename,...)

    Specifies the name of the system snapshot file for a save
    operation that is in progress.

11.50  –  STATUS

    STATUS=(type,...)

    Specifies the type of success status to be used when selecting
    event records. Choose from the following status types:

    SUCCESSFUL             Specifies any success status.
    FAILURE                Specifies any failure status.
    CODE=(value)           Specifies a specific completion status.

    Note that if you specify CODE more than once, only the last value
    is matched.

11.51  –  SUBJECT_OWNER

    SUBJECT_OWNER=(uic,...)

    Specifies the owner (UIC) of the process causing the event.

11.52  –  SUBTYPE

    SUBTYPE=(subtype,...)

    Specifies that the criteria be limited to the value or values
    specified as a subtype. The following table lists events and
    their related subtypes. After SUBTYPE, enter the subtypes as they
    appear in the list-for example, SUBTYPE=ALARM_STATE. (In other
    words, do not enter a prefix.)

    Symbols for Event Types
    and Subtypes              Meaning

    NSA$C_MSG_AUDIT           Systemwide change to auditing
          ALARM_STATE         Events enabled as alarms
          AUDIT_DISABLED      Audit events disabled
          AUDIT_ENABLED       Audit events enabled
          AUDIT_INITIATE      Audit server startup
          AUDIT_LOG_FIRST     First entry in audit log (backward
                              link)
          AUDIT_LOG_FINAL     Final entry in audit log (forward link)
          AUDIT_STATE         Events enabled as audits
          AUDIT_TERMINATE     Audit server shutdown
          SNAPSHOT_ABORT*     System snapshot attempt has aborted
          SNAPSHOT_ACCESS*    Snapshot file access/deaccess
          SNAPSHOT_SAVE*      System snapshot save in progress
          SNAPSHOT_STARTUP*   System booted from a snapshot file

          * Obsolete as of OpenVMS Version 7.1

    NSA$C_MSG_BREAKIN         Break-in attempt detected
          BATCH               Batch process
          DETACHED            Detached process
          DIALUP              Dialup interactive process
          LOCAL               Local interactive process
          NETWORK             Network server task
          REMOTE              Interactive process from another
                              network node
          SUBPROCESS          Subprocess

    NSA$C_MSG_CONNECTION      Logical link connection or termination
          CNX_ABORT           Connection aborted
          CNX_ACCEPT          Connection accepted
          CNX_DECNET_CREATE   DECnet logical link created
          CNX_DECNET_DELETE   DECnet logical link disconnected
          CNX_DISCONNECT      Connection disconnected
          CNX_INC_ABORT       Incoming connection request aborted
          CNX_INC_ACCEPT      Incoming connection request accepted
          CNX_INC_DISCONNECT  Incoming connection disconnected
          CNX_INC_REJECT      Incoming connection request rejected
          CNX_INC_REQUEST     Incoming connection request
          CNX_IPC_CLOSE       Interprocess communication association
                              closed
          CNX_IPC_OPEN        Interprocess communication association
                              opened
          CNX_REJECT          Connection rejected
          CNX_REQUEST         Connection requested

    NSA$C_MSG_INSTALL         Use of the Install utility (INSTALL)
          INSTALL_ADD         Known image installed
          INSTALL_REMOVE      Known image deleted

    NSA$C_MSG_LOGFAIL         Login failure
          See subtypes for
               NSA$C_MSG_BREAKIN

    NSA$C_MSG_LOGIN           Successful login
          See subtypes for
               NSA$C_MSG_BREAKIN

    NSA$C_MSG_LOGOUT          Successful logout
          See subtypes for
               NSA$C_MSG_BREAKIN

    NSA$C_MSG_MOUNT           Volume mount or dismount
          VOL_DISMOUNT        Volume dismount
          VOL_MOUNT           Volume mount

    NSA$C_MSG_NCP             Modification to network configuration
                              database
          NCP_COMMAND         Network Control Program (NCP) command
                              issued

    NSA$C_MSG_NETPROXY        Modification to network proxy database
          NETPROXY_ADD        Record added to network proxy
                              authorization file
          NETPROXY_DELETE     Record removed from network proxy
                              authorization file
          NETPROXY_MODIFY     Record modified in network proxy
                              authorization file

    NSA$C_MSG_OBJ_ACCESS      Object access attempted
          OBJ_ACCESS          Access attempted to create, delete, or
                              deaccess an object

    NSA$C_MSG_OBJ_CREATE      Object creation attempted
          OBJ_CREATE          Access attempted to create an object

    NSA$C_MSG_OBJ_DEACCESS    Object deaccessed
          OBJ_DEACCESS        Attempt to complete access to an object

    NSA$C_MSG_OBJ_DELETE      Object deletion attempted
          OBJ_DELETE          Object deletion attempted

    NSA$C_MSG_PROCESS         Process controlled through a system
                              service
          PRC_CANWAK          Process wakeup canceled
          PRC_CREPRC          Process created
          PRC_DELPRC          Process deleted
          PRC_FORCEX          Process exit forced
          PRC_GETJPI          Process information gathered
          PRC_GRANTID         Process identifier granted
          PRC_RESUME          Process resumed
          PRC_REVOKID         Process identifier revoked
          PRC_SCHDWK          Process wakeup scheduled
          PRC_SETPRI          Process priority altered
          PRC_SIGPRC          Process exception issued
          PRC_SUSPND          Process suspended
          PRC_TERM            Process termination notification
                              requested
          PRC_WAKE            Process wakeup issued

    NSA$C_MSG_PRVAUD          Use of privilege
          PRVAUD_FAILURE      Unsuccessful use of privilege
          PRVAUD_SUCCESS      Successful use of privilege

    NSA$C_MSG_RIGHTSDB        Modification to the rights database
          RDB_ADD_ID          Identifier added to rights database
          RDB_CREATE          Rights database created
          RDB_GRANT_ID        Identifier granted to user
          RDB_MOD_HOLDER      List of identifier holders modified
          RDB_MOD_ID          Identifier name or attributes modified
          RDB_REM_ID          Identifier removed from rights database
          RDB_REVOKE_ID       Identifier taken away from user

    NSA$C_MSG_SYSGEN          Use of the System Generation utility
                              (SYSGEN)
          SYSGEN_SET          System parameter modified

    NSA$C_MSG_SYSTIME         Modification to system time
          SYSTIM_SET          System time set
          SYSTIM_CAL          System time calibrated

    NSA$C_MSG_SYSUAF          Modification to system user
                              authorization file (SYSUAF)
          SYSUAF_ADD          Record added to system user
                              authorization file
          SYSUAF_COPY         Record added to system user
                              authorization file
          SYSUAF_DELETE       Record deleted from system user
                              authorization file
          SYSUAF_MODIFY       Record modified in system user
                              authorization file
          SYSUAF_RENAME       Record renamed in system user
                              authorization file

11.53  –  SYSTEM

    SYSTEM=keyword(,...)

    Specifies the characteristics of the system to be used when
    selecting event records. Choose from the following keywords:

    IDENTIFICATION=value   Specifies the numeric identification of
                           the system.
    NAME=nodename          Specifies the node name of the system.

11.54  –  SYSTEM_SERVICE_NAME

    SYSTEM_SERVICE_NAME=(service-name,...)

    Specifies the name of the system service associated with the
    event.

11.55  –  TARGET_DEVICE_NAME

    TARGET_DEVICE_NAME=(device-name,...)

    Specifies the target device name used by a process control system
    service.

11.56  –  TARGET_PROCESS_IDENTIFICATION

    TARGET_PROCESS_IDENTIFICATION=(value,...)

    Specifies the target process identifier (PID) used by a process
    control system service.

11.57  –  TARGET_PROCESS_NAME

    TARGET_PROCESS_NAME=(process-name,...)

    Specifies the target process name used by a process control
    system service.

11.58  –  TARGET_PROCESS_OWNER

    TARGET_PROCESS_OWNER=(uic,...)

    Specifies the target process owner (UIC) used by a process
    control system service.

11.59  –  TARGET_USERNAME

    TARGET_USERNAME=(username,...)

    Specifies the target user name used by a process control system
    service.

11.60  –  TERMINAL

    TERMINAL=(device-name,...)

    Specifies the name of the terminal to be used when selecting
    event records. You can represent all or part of the terminal name
    with a wildcard.

11.61  –  TRANSPORT_NAME

    TRANSPORT_NAME=(transport-name,...)

    Specifies the name of the transport: interprocess communication
    (IPC) or System Management Integrator (SMI), which handles
    requests from the System Management utility.

    On VAX systems, it also can specify the DECnet transport name
    (NSP).

11.62  –  UAF_SOURCE

    UAF_SOURCE=(record-name,...)

    Specifies the user name of the source record for an Authorize
    utility (AUTHORIZE) add, modify, or delete operation.

11.63  –  USERNAME

    USERNAME=(username,...)

    Specifies the user name to be used when selecting event records.
    You can represent all or part of the user name with a wildcard.

11.64  –  VOLUME_NAME

    VOLUME_NAME=(volume-name,...)

    Specifies the name of the mounted (or dismounted) volume to be
    used when selecting event records. You can represent all or part
    of the volume name with a wildcard.

11.65  –  VOLUME_SET_NAME

    VOLUME_SET_NAME=(volume-set-name,...)

    Specifies the name of the mounted (or dismounted) volume set to
    be used when selecting event records. You can represent all or
    part of the volume set name with a wildcard.

11.66  –  Examples

    1.$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all records written to the
      security audit log file that were generated by user JOHNSON.

    2.$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,-
      _$ BYPASS)  SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all records written to the
      security audit log file that were generated by events through
      the use of either SYSPRV or BYPASS privilege.

12    /SINCE

    Indicates the utility must operate on records dated with the
    specified time or after the specified time.

    Format

      /SINCE[=time]

      /NOSINCE

    time

    Specifies the time used to select records. Records dated the
    same or later than the specified time are selected. You can
    specify an absolute time, a delta time, or a combination of the
    two. Observe the syntax rules for date and time described in the
    OpenVMS User's Manual.

    If you specify /SINCE without the time, the utility uses the
    beginning of the current day.

12.1  –  Examples

    1.$ ANALYZE/AUDIT /SINCE=25-NOV-2005 -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects records dated later than
      November 25, 2005.

    2.$ ANALYZE/AUDIT /SINCE=25-NOV-2005:15:00 -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects records written after 3
      P.M. on November 25, 2005.

13    /SUMMARY

    Specifies that a summary of the selected records be produced
    after all records are processed.

    Note that the /SUMMARY qualifier code is executed after the
    Audit Analyzer is finished, that is, after all the records to be
    analyzed have been collected and processed. When you specify the
    /INTERACTIVE qualifier (which is the default), the Audit Analyzer
    never reaches the finished state because /INTERACTIVE prompts you
    repeatedly to enter another command (which might result in a new
    set of records to be analyzed).

    To use the /SUMMARY qualifier, you must also specify
    /NOINTERACTIVE, which ensures that the Audit Analyzer reaches
    the finished state that allows the SUMMARY code to be executed
    and to display the proper information. In a future version of
    OpenVMS, the Audit Analyzer will return an error when /SUMMARY
    and /INTERACTIVE are specified together.

    You can use the /SUMMARY qualifier alone or in combination with
    the /BRIEF, the /BINARY, or the /FULL qualifier.

    Format

      /SUMMARY=presentation

      /NOSUMMARY

    presentation

    Specifies the presentation of the summary. If you do not specify
    a presentation criterion, ANALYZE/AUDIT summarizes the number of
    audits.

    You can specify either of the following presentations:

    COUNT

    Lists the total number of audit messages for each class of
    security event that have been extracted from the security audit
    log file. This is the default.

    PLOT

    Displays a plot showing the class of the audit event, the time
    of day when the audit was generated, and the name of the system
    where the audit was generated.

13.1  –  Examples

    1.$ ANALYZE/AUDIT/SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example generates a summary report of all
      records processed.

        Total records read:        9701          Records selected:          9701
        Record buffer size:        1031
        Successful logins:          542          Object creates:            1278
        Successful logouts:         531          Object accesses:           3761
        Login failures:              35          Object deaccesses:         2901
        Breakin attempts:             2          Object deletes:             301
        System UAF changes:          10          Volume (dis)mounts:          50
        Rights db changes:            8          System time changes:          0
        Netproxy changes:             5          Server messages:              0
        Audit changes:                7          Connections:                  0
        Installed db changes:        50          Process control audits:       0
        Sysgen changes:               9          Privilege audits:            91
        NCP command lines:          120

    2.$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example generates a full format listing
      of all logged audit messages that match the break-in or log
      failure event classes. A summary report is included at the end
      of the listing.

    3.$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY=PLOT -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      This command generates a histogram that you can display on a
      character-cell terminal.
Close Help