This is an archive of past FreeBSD releases; it's part of the FreeBSD Documentation Archive.
Events written by the kernel audit subsystem cannot be altered or read in plain text. Data is stored and accessed in a manner similar to that of ktrace(1) and kdump(1): records can only be viewed by dumping them with the praudit command, and audit trails may be reduced with the auditreduce command, which selects records from an audit trail based on properties of interest, such as the user, the time of the event, and the type of operation.
For example, the praudit utility dumps the entire contents of a specified audit log in plain text. To dump an audit log in its entirety, invoke praudit with the path of the trail file, /var/audit/AUDITFILE, where AUDITFILE is the audit log to view. Since audit logs may contain enormous amounts of data, an administrator may prefer to select only the records of a specific user. This is done with the following command, where trhodes is the user of interest:
auditreduce -e trhodes /var/audit/AUDITFILE | praudit
This selects all audit records produced by the user trhodes that are stored in AUDITFILE. There are several other options for reading audit records; see the manual pages of these commands for a more in-depth explanation.
Due to log reliability requirements, audit trails are written to only by the kernel and managed only by auditd. Administrators should not attempt to use newsyslog.conf(5) or other tools to rotate audit logs directly. Instead, the audit(8) management tool should be used to shut down auditing, reconfigure the audit system, and perform log rotation.
Running audit -n causes the audit daemon to create a new audit log and signals the kernel to switch to using the new log. The old log is terminated and renamed, at which point it may be manipulated by the administrator. If the auditd daemon is not currently running, the command will fail and an error message will be produced.
Adding the following line to /etc/crontab will force the rotation every twelve hours from cron(8):
0 */12 * * * root /usr/sbin/audit -n
The change will take effect once the edited /etc/crontab has been saved.
By default, only the root user has the right to read system audit
logs. However, that right may be delegated to members of the
audit group, as the audit directory and audit
trail files are assigned to that group, and made group-readable. As
the ability to track audit log contents provides significant insight
into the behavior of users and processes, it is recommended that the
delegation of audit review rights be performed with caution.
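An added example, not from the Handbook: a POSIX sh script that ties together the three procedures above, the auditreduce | praudit review pipeline, the audit -n rotation, and the audit-group delegation. The script name, the function names and the trail file names in the comments are hypothetical; the defaults (/var/audit, the audit group, /usr/sbin/audit -n) are the page's own.

```shell
#!/bin/sh
# audit_review.sh (hypothetical name): helpers around the Handbook's
# praudit/auditreduce pipeline, audit -n rotation and audit-group delegation.
# Defaults follow the page: trails in /var/audit, reviewer group "audit".

# check_trail_perms DIR [GROUP]: list trail files that are not owned by
# GROUP or that grant any permission to "other" (the Handbook model is
# root plus a group-readable audit group, nothing more). Offenders go to
# stderr, the count of offenders to stdout; returns 0 only if the count is 0.
check_trail_perms() {
    dir=$1; grp=${2:-audit}; bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: nothing to check
        # ls -l rather than stat(1), whose flags differ between BSD and GNU
        line=$(ls -ld "$f")
        mode=${line%% *}                    # e.g. -rw-r-----
        fgrp=$(printf '%s\n' "$line" | awk '{print $4}')
        other=$(printf '%s' "$mode" | cut -c8-10)
        if [ "$fgrp" != "$grp" ]; then
            echo "wrong group $fgrp: $f" >&2; bad=$((bad + 1))
        elif [ "$other" != "---" ]; then
            echo "accessible by others ($mode): $f" >&2; bad=$((bad + 1))
        fi
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# review_user USER TRAIL: the page's pipeline, auditreduce -e USER | praudit,
# run only after confirming the trail is readable by this account.
review_user() {
    user=$1; trail=$2
    if [ ! -r "$trail" ]; then
        echo "cannot read $trail: run as root or a member of the audit group" >&2
        return 1
    fi
    auditreduce -e "$user" "$trail" | praudit
}

# rotate_trail: the page's audit -n, guarded by the condition the page
# describes: audit -n fails with an error when auditd is not running.
rotate_trail() {
    if ! pgrep -x auditd >/dev/null 2>&1; then
        echo "auditd is not running; not rotating" >&2
        return 1
    fi
    /usr/sbin/audit -n
}
```

Source the file and run, as root, `check_trail_perms /var/audit && review_user trhodes /var/audit/AUDITFILE`; `rotate_trail` is a drop-in for the crontab entry above.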
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.