VMS Help  —  ANALYZE  /AUDIT  /EVENT_TYPE
    Selects the classes of events to be extracted from the security
    log file. If you omit the qualifier or specify the ALL keyword,
    the utility includes all enabled event classes in the report.

    Format

      /EVENT_TYPE=(event-type[,...])

    event type[,...]

    Specifies the classes of events used to select records. You can
    specify any of the following event types:

    [NO]ACCESS         Access to an object, such as a file
    [NO]ALL            All event types
    [NO]AUDIT          Use of the SET AUDIT command
    [NO]AUTHORIZATION  Change to the authorization database
                       (SYSUAF.DAT, RIGHTSLIST.DAT, NETPROXY.DAT,
                       or NET$PROXY.DAT)
    [NO]BREAKIN        Break-in detection
    [NO]CONNECTION     Establishment of a network connection through
                       the System Management utility (SYSMAN),
                       DECwindows, or interprocess communication
                       (IPC) software
    [NO]CREATE         Creation of an object
    [NO]DEACCESS       Completion of access to an object
    [NO]DELETE         Deletion of an object
    [NO]INSTALL        Modification of the known file list with the
                       Install utility (INSTALL)
    [NO]LOGFAIL        Unsuccessful login attempt
    [NO]LOGIN          Successful login
    [NO]LOGOUT         Successful logout
    [NO]MOUNT          Execution of DCL commands MOUNT or DISMOUNT
    [NO]NCP            Modification of the DECnet network
                       configuration databases
    [NO]NETPROXY       Modification of the network proxy
                       authorization file (NETPROXY.DAT or
                       NET$PROXY.DAT)
    [NO]PRIVILEGE      Privilege auditing
    [NO]PROCESS        Use of one or more of the process control
                       system services: $CREPRC, $DELPRC, $SCHDWK,
                       $CANWAK, $WAKE, $SUSPND, $RESUME, $GRANTID,
                       $REVOKID, $GETJPI, $FORCEX, $SETPRI
    [NO]RIGHTSDB       Modification of the rights database
                       (RIGHTSLIST.DAT)
    [NO]SYSGEN         Modification of system parameters through the
                       System Generation utility (SYSGEN) or AUTOGEN
    [NO]SYSUAF         Modification of the system user authorization
                       file (SYSUAF.DAT)
    [NO]TIME           Change in system or cluster time

    Specifying the negated form of an event class (for example,
    NOLOGFAIL) excludes the specified event class from the audit
    report.

1  –  Examples

    1.$ ANALYZE/AUDIT/EVENT_TYPE=LOGFAIL -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example extracts all records of
      unsuccessful login attempts, which match the LOGFAIL class,
      and compiles a brief report.

    2.$ ANALYZE/AUDIT/EVENT_TYPE=(NOLOGIN,NOLOGOUT) -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example builds a report in brief format of
      all audit records except those in the LOGIN and LOGOUT event
      classes.
Close Help