Using sat_select

Using sat_select

The sat_select utility is a character-based program that modifies your audit event type selections. Additionally, you can use the sat_select utility to change your local default auditing environment or to read in a preselected set of event type choices from a file. In this way, you can have several preset auditing environments ready in files for various situations and switch between them conveniently. If you have a graphical system, satconfig is the suggested utility for administering your auditing event type selections. sat_select exists for non-graphics systems and for making large-scale, file-oriented changes.

For complete information on using sat_select, consult the sat_select(1M) reference page, but in general, the syntax most often used is

sat_select -on event

and

sat_select -off event

sat_select -on event directs the system audit trail to collect records describing the given event. If "all" is given as the event string, all event types are collected.

sat_select -off event directs the system to stop collecting information on that event type. If "all" is given as the event string, all event types are ignored.

sat_select issued with no arguments lists the audit events currently being collected. The effect of subsequent sat_select programs is cumulative. Help is available through the -h option.