|
The Question is:
Trying to find the authorization file modify information from audit log on user
XX:
$ analyze /audit sys$manager: /event=sysuaf
/select=username=*XX*
which seems to give me what XX did update (i.e. "What did XX do"). So far, so
good.
But what is the proper syntax to find out what events did update user XX in the
authorization file (i.e. "Who did that to XX")?
The Answer is :
The following appears to be the most direct approach, assuming that
you do not directly reduce the data in the auditing logs yourself:
$ ANALYZE /AUDIT /EVENT=SYSUAF /SELECT=UAF_SOURCE=XX /FULL file-spec
|
