Veritas NetBackup™ Commands Reference Guide
- Appendix A. NetBackup Commands
nbauditreport — Generate and view an audit report
-sdate "MM/DD/YY [HH:[MM[:SS]]]" [-edate "MM/DD/YY [HH:[MM[:SS]]]" -ctgy [POLICY | JOB | STU | STORAGESRV | POOL | AUDITCFG | AUDITSVC | BPCONF | HOLD | USER | AZFAILURE | CATALOG | TOKEN | CERT | SEC_CONFIG | LOGIN | HOST | CONNECTION] -user username[:domainname] -fmt [SUMMARY | DETAIL | PARSABLE] [-notruncate] [-pagewidth NNN] [-order [DTU | DUT | TDU | TUD | UDT | UTD]]
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/admincmd/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\admincmd\
The nbauditreport command lets you create and view a NetBackup audit report.
When auditing is configured in a NetBackup environment, the following user-initiated actions in NetBackup are recorded and available to view in an audit report:
Actions that change the NetBackup configuration. Examples are policy creation, deletion, and modification, and changing the audit settings.
Actions that change NetBackup run-time objects. These actions include initiating a restore job and starting or stopping the audit service.
This command only creates and displays the audit report. You must use the nbemmcmd -changesetting -AUDIT ENABLED and nbemmcmd -changesetting -AUDIT DISABLED commands to enable and disable auditing itself.
For more about auditing and audit reports, see the NetBackup Administrator's Guide, Volume I and NetBackup Security and Encryption Guide.
- -ctgy [POLICY | JOB | STU | STORAGESRV | POOL | AUDITCFG | AUDITSVC | BPCONF | HOLD | USER | AZFAILURE | CATALOG | TOKEN | CERT | SEC_CONFIG | LOGIN | HOST | CONNECTION]
Specifies the type of information to be displayed in the audit report. The audit function records and displays information on the use-initiated actions for the pertinent area (job, pool, etc.). The following are the possible values for this option and the items that are audited for each value:
POLICY - Adding, deleting, or updating policy attributes, clients, schedules, and backup selections lists.
JOB - job changes
STU - storage unit changes
STORAGESRV - storage server information
POOL - disk storage pool changes
AUDITCFG - auditing configuration changes
AUDITSVC - starting and stopping the NetBackup Audit service (nbaudit)
BPCONF - changes to the
bp.conffile (UNIX only).
HOLD - create, modify, and delete hold operations.
USER - adding or deleting users
AZFAILURE - authorization failures
CATALOG - verifying and expiring images; and reading front-end usage data
TOKEN - authorization tokens
CERT - certificate deployment
SEC_CONFIG - changes made to the security configuration settings
LOGIN - logon attempts
HOST - NetBackup host database-related operations
CONNECTION - dropped host connections
The default condition, when none of the options are specified, is to display the audit report of all categories.
- -fmt [SUMMARY | DETAIL | PARSABLE]
Specifies the output format of the audit report.
SUMMARY is the default condition (no option used). The audit report is a summary only. It displays the audit report in columnar format using the description, user, and timestamp headings.
DETAIL displays a comprehensive list of auditing information. For example, when a policy is changed, this view lists the name of the attribute, the old value, and the new value.
PARSABLE displays the same set of information as the DETAIL report but in a parsable format. The report uses the pipe character (|) as a separator of the audit data. Use keywords available with the report (DESCRIPTION, ACTION, OLDV, NEWV, etc.) to parse the audit record.
The parsable report contains the following fields:
DESCRIPTION. The details of the action that was performed. The details include the new values that are given to a modified object and the new values of all attributes for a newly created object. The details also show any deleted objects.
TIMESTAMP. The time that the action occurred. The time is displayed in Coordinated Universal Time (UTC) and is indicated in seconds.
CATEGORY. The category of user action that was performed. Categories such as POLICY may contain several sub-categories such as schedules or backup selections. Any modifications to a sub-category are listed as a modification to the primary category. The categories are as follows:
AUDITCFG - Auditing configuration changes
AUDITSVC - Starting and stopping the NetBackup Audit service (nbaudit)
BPCONF - Changes to the bp.conf file (UNIX only)
HOLD - Create, modify, and delete hold operations.
JOB - Job changes such as cancelations or deletions
POLICY - Modification to policy attributes, clients, schedules, or backup selections
POOL - Disk storage pool changes
STORAGESRV - Storage server creation, modification, or deletion
STU - Storage unit creation, modification, or deletion
USER - Adding or deleting users
AZFAILURE - Requests that fail authorization checks
CATALOG - Verifying and expiring images; and reading front-end usage data
TOKEN - Creating, deleting, and cleanup of tokens and specific token issuing failures
CERT - Creating, revoking, renewing, and deploying of certificates and specific certificate failures
SEC_CONFIG - Information that is related to changes that are made to the security configuration settings
LOGIN - The success and failure that is related to NetBackup Administration Console and NetBackup API logon attempts.
HOST - Information that is related to NetBackup host database operations.
CONNECTION - Information about the dropped host connections.
ACTION. The activity that was performed. The following actions are possible for all categories: Detailed descriptions of the specific activities that are performed for each action are found in the DESCRIPTIONS and the DETAILS fields of the command output.
REASON. Reason that is given for the performed action if any. If the audit reason for host and host ID-to-host name mapping operations contains more than 512 characters, the reason text is truncated to 512 characters.
DETAILS. Detailed information on the activity that is separated into attributes (ATTR_num), each with a descriptive name followed by OLDV/NEWV (old value/new value) pair.
Example for a policy deletion: ATTR_1: Policy Type OLDV: Standard NEWV:
Displays the old and new values of a changed attribute on separate lines in the details section of the report. This option is used with the -fmt DETAIL option.
- -order [DTU | DUT | TDU | TUD | UDT | UTD]
Specifies the order in which the information is displayed in the parsable format of the audit report. This option can be used only with the -fmt PARSABLE option. The D, T, and U designators represent the following:
D - description
T - timestamp
U - user
- -pagewidth NNN
Specifies the page width for the details section of the audit report. This option is used with the -fmt DETAIL option.
- -sdate mm/dd/yyyy-hh:mm:ss | mm/dd-hh:mm -edate mm/dd/yyyy-hh:mm:ss | mm/dd-hh:mm
Sets the start date-time (-sdate) or the end date-time (-edate) of the audit report data that you want to view. No time indication is necessary.
If the start date is specified and the end date is not, the displayed audit data is from the specified start time to the present. If the end date is specified and the start date is not, the displayed audit data is up to the end date.
- -user username[:domainname]
Indicates the name of the user for whom you want to display audit information.
Example 1 - Display all audit events that are reported from April 1, 2013 to the present.
# nbauditreport -sdate 04/01/13 USER DESCRIPTION TIMESTAMP Admin@entry Schedule 'test1' was added to Policy 'test1' 04/06/13 Admin@entry Audit setting(s) of master server 'server1' were modified 04/06/13 Admin@entry Audit setting(s) of master server 'server1' were modified 04/06/13 sys@server1 The nbaudit service on master server 'server1' was started 04/06/13 sys@server1 The nbaudit service on master server 'server1' was stopped 04/06/13 sys@server1 The nbaudit service on master server 'server1' was started 04/06/13 Audit records fetched: 7
Example 2 - Display a detailed audit report for when Joe modified a set of policy attributes. Because the policy was changed only one time since 6/8/13, one audit record is retrieved.
# nbauditreport -fmt DETAIL -ctgy POLICY -sdate 6/8/13 DESCRIPTION: Attributes of Policy 'pol_stugrp' were modified USER: joe TIMESTAMP: 06/08/2013 19:14:25 CATEGORY: POLICY ACTION: MODIFY DETAILS: ATTRIBUTE OLD VALUE NEW VALUE 1 Proxy Client 2 Residence stu_grp 3 Collect TIR info 2 0 4 Checkpoint Restart 0 1 5 Checkpoint Interval 0 15 6 Data Mover Type 2 -1 7 Collect BMR Info 1 0 8 Policy Generation 1 2 Audit records fetched: 1
The DETAILS entry shows the old value and new value of all the attributes that Joe changed.
Example 3 - Display an audit report for all hold operations that were performed since August 30, 2013.
# nbauditreport -ctgy HOLD -sdate "08/30/13 22:46:50" -fmt DETAIL DESCRIPTION: Hold with hold name test hold for report1 is created USER: firstname.lastname@example.org TIMESTAMP: 08/30/13 22:47:56 CATEGORY: HOLD ACTION: CREATE REASON: DETAILS: ATTRIBUTE OLD VALUE NEW VALUE 1 On-hold image list nakul2.mydomain.co DESCRIPTION: Hold with hold name test hold for report1 is created USER: email@example.com TIMESTAMP: 08/30/13 22:47:54 CATEGORY: HOLD ACTION: CREATE REASON: Audit records fetched: 2