CONTENTS

Title Page
Copyright Page
Preface

ANALYZE/AUDIT DESCRIPTION
    1 ANALYZE/AUDIT Command Line Format
    2 Audit Analysis Utility Output
        2.1 Brief Listing Format
        2.2 Full Listing Format
        2.3 Summary Report Format
        2.4 Binary Output
    3 How to Perform an Audit Analysis
        3.1 Recognizing Common System Events
        3.2 Performing a Periodic Audit Analysis
        3.3 Performing a Detailed Audit Analysis
        3.4 Using Interactive Mode Commands

ANALYZE/AUDIT USAGE SUMMARY

ANALYZE/AUDIT QUALIFIERS
    /BEFORE
    /BINARY
    /BRIEF
    /EVENT_TYPE
    /FULL
    /IGNORE
    /INTERACTIVE
    /OUTPUT
    /PAUSE
    /SELECT
    /SINCE
    /SUMMARY

ANALYZE/AUDIT INTERACTIVE MODE COMMANDS
    CONTINUE
    DISPLAY
    EXIT
    HELP
    LIST
    NEXT FILE
    NEXT RECORD
    POSITION
    SHOW

A Security Audit Message Format
    A.1 Audit Header Packet
    A.2 Audit Data Packets

EXAMPLES
    AUD-1 Sample Brief Listing
    AUD-2 Sample Full Listing
    AUD-3 Sample Summary Output
    AUD-4 Spotting Suspicious Activity in the Audit Analysis Report
    AUD-5 A Full Format Audit Analysis Report
    AUD-6 Entering Interactive Command Mode

FIGURES
    A-1 Audit Header Packet Format
    A-2 Audit Data Packet Format

TABLES
    A-1 Audit Header Packet
    A-2 NSA$W_RECORD_TYPE Event Types
    A-3 Audit Record Subtypes
    A-4 Audit Data Packet
    A-5 NSA$W_PACKET_TYPE Data Types