On occasion I need to go through the eventlog to gather information about activities by a particular user on a particular system. When a user accesses root via Privilege Manager for Unix (QPM), the original user login is stored in an environment variable. The pmlog command allows queries based upon values of QPM variables, but is there a way to tailor a query based upon the contents of a particular environment variable?
You can use a command similar to the below:
# pmlog -c "'USER=root' in env"
Note: there is a double quote (") followed immediately by a single quote (') in the above.