Are there any user-defined variables available in the eventlog? When looking in the eventlog for certain commands - e.g. useradd, how does one map that eventlog entry back to the keystroke log that would contain it?
Unfortunately, user-defined variables are not recorded in the eventlog.
Commands like useradd should create events in the eventlog when run within a pmksh, so long as the shellprofile doesn't include it in the pf_shellallow list, or the command is not a shell builtin. Try pmlog with the constraint "basename(command) == 'username'" to get all the eventlog entries that match.
To trace this back to the iolog file, you could do:
pmlog -c "basename(command) == 'useradd'" -p pmshell_uniqueid
To get the uniqueids of any pmshells in which the useradd command was run. Then, to look up the iolog file, do:
pmlog -c "uniqueid == '<pmshell_uniqueid>'" -p iolog
Attached is a zip file that contains a script called audit_replay.sh that may be of use to you.
./audit_replay.sh -c useradd - should display all the iolog files for any pmshell session in which the useradd command was run.
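An added example (not the attached audit_replay.sh, which is not reproduced here) that chains the two pmlog queries from the answer into one POSIX sh script, so a command name maps straight to the iolog files of the sessions that ran it. It assumes pmlog is on PATH and that -p prints one property value per line.

```shell
#!/bin/sh
# Added example: command name -> pmshell sessions -> iolog files.
# Assumes pmlog is on PATH and that "-p <property>" prints one value per line.

# Step 1 from the answer: the pmshell_uniqueid of every session whose
# eventlog contains the given command. A session that ran the command
# several times appears several times, so duplicates are collapsed.
sessions_for_command() {
    cmd="$1"
    # Inner single quotes belong to the pmlog constraint language,
    # outer double quotes to sh, so $cmd is expanded exactly once.
    pmlog -c "basename(command) == '$cmd'" -p pmshell_uniqueid | sort -u
}

# Step 2 from the answer: map one pmshell_uniqueid back to its iolog file.
iolog_for_session() {
    pmlog -c "uniqueid == '$1'" -p iolog
}

# Full chain: one iolog path per line, in sorted session order.
iologs_for_command() {
    sessions_for_command "$1" | while IFS= read -r sid; do
        [ -n "$sid" ] || continue
        iolog_for_session "$sid"
    done
}

# Usage: ./audit_trace.sh useradd   (hypothetical script name)
if [ -n "$1" ]; then
    iologs_for_command "$1"
fi
```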