The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.
Infrequently, a header token can include one or more event modifiers:
na indicates a non-attributable event
header,52,2,system booted,na,mach1,2011-10-10 10:10:20.564 -07:00
sp indicates the successful use of privilege
header,120,2,exit(2),sp,mach1,2011-10-10 10:10:10.853 -07:00
The praudit command displays the header token as follows:
header,756,2,execve(2),,machine1,2010-10-10 12:11:10.209 -07:00
The praudit -x command displays the fields of the header token at the beginning of the audit record. The line in the following example is wrapped for display purposes.
<record version="2" event="execve(2)" host="machine1" iso8601="2010-10-10 12:11:10.209 -07:00">
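The comma-delimited header lines shown above can be parsed and triaged by event modifier. The following Python sketch is an added example, not part of the original documentation or of the audit tooling. The field label `byte_count` for the second field and the `:` separator between multiple modifiers are assumptions, and `parse_header` and `flag_modified` are hypothetical helper names.

```python
from datetime import datetime

# Modifier meanings as given on this page; any other value is kept but unlabelled.
MODIFIER_MEANING = {"na": "non-attributable event",
                    "sp": "successful use of privilege"}

# The three header lines shown on this page.
SAMPLE = [
    "header,52,2,system booted,na,mach1,2011-10-10 10:10:20.564 -07:00",
    "header,120,2,exit(2),sp,mach1,2011-10-10 10:10:10.853 -07:00",
    "header,756,2,execve(2),,machine1,2010-10-10 12:11:10.209 -07:00",
]

def parse_header(line):
    """Split one comma-delimited praudit header line into named fields."""
    parts = line.strip().split(",")
    if len(parts) < 7 or parts[0] != "header":
        raise ValueError("not a header token: %r" % line)
    # Take fixed fields from both ends so that an event description that
    # itself contains the delimiter does not shift the later fields.
    modifier, host, stamp = parts[-3:]
    return {
        "byte_count": int(parts[1]),   # assumed meaning of the second field
        "version": int(parts[2]),
        "event": ",".join(parts[3:-3]),
        # Assumption: several modifiers in one field are ':'-separated.
        "modifiers": [m for m in modifier.split(":") if m],
        "host": host,
        "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f %z"),
    }

def flag_modified(lines):
    """Return (time, host, event, meanings) for headers carrying a modifier."""
    hits = []
    for line in lines:
        if not line.startswith("header,"):
            continue               # other tokens of the record are skipped
        h = parse_header(line)
        if h["modifiers"]:
            meanings = [MODIFIER_MEANING.get(m, "unknown: " + m)
                        for m in h["modifiers"]]
            hits.append((h["time"].isoformat(), h["host"], h["event"], meanings))
    return hits

if __name__ == "__main__":
    for hit in flag_modified(SAMPLE):
        print(hit)
```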