The socket token contains information that describes an Internet socket. In some instances, the token includes only the remote port and remote IP address.
The praudit command displays this instance of the socket token as follows:
socket,0x0002,0x83b1,localhost
The expanded token adds information, including socket type and local port information.
The praudit -x command displays this instance of the socket token as follows. The line in the following example is wrapped for display purposes.
<socket sock_domain="0x0002" sock_type="0x0002" lport="0x83cf" laddr="example1" fport="0x2383" faddr="server1.Subdomain.Domain.COM"/>
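The two display forms shown above can be normalized into one record for log review or detection rules. The following parser is an added example, not part of the original documentation or of the audit tooling; the function name and output keys are hypothetical, and it assumes that the first hex field of the short form is the socket domain and that the hex port values are the port numbers as displayed.

```python
import xml.etree.ElementTree as ET

# The two sample lines are the praudit outputs quoted on this page.
SHORT = "socket,0x0002,0x83b1,localhost"
EXPANDED = ('<socket sock_domain="0x0002" sock_type="0x0002" lport="0x83cf" '
            'laddr="example1" fport="0x2383" faddr="server1.Subdomain.Domain.COM"/>')


def _hex(value):
    """Convert a praudit hex field such as '0x83b1' to an integer."""
    return int(value, 16)


def parse_socket_token(line):
    """Normalize one socket token (praudit or praudit -x form) into a dict.

    Fields that the short form does not carry are returned as None.
    """
    line = line.strip()
    if line.startswith("<socket"):
        # A single element with no prolog cannot declare entities,
        # so parsing it does not expand attacker-supplied DTD content.
        attrs = ET.fromstring(line).attrib
        return {
            "domain": _hex(attrs["sock_domain"]),
            "type": _hex(attrs["sock_type"]),
            "local_port": _hex(attrs["lport"]),
            "local_addr": attrs["laddr"].lower(),
            "remote_port": _hex(attrs["fport"]),
            "remote_addr": attrs["faddr"].lower(),
        }
    fields = line.split(",")
    if len(fields) != 4 or fields[0] != "socket":
        raise ValueError("not a socket token: %r" % line)
    # Assumption: field 1 is the socket domain; fields 2 and 3 are the
    # remote port and remote address, as the text above describes.
    return {
        "domain": _hex(fields[1]),
        "type": None,
        "local_port": None,
        "local_addr": None,
        "remote_port": _hex(fields[2]),
        "remote_addr": fields[3].lower(),
    }


if __name__ == "__main__":
    for sample in (SHORT, EXPANDED):
        print(parse_socket_token(sample))
```

Host names are lowercased so that the same peer matches regardless of how the audit record spells it.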