Trusted Solaris Audit Administration

To Change Event-Class Mappings

  1. Change event-class mappings in the audit_control(4) file.

    1. As role secadmin, at label admin_low, open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Events action.

  2. Edit the file to change the class mapping for each event to be changed, write the file, and exit the editor.

    If you are changing events above number 2048, this is all you need to do.

    Note - On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every workstation on the network. See "To Distribute Audit Configuration Files to a Network of Workstations" for a process to distribute master copies of files to all workstations on the network.

  3. If you modify a kernel event mapping (numbers 1 to 2047):

    1. Reboot the system, or

    2. As role secadmin, at label admin_low, change the runtime event-to-class mappings:

      $ auditconfig -conf
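
The following script is an added example, not part of the Trusted Solaris documentation. It compares a saved copy of the event file with the edited copy, lists every event whose class mapping changed, and reports whether any changed event falls in the kernel range (1 to 2047), which is when step 3 applies. It assumes the colon-separated layout number:name:description:classes; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Line format assumed: number:name:description:classes

# Print "number name old_classes new_classes kernel|user" for each event
# whose class field differs between the old file ($1) and the new file ($2).
changed_mappings() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }         # skip comments, malformed lines
        NR == FNR { old[$1] = $NF; next }     # first file: remember classes
        ($1 in old) && old[$1] != $NF {
            # Kernel events are numbers 1 to 2047, per the procedure above.
            scope = ($1 + 0 >= 1 && $1 + 0 <= 2047) ? "kernel" : "user"
            print $1, $2, old[$1], $NF, scope
        }
    ' "$1" "$2"
}

# Succeed (exit 0) if any changed event is a kernel event.
needs_kernel_reload() {
    changed_mappings "$1" "$2" | grep ' kernel$' > /dev/null
}

# Write constructed sample files "old" and "new" into directory $1.
make_samples() {
    cat > "$1/old" <<'EOF'
# constructed sample entries, not a real system file
1:AUE_EXIT:exit(2):pm
2:AUE_FORK:fork(2):pm
6152:AUE_login:login - local:lo
EOF
    cat > "$1/new" <<'EOF'
# constructed sample entries, not a real system file
1:AUE_EXIT:exit(2):pm
2:AUE_FORK:fork(2):no
6152:AUE_login:login - local:lo,ad
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
changed_mappings "$tmp/old" "$tmp/new"
if needs_kernel_reload "$tmp/old" "$tmp/new"; then
    echo "kernel event changed: reboot or run auditconfig -conf as secadmin"
fi
rm -rf "$tmp"
```

The script only reports; it does not run auditconfig itself, so the role and label requirements of step 3 still apply to the operator.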