All audit records including audit records generated by the auditwrite(3TSOL) routine are logged to the audit trail in a series of binary files at ADMIN_HIGH. The location of the audit files is set in the /etc/security/audit_control file, and by default is /var/audit. The praudit(1M) command reads the audit trail files and interprets the binary data as human-readable audit records.
Assume a role that can run the tail(1) and praudit(1M) commands with the proc_audit_appl and proc_audit_tcb privileges. Open a terminal at ADMIN_HIGH, change directory to where the audit records are stored, and execute the tail and praudit commands as shown to view the current audit file.
This syntax works when there is only one *not_terminated* file. If there are others, delete the older ones before executing this command.
phoenix% cd /var/audit
phoenix% tail -0f *not_terminated* | praudit
The audit daemon logs audit records to the audit partition until they reach their maximum capacity and then starts a new file. The file currently written to is the not_terminated audit file. View the /etc/security/audit_data file to determine which file is current.
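The following script is an added example and is not part of the Trusted Solaris documentation. It automates the step above without deleting older not_terminated files: it first asks /etc/security/audit_data which file the audit daemon is writing, and falls back to the newest *not_terminated* file in the audit directory. It assumes audit_data has the Solaris form `<auditd pid>:<path of current file>` and that audit files are named `<timestamp>.not_terminated.<host>`; the directory and audit_data locations are parameters so the selection logic can be exercised on a constructed directory.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation).
# Locate the audit file currently being written and stream it through praudit.
#
# Assumptions (not verified against the page):
#   - /etc/security/audit_data holds one line of the form "<pid>:<path>".
#   - Audit files are named "<YYYYMMDDhhmmss>.not_terminated.<hostname>".

# current_audit_file DIR AUDIT_DATA
#   Print the path of the current audit file.
#   1. Prefer the file recorded in AUDIT_DATA (the daemon's own bookkeeping).
#   2. Otherwise take the most recently modified *not_terminated* file in DIR,
#      which is the right choice when several not_terminated files exist
#      (e.g. left over from an unclean shutdown) and none should be removed.
current_audit_file() {
    dir=$1
    data=$2

    if [ -r "$data" ]; then
        # Strip the leading "pid:" from the first line; empty if the line
        # does not have that shape.
        f=$(sed -n '1s/^[0-9]*://p' "$data")
        if [ -n "$f" ] && [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    fi

    # Fallback: newest by modification time. ls -t sorts newest first.
    newest=$(ls -t "$dir"/*not_terminated* 2>/dev/null | head -n 1)
    if [ -z "$newest" ]; then
        echo "no not_terminated audit file in $dir" >&2
        return 1
    fi
    printf '%s\n' "$newest"
}

# watch_current_audit DIR AUDIT_DATA
#   Follow the current audit file and render records with praudit.
#   "tail -n 0 -f" is the POSIX spelling of the "tail -0f" used above.
watch_current_audit() {
    f=$(current_audit_file "$1" "$2") || return 1
    tail -n 0 -f "$f" | praudit
}

# Typical invocation on the system itself (run from an ADMIN_HIGH terminal
# in a role holding proc_audit_appl and proc_audit_tcb):
#   watch_current_audit /var/audit /etc/security/audit_data
```

Reading audit_data first matters when more than one not_terminated file is present: the daemon's record, not the file names, says which file is live, and the older files stay in place for the audit trail.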