System Administration Guide: Security Services

header Token

The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.

The header token has eight fields:

On 64-bit systems, the header token is displayed with a 64-bit timestamp, in place of the 32-bit timestamp.

The praudit command displays the header token as follows:

header,69,2,su,,machine1,2009-04-08 13:11:58.209 -07:00

The praudit -x command displays the fields of the header token at the beginning of the audit record. The line is wrapped for display purposes.

<record version="2" event="su" host="machine1" 
iso8601="2009-04-08 13:11:58.209 -07:00">