System Administration Guide: Security Services

Audit Record Structure

An audit record is a sequence of audit tokens. Each audit token contains event information such as user ID, time, and date. A header token begins an audit record, and an optional trailer token concludes the record. Other audit tokens contain information relevant to the audit event. The following figure shows a typical audit record.

Figure 31–3 Typical Audit Record Structure

[Figure: a header token followed by an arg token, a data token, a subject token, and a return token]
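The record layout above (header, arg, data, subject, return, with an optional trailer) can be walked token by token. The following is an added example, not code from the guide or from Solaris itself: a small decoder for a BSM-style binary audit record. The token layouts it assumes (AUT_HEADER32, AUT_ARG32, AUT_DATA, AUT_SUBJECT32, AUT_RETURN32, AUT_TRAILER with the 0xB105 trailer magic) follow the BSM binary format used by Solaris and OpenBSM, and the sample record is constructed in code rather than captured from a system. Besides splitting the record into tokens, it performs the framing check an analyst wants before trusting a record: the byte count in the header must match the bytes actually read, and the optional trailer must repeat it.

```python
"""Decode a BSM-style binary audit record into its tokens (added example).

Token layouts are assumed from the Solaris/OpenBSM BSM binary format;
the sample record built below is constructed, not captured from a host.
"""
import struct

AUT_TRAILER, AUT_HEADER32, AUT_DATA = 0x13, 0x14, 0x21
AUT_SUBJECT32, AUT_RETURN32, AUT_ARG32 = 0x24, 0x27, 0x2D
TRAILER_MAGIC = 0xB105
AUR_SIZES = {0: 1, 1: 2, 2: 4, 3: 8}  # AUT_DATA unit size by "data type" byte


def build_sample_record() -> bytes:
    """Construct one record: header, arg, data, subject, return, trailer."""
    body = b""
    # AUT_ARG32: arg number, 32-bit value, text length (incl. NUL), text
    text = b"fd\x00"
    body += struct.pack(">BBIH", AUT_ARG32, 1, 3, len(text)) + text
    # AUT_DATA: print format (0 = binary), data type (0 = byte), count, items
    body += struct.pack(">BBBB", AUT_DATA, 0, 0, 4) + b"\xde\xad\xbe\xef"
    # AUT_SUBJECT32: auid, euid, egid, ruid, rgid, pid, sid, tid(port, machine)
    body += struct.pack(">B9I", AUT_SUBJECT32,
                        1001, 0, 0, 1001, 10, 4242, 7, 0, 0x7F000001)
    # AUT_RETURN32: errno byte, 32-bit return value
    body += struct.pack(">BBI", AUT_RETURN32, 0, 3)
    total = 18 + len(body) + 7          # header is 18 bytes, trailer 7
    # AUT_HEADER32: byte count, version 2, event type, modifier, sec, msec
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 2, 6, 0,
                         1_700_000_000, 0)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)
    return header + body + trailer


def parse_record(buf: bytes) -> list:
    """Split a record into (token name, fields) tuples, in order."""
    tokens, pos = [], 0
    while pos < len(buf):
        tid = buf[pos]
        if tid == AUT_HEADER32:
            length, ver, ev, mod, sec, msec = struct.unpack_from(">IBHHII", buf, pos + 1)
            tokens.append(("header", {"length": length, "version": ver,
                                      "event": ev, "modifier": mod,
                                      "sec": sec, "msec": msec}))
            pos += 18
        elif tid == AUT_ARG32:
            num, val, tlen = struct.unpack_from(">BIH", buf, pos + 1)
            text = buf[pos + 8: pos + 8 + tlen].rstrip(b"\x00").decode()
            tokens.append(("arg", {"num": num, "value": val, "text": text}))
            pos += 8 + tlen
        elif tid == AUT_DATA:
            fmt, dtype, count = struct.unpack_from(">BBB", buf, pos + 1)
            size = AUR_SIZES[dtype] * count
            tokens.append(("data", {"format": fmt, "type": dtype,
                                    "bytes": buf[pos + 4: pos + 4 + size]}))
            pos += 4 + size
        elif tid == AUT_SUBJECT32:
            names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid",
                     "port", "machine")
            tokens.append(("subject", dict(zip(names, struct.unpack_from(">9I", buf, pos + 1)))))
            pos += 37
        elif tid == AUT_RETURN32:
            err, val = struct.unpack_from(">BI", buf, pos + 1)
            tokens.append(("return", {"errno": err, "value": val}))
            pos += 6
        elif tid == AUT_TRAILER:
            magic, length = struct.unpack_from(">HI", buf, pos + 1)
            tokens.append(("trailer", {"magic": magic, "length": length}))
            pos += 7
        else:
            raise ValueError(f"unknown token id 0x{tid:02x} at offset {pos}")
    return tokens


def check_framing(buf: bytes, tokens: list) -> bool:
    """Header byte count must equal bytes read; a trailer, if present, must agree."""
    if not tokens or tokens[0][0] != "header":
        return False
    declared = tokens[0][1]["length"]
    if declared != len(buf):
        return False
    last = tokens[-1]
    if last[0] == "trailer":          # trailer is optional in the format
        return last[1]["magic"] == TRAILER_MAGIC and last[1]["length"] == declared
    return True


if __name__ == "__main__":
    rec = build_sample_record()
    toks = parse_record(rec)
    for name, fields in toks:
        print(name, fields)
    print("framing ok:", check_framing(rec, toks))
```

A mismatch between the header's byte count and the bytes actually consumed is the first thing to look for when a trail has been truncated or tampered with; the decoder above refuses such a record rather than silently resynchronizing on the next header.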

Audit Record Analysis

Audit record analysis involves postselecting records from the audit trail. You can use one of two approaches to parsing the binary data that was collected.