Order of Audit Tokens

Each audit record begins with a header token and ends (optionally) with a trailer token. One or more tokens between the header and trailer describe the event. For user-level and kernel events, the tokens describe the process that performed the event, the objects on which it was performed, and the objects' tokens, such as the owner or mode.

Each user-level and kernel event typically has at least the following tokens:

header
subject
return

Many events also include a trailer token, but it is optional.

Previous: Tools for Merging, Selecting, Viewing, and Interpreting Audit Records
Next: Human-Readable Audit Record Format