Each audit record describes the occurrence of a single audited event and includes such information as who did the action, which files were affected, what action was attempted, and where and when it occurred.
The type of information saved for each audit event is defined as a set of audit tokens. Each time an audit record is created for an event, the record contains some or all of the tokens defined for it, depending on the nature of the event. The audit record descriptions in Appendix A list all the audit tokens defined for each event and what each token means.
Audit records are collected in a trail (see the audit.log(4) man page) and can be converted to a human readable format by praudit (see the praudit(1M) man page). See Chapter 3, Audit Trail Analysis for details.