header Token
Every audit record begins with a header token. The header token gives information common to all audit records. The fields are:
-
A token ID
-
The record length in bytes, including the header and trailer tokens
-
An audit record structure version number
-
An event ID identifying the type of audit event
-
An event ID modifier with descriptive information about the event type
-
The time and date the record was created
When displayed by praudit in default format, a header token looks like the following example from ioctl:
header,240,1,ioctl(2),es,Tue Sept 1 16:11:44 1992, + 270000 msec |
Using praudit -s, the event description (ioctl(2) in the default praudit example above) is replaced with the event name (AUE_IOCTL), like this:
header,240,1,AUE_IOCTL,es,Tue Sept 1 16:11:44 1992, + 270000 msec |
Using praudit -r, all fields are displayed as numbers (that can be decimal, octal, or hex), where 158 is the event number for this event.
20,240,1,158,0003,699754304, + 270000 msec |
Notice that praudit displays the time to millisecond resolution.
- © 2010, Oracle Corporation and/or its affiliates