Human-Readable Audit Record Format

This section shows each audit record format as it appears in the output produced by the praudit command. This section also gives a short description of each audit token. For a complete description of each field in each token, see Appendix A, Audit Record Descriptions.

The following token examples show the form that praudit produces by default. Examples are also provided of raw (-r) and short (-s) options. When praudit displays an audit token, it begins with the token type, followed by the data from the token. Each data field from the token is separated from other fields by a comma. However, if a field (such as a path name) contains a comma, this cannot be distinguished from a field-separating comma. Use a different field separator or the output will contain commas. The token type is displayed by default as a name, like header, or in -r format as a decimal number.

The individual tokens are described in the following order:

• "header Token"

• "trailer Token"

• "arbitrary Token"

• "arg Token"

• "attr Token"

• "exit Token"

• "file Token"

• "groups Token"

• "in_addr Token"

• "ip Token"

• "ipc Token"

• "ipc_perm Token"

• "iport Token"

• "opaque Token"

• "path Token"

• "process Token"

• "return Token"

• "seq Token"

• "socket Token"

• "subject Token"

• "text Token"