Each audit record describes the occurrence of a single audited event and includes information such as who did the action, which files were affected, what action was attempted, and where and when the action occurred.
The type of information that is saved for each audit event is defined as a set of audit tokens. Each time an audit record is created for an event, the record contains some or all of the tokens that are defined for it, depending on the nature of the event. You can generate audit record descriptions with the auditlist command. For more information, see How to Display Audit Record Formats. For a description of the structure of each audit token, see Audit Token Formats.
Audit records are collected in an audit trail (see the audit.log(4) man page) and can be converted to a readable format by the praudit command (see the praudit(1M) man page). See The praudit Command for details.