Each audit record records the occurrence of a single audited event. The record includes information such as who did the action, which files were affected, what action was attempted, and where and when the action occurred. The following example shows a login audit record with three tokens, header, subject, and return:
header,69,2,login - local,,example_system,2010-10-10 10:10:10.020 -07:00 subject,jdoe,jdoe,staff,jdoe,staff,1210,4076076536,69 2 example_system return,success,0
The type of information that is saved for each audit event is defined by a set of audit tokens. Each time an audit record is created for an event, the record contains some or all of the tokens that are defined for the event. The nature of the event determines which tokens are recorded. In the preceding example, each line begins with the name of the audit token. The content of the audit token follows the token name. Together, the header, subject, and return audit tokens comprise the login - local audit record. To display the tokens that comprise an audit record, use the auditrecord -e event command.
For a detailed description of the structure of each audit token with an example of praudit output, see Audit Token Formats. For a description of the binary stream of audit tokens, see the audit.log (4) man page.