Audit Class Syntax

Events can be audited for success, events can be audited for failure, and events can be audited for both. Without a prefix, a class of events is audited for success and for failure. With a plus (+) prefix, a class of events is audited for success only. With a minus (-) prefix, a class of events is audited for failure only. The following table shows some possible representations of audit classes.

Table 31–2 Plus and Minus Prefixes to Audit Classes

[prefix]class	Explanation
lo	Audit all successful attempts to log in and log out, and all failed attempts to log in. A user cannot fail an attempt to log out.
+lo	Audit all successful attempts to log in and log out.
-all	Audit all failed events.
+all	Audit all successful events.

---

Caution –

The all class can generate large amounts of data and quickly fill audit file systems. Use the all class only if you have extraordinary reasons to audit all activities.

---

Audit classes that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit class.

Table 31–3 Caret Prefix That Modifies Already-Specified Audit Classes

^[prefix]class	Explanation
-all,^-fc	Audit all failed events, except do not audit failed attempts to create file objects
am,^+aa	Audit all administrative events for success and for failure, except do not audit successful attempts to administer auditing
am,^ua	Audit all administrative events for success and for failure, except do not audit user administration events

The audit classes and their prefixes can be used in the following files and commands:

• In the flags line in the audit_control file

• In the plugin:name=audit_syslog.so; p_flags= line in the audit_control file

• In the user's entry in the audit_user database

• As arguments to auditconfig command options

See audit_control File for an example of using the prefixes in the audit_control file.