Trusted Solaris Audit Administration

Audit Records

Each audit record describes the occurrence of a single audited event and includes such information as who did the action, which files were affected, what action was attempted, and where and when it occurred.

The type of information saved for each audit event is defined as a set of audit tokens. Each time an audit record is created for an event, the record contains some or all of the tokens defined for it, depending on the nature of the event and the audit policy. The audit record descriptions in Appendix B, Audit Record Descriptions list all the audit tokens defined for each event and what each token means.

Audit tokens are assembled into audit records, which are written to an audit file. An audit trail is one or more audit files in a distributed system. The construction of the audit trail is shown in Figure 1-1. The audit trail can be converted to a human-readable format with praudit (see the praudit(1M) man page), and specific audit records can be selected with the auditreduce(1M) command. See Chapter 3, Audit Trail Management and Analysis, for details.

Figure 1-1 From the Audit Token to the Audit Trail (figure not reproduced here)