The following examples of a header token show the form that praudit produces by default. Examples are also given for the raw (-r) and short (-s) options.
Every audit record begins with a header token. The header token gives information common to all audit records. When displayed by praudit in default format, a header token looks like the following example from ioctl():
header,240,1,ioctl(2),,Tue Sept 7 16:11:44 1999, + 270000 msec
The fields are:
A token ID, here in text form, header
The record length in bytes, including the header and trailer tokens, here 240
An audit record structure version number, here, version 1
An event ID identifying the type of audit event, here in text form, ioctl(2)
An event ID modifier with descriptive information about the event type, here the descriptive field is empty
The time and date the record was created, here Tue Sept 7 16:11:44 1999, + 270000 msec
Using praudit -s, the event description (ioctl(2) in the default praudit example above) is replaced with the event name (AUE_IOCTL), like this:
header,240,1,AUE_IOCTL,,Tue Sept 7 16:11:44 1999, + 270000 msec
Using praudit -r, all fields are displayed as numbers (that may be decimal, octal, or hex), where 20 is the header token ID and 158 is the event number for this event.
20,240,1,158,,699754304, + 270000 msec
Note that praudit displays the time to millisecond resolution.
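As an added example (not part of the original page or of praudit itself), the following parser reads a header token line in any of the three forms shown above and groups praudit output lines into records, each starting at a header token. The second line of the sample input is constructed and not real praudit output.

```python
import re
from dataclasses import dataclass

# A header token has six fields in default, -s and -r form alike; in -r form
# the token ID is 20 and the time is epoch seconds. The "+ N msec" suffix
# follows the date after a comma, so a naive split(",") would cut the time
# field in two; the pattern below keeps it whole.
_HEADER_RE = re.compile(
    r"^(?P<tid>header|20),(?P<len>\d+),(?P<ver>\d+),"
    r"(?P<event>[^,]*),(?P<mod>[^,]*),(?P<time>[^,]+), \+ (?P<msec>\d+) msec$"
)

@dataclass
class HeaderToken:
    raw: bool          # True for praudit -r output
    record_len: int    # bytes, header and trailer tokens included
    version: int       # audit record structure version
    event: str         # "ioctl(2)", "AUE_IOCTL" or "158" depending on the mode
    modifier: str      # event ID modifier, empty in the examples above
    time: str          # date text, or epoch seconds as text in raw mode
    msec: int

def parse_header(line: str) -> HeaderToken:
    """Parse one praudit header line; raise ValueError if it is not a header token."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a header token: {line!r}")
    raw = m["tid"] == "20"
    if raw and not m["time"].isdigit():
        raise ValueError("raw header token must carry an epoch timestamp")
    return HeaderToken(raw, int(m["len"]), int(m["ver"]), m["event"],
                       m["mod"], m["time"], int(m["msec"]))

def split_records(lines):
    """Group praudit lines into records; every record begins with a header token."""
    records, current = [], None
    for line in lines:
        if line.startswith(("header,", "20,")):   # token ID 20 is the header token
            current = [line]
            records.append(current)
        elif current is None:
            raise ValueError("token seen before the first header token")
        else:
            current.append(line)
    return records

# Constructed sample: two header lines from the page plus one made-up token
# line (hypothetical, not real praudit output) so there is something to group.
SAMPLE = [
    "header,240,1,ioctl(2),,Tue Sept 7 16:11:44 1999, + 270000 msec",
    "path,/dev/null",
    "header,240,1,AUE_IOCTL,,Tue Sept 7 16:11:44 1999, + 270000 msec",
]
```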