audit and auditd

The audit(1M) command is an interface to control the current audit daemon. The audit daemon.auditd(1M), controls the generation and location of audit trail files, using information from the audit_control file. The auditd command starts the audit daemon (if auditing has been enabled). The audit command can halt the daemon, which stops the recording but not the collection of audit records; the audit command provides other options as well for controlling the daemon.

The audit command lets you

Reset the first directory in the list of audit storage directories in the audit_control file.
Open a new audit file in the audit directory specified in the audit_control file, as last read by the audit daemon.
Signal the audit daemon to close the audit trail and halt the recording but not the collection of audit records.

Previous: Planning and Setting Up Auditing
Next: auditconfig