Trusted Solaris Audit Administration

To Change Event-Class Mappings

  1. Change event-class mappings in the audit_control(4) file.

    1. As role secadmin, at label admin_low, open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Events action.

  2. For each event to be changed, edit its class mapping, then write the file and exit the editor.

    If you are changing events above number 2048, no further steps are required.


    Note – On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.


  3. If you modify a kernel event mapping (numbers 1 to 2047), restart auditing by doing one of the following:

    • Reboot the system, or

    • As role secadmin, at label admin_low, change the runtime event-to-class mappings:


      $ auditconfig -conf
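
To decide whether step 3 applies after an edit, the following added example (not part of the original procedure) compares a saved copy of the file with the edited one and flags any changed mapping whose event number falls in the kernel range 1 to 2047. It assumes the mappings are in audit_event with the layout number:name:description:classes; the function names, the `.orig` copy, and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which event-class mappings changed between a saved
# copy and the edited file, and whether any is a kernel event (1 to 2047).
# Assumed layout: number:name:description:classes, "#" starts a comment.
AWK=${AWK:-awk}    # assumption: set AWK=nawk where plain awk is the old awk

# changed_mappings OLD NEW
# One line per added or remapped event: kind number name old -> new
changed_mappings() {
    "$AWK" -F: '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments, short lines
        FILENAME == ARGV[1]  { old[$1] = $4; next }
        {
            if (!($1 in old))        was = "(none)"
            else if (old[$1] != $4)  was = old[$1]
            else                     next
            kind = ($1 + 0 >= 1 && $1 + 0 <= 2047) ? "kernel" : "user"
            print kind, $1, $2, was, "->", $4
        }' "$1" "$2"
}

# Exit status 0 when at least one kernel event mapping changed.
needs_auditconfig_conf() {
    changed_mappings "$1" "$2" | grep '^kernel ' >/dev/null
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/audit_event.orig" <<'EOF'
# constructed sample, not a real system file
1:AUE_EXIT:exit(2):pm
2:AUE_FORK:fork(2):pm
6152:AUE_login:login - local:lo
EOF
    cat > "$1/audit_event" <<'EOF'
# constructed sample, not a real system file
1:AUE_EXIT:exit(2):pm
2:AUE_FORK:fork(2):pm,ps
6152:AUE_login:login - local:lo,ad
EOF
}

demo_dir=${TMPDIR:-/tmp}/audit_event_demo.$$
mkdir "$demo_dir" && make_sample "$demo_dir"
changed_mappings "$demo_dir/audit_event.orig" "$demo_dir/audit_event"
if needs_auditconfig_conf "$demo_dir/audit_event.orig" "$demo_dir/audit_event"; then
    echo "kernel mapping changed: reboot or run auditconfig -conf"
fi
rm -rf "$demo_dir"
```

The script only reports; it does not run auditconfig itself, so the restart in step 3 remains an explicit action by role secadmin.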