Use the message type selection for auditreduce (-m option) to find a particular audit event.
The -m option accepts either numeric message identifiers or AUE_xxxxx event names. The screen example below finds all kernel-level login events in the audit trail and displays them to standard output.
$ auditreduce -m AUE_LOGIN | praudit
The auditreduce command rejects an incorrect format, but does not describe the correct format.
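Because auditreduce does not say what a valid -m value looks like, a selector can be checked before the command is run. The following is an added example, not part of the original documentation: the helper name check_event_selector is hypothetical, the event table is assumed to use the number:name:description:class layout of /etc/security/audit_event, exact-case name matching is an assumption, and the sample rows are constructed.

```shell
# Added example: pre-check an auditreduce -m selector before running the command.
# Assumption: table rows are number:name:description:class, the layout of
# /etc/security/audit_event. The rows below are constructed, not real event numbers.
SAMPLE_EVENTS='# constructed sample rows
9001:AUE_LOGIN:sample login event:lo
9002:AUE_LOGOUT:sample logout event:lo
9003:AUE_SAMPLE_EXEC:sample exec event:ps'

# check_event_selector SELECTOR [TABLE_FILE]   (hypothetical helper)
# Prints "number:name" and returns 0 when the selector is well formed and known.
# Returns 2 for a malformed selector, 1 for a well-formed but unknown one.
check_event_selector() {
    sel=$1
    table=${2:-}
    # Classify the selector: field 1 = numeric id, field 2 = AUE_ name, 0 = malformed.
    case $sel in
        ''|*[!A-Za-z0-9_]*) field=0 ;;
        *[!0-9]*) case $sel in AUE_?*) field=2 ;; *) field=0 ;; esac ;;
        *) field=1 ;;
    esac
    if [ "$field" -eq 0 ]; then
        echo "bad selector '$sel': use a numeric id or an AUE_xxxxx name" >&2
        return 2
    fi
    # Use the caller's table if given, otherwise the constructed sample rows.
    if [ -n "$table" ]; then
        [ -r "$table" ] || { echo "cannot read $table" >&2; return 2; }
        rows=$(cat "$table")
    else
        rows=$SAMPLE_EVENTS
    fi
    # Exact string match on the chosen field, skipping comment lines.
    match=$(printf '%s\n' "$rows" | awk -F: -v f="$field" -v s="$sel" \
        '!/^#/ && ($f "") == (s "") { print $1 ":" $2; exit }')
    [ -n "$match" ] || { echo "unknown audit event: $sel" >&2; return 1; }
    printf '%s\n' "$match"
}

# Typical use on an audited host (not executed here):
#   check_event_selector AUE_LOGIN /etc/security/audit_event &&
#       auditreduce -m AUE_LOGIN | praudit
```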