The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to link together successive audit files into one audit trail. The fields are:
A token ID
A time and date stamp that identifies the time the file was created or closed
A byte count of the file name including a null terminator (does not show)
The file null-terminated name
The following figure shows the token format.
A file token is displayed by praudit as follows:
file,Fri Jan 23 13:32:42 1997, + 792 msec, /etc/security/audit/patchwork/files/19920901202558.19920901203241.patchwork