file Token

The file token is a special token generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old file as it is deactivated. The audit daemon builds a special audit record containing this token to link together successive audit files into one audit trail. The fields are:

A token ID
A time and date stamp that identifies the time the file was created or closed
A byte count of the file name including a null terminator (does not show)
The file null-terminated name

The following figure shows the token format.

Figure B–10 file Token Format

A file token is displayed by praudit as follows:

file,Fri Jan 23 13:32:42 1997, + 792 msec,
/etc/security/audit/patchwork/files/19920901202558.19920901203241.patchwork

Previous: exit Token
Next: groups Token (Obsolete)