Trusted Solaris Audit Administration

Reading an Audit Token

The following examples of a header token show the form that praudit produces by default. Examples of the raw (-r) and short (-s) options are also provided.

Every audit record begins with a header token. The header token gives information common to all audit records. When displayed by praudit in default format, a header token looks like the following example from ioctl():

header,240,1,ioctl(2),,Thurs Sept 7 16:11:44 2000, + 270 msec

The fields are:

Using praudit -s, the event description (ioctl(2) in the default praudit example above) is replaced with the event name (AUE_IOCTL), like this:


header,240,1,AUE_IOCTL,,Thurs Sept 7 16:11:44 2000, + 270 msec

Using praudit -r, all fields are displayed as numbers (which may be decimal, octal, or hex). In the following example, 20 is the header token ID and 158 is the event number for this event.


20,240,1,158,,699754304, + 270 msec

Note that praudit displays the time to millisecond resolution.
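
The following is an added example, not part of the original documentation or of Solaris itself: a small parser that normalizes the three header token forms shown above so that audit review tooling can compare records regardless of which praudit option produced them. The names HeaderToken and parse_header are hypothetical, the field names byte_count, version and modifier are assumed meanings for the second, third and fifth fields, and the lookup tables hold only the values that appear on this page.

```python
from dataclasses import dataclass

# Lookup tables limited to the values shown on this page (constructed for the
# example); real tooling would load the system's full token and event tables.
TOKEN_IDS = {"20": "header"}
EVENTS = {"158": "AUE_IOCTL", "ioctl(2)": "AUE_IOCTL", "AUE_IOCTL": "AUE_IOCTL"}


@dataclass
class HeaderToken:
    form: str        # which praudit output form was parsed: default, short, raw
    byte_count: int  # assumed meaning of the second field
    version: int     # assumed meaning of the third field
    event: str       # event normalized to its AUE_ name
    modifier: str    # assumed meaning of the fifth field (empty in the examples)
    time: str        # time field kept verbatim (text or raw number)
    msec: int        # millisecond part of the timestamp


def parse_header(line: str) -> HeaderToken:
    """Parse one praudit header token line in default, -s or -r form."""
    fields = [f.strip() for f in line.strip().split(",")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 comma-separated fields, got {len(fields)}")
    token, count, version, event, modifier, when, frac = fields

    # Raw output starts with a numeric token ID; short output names the event
    # AUE_*; anything else is treated as the default event description.
    if token.isdigit():
        form, token = "raw", TOKEN_IDS.get(token, token)
    elif event.startswith("AUE_"):
        form = "short"
    else:
        form = "default"
    if token != "header":
        raise ValueError(f"not a header token: {token!r}")
    if event not in EVENTS:
        raise ValueError(f"event not in lookup table: {event!r}")

    # The last field has the shape "+ 270 msec".
    parts = frac.split()
    if len(parts) != 3 or parts[0] != "+" or parts[2] != "msec" or not parts[1].isdigit():
        raise ValueError(f"unexpected millisecond field: {frac!r}")

    # Decimal only; raw fields printed in octal or hex would need extra handling.
    return HeaderToken(form, int(count), int(version), EVENTS[event],
                       modifier, when, int(parts[1]))
```

Truncated or damaged lines raise ValueError instead of yielding a partly filled record.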