To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The auditrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.
Put the format of all audit event records in an HTML file.
The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.
% auditrecord -a -h > audit.events.html
When you display the HTML file in a browser, use the browser's Find tool to locate specific records.
For more information, see the auditrecord(1M) man page.
In this example, the format of all audit records that are generated by the login program is displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.
% auditrecord -p login
terminal login
  program     /usr/sbin/login      See login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
     header
     subject
     text                          error message or "successful login"
     return
login: logout
  program     various              See login(1)
  event ID    6153                 AUE_logout
  …
newgrp
  program     newgrp               See newgrp login
  event ID    6212                 AUE_newgrp_login
  …
rlogin
  program     /usr/sbin/login      See login(1) - rlogin
  event ID    6155                 AUE_rlogin
  …
SMC: role login
  program     SMC server           See role login
  event ID    6173                 AUE_role_login
  …
/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd    See login - ssh
  event ID    6172                 AUE_ssh
  …
telnet login
  program     /usr/sbin/login      See login(1) - telnet
  event ID    6154                 AUE_telnet
  …
In this example, the format of all audit records in the fd class is displayed.
% auditrecord -c fd
rmdir
  system call rmdir                See rmdir(2)
  event ID    48                   AUE_RMDIR
  class       fd                   (0x00000020)
     header
     path
     [attribute]
     subject
     [use_of_privilege]
     return
unlink
  system call unlink               See unlink(2)
  event ID    6                    AUE_UNLINK
  …
unlinkat
  system call unlinkat             See openat(2)
  event ID    286                  AUE_UNLINKAT
  …
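The page opens by saying that scripts which search audit data need the token order of each event; the auditrecord listings above are where that order comes from. The following is an added example, not part of the Solaris documentation or the auditrecord tool itself: a small POSIX shell script that parses the text layout auditrecord prints (record name at column 0, program/system call, event ID and class lines indented, then the tokens one per line) and recovers the event ID and token sequence for a named event, plus all event IDs in the listed class. The sample output it parses is constructed to mirror the fd-class listing on this page; the function sample_auditrecord_output is a stand-in that on a real Solaris host would be replaced by running auditrecord -c fd directly.

```shell
#!/bin/sh
# Added example: parse auditrecord text output (not Solaris code).
# sample_auditrecord_output is a constructed stand-in for `auditrecord -c fd`,
# laid out the same way auditrecord prints its records.
sample_auditrecord_output() {
cat <<'EOF'
rmdir
  system call rmdir                See rmdir(2)
  event ID    48                   AUE_RMDIR
  class       fd                   (0x00000020)
     header
     path
     [attribute]
     subject
     [use_of_privilege]
     return
unlink
  system call unlink               See unlink(2)
  event ID    6                    AUE_UNLINK
  class       fd                   (0x00000020)
     header
     path
     [attribute]
     subject
     [use_of_privilege]
     return
EOF
}

# event_id AUE_NAME: print the numeric event ID of the named audit event.
# The "event ID" line has the fields: event ID <number> <AUE_name>.
event_id() {
    sample_auditrecord_output | awk -v want="$1" '
        $1 == "event" && $2 == "ID" && $4 == want { print $3; exit }'
}

# token_order AUE_NAME: print the record's tokens, in order, on one line.
# Token lines are the deeper-indented (5-space) lines that follow the
# "event ID" line; bracketed names such as [attribute] are optional tokens
# and are kept as written so a script can see they may be absent.
token_order() {
    sample_auditrecord_output | awk -v want="$1" '
        $1 == "event" && $2 == "ID" { inrec = ($4 == want); next }
        inrec && /^     / { toks = toks (toks ? " " : "") $1; next }
        /^[^ ]/ { inrec = 0 }
        END { print toks }'
}

# class_event_ids: print every event ID in the listing, space separated.
# With real auditrecord -c output this is the set of event numbers a
# script would match when looking for records of that class.
class_event_ids() {
    sample_auditrecord_output | awk '
        $1 == "event" && $2 == "ID" { ids = ids (ids ? " " : "") $3 }
        END { print ids }'
}

# Demonstration when run as a script.
echo "AUE_UNLINK event ID: $(event_id AUE_UNLINK)"
echo "AUE_RMDIR tokens:    $(token_order AUE_RMDIR)"
echo "fd class event IDs:  $(class_event_ids)"
```

Because the token sequence is what determines which field of a praudit line holds the path, the subject, or the return value, a script can feed the output of token_order into its field selection instead of hard-coding positions; the optional tokens shown in brackets are the ones that shift later fields when they are missing.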