The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.
The header token has eight fields:
A token ID field that identifies this token as a header token
A byte count of the total length of the audit record, including both the header and the trailer tokens
A version number that identifies the version of the audit record structure
The audit event ID that identifies the audit event that the record represents
The ID modifier that identifies special characteristics of the audit event
The ID modifier field has the following flags defined:
0x4000    PAD_NOTATTR    nonattributable event
0x8000    PAD_FAILURE    failed audit event
The address type, either IPv4 or IPv6
The machine's address
The time and date that the record was created
On 64-bit systems, the header token is displayed with a 64-bit timestamp, in place of the 32-bit timestamp.
The praudit command displays the header token as follows:
header,69,2,su,,machine1,2009-04-08 13:11:58.209 -07:00
The praudit -x command displays the fields of the header token at the beginning of the audit record. The line is wrapped for display purposes.
<record version="2" event="su" host="machine1" iso8601="2009-04-08 13:11:58.209 -07:00">
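As an added example (not from the Solaris documentation), a small Python parser for the two praudit forms above and a decoder for the ID modifier flags. It assumes the text line's fields follow the order listed on this page (token name, byte count, version, event, ID modifier, host, time) and that a `modifier` attribute, if praudit -x prints one, carries the modifier text.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# ID modifier flags defined for the header token (values from the page).
PAD_NOTATTR = 0x4000  # nonattributable event
PAD_FAILURE = 0x8000  # failed audit event
FLAG_NAMES = {PAD_NOTATTR: "PAD_NOTATTR", PAD_FAILURE: "PAD_FAILURE"}
# praudit prints "YYYY-MM-DD HH:MM:SS.mmm +HH:MM"; %z accepts the colon.
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f %z"

@dataclass
class HeaderToken:
    version: int
    event: str
    host: str
    timestamp: datetime
    byte_count: int = 0  # total record length; not printed in the -x form
    modifier: str = ""   # empty when no modifier flag is set

def parse_text_header(line: str) -> HeaderToken:
    """Parse a praudit header line.  Assumed field order (matches the page's
    sample): name, byte count, version, event, ID modifier, host, time."""
    fields = line.strip().split(",")
    if len(fields) != 7 or fields[0] != "header":
        raise ValueError(f"not a header token line: {line!r}")
    _, count, version, event, modifier, host, stamp = fields
    return HeaderToken(int(version), event, host,
                       datetime.strptime(stamp, TIME_FMT),
                       byte_count=int(count), modifier=modifier)

def parse_xml_header(text: str) -> HeaderToken:
    """Parse the <record ...> element from praudit -x.  Only the opening tag
    is shown on the page, so a closing tag is appended when missing."""
    fragment = text.strip()
    if not fragment.endswith("</record>"):
        fragment += "</record>"
    elem = ET.fromstring(fragment)
    return HeaderToken(int(elem.get("version")), elem.get("event"),
                       elem.get("host"),
                       datetime.strptime(elem.get("iso8601"), TIME_FMT),
                       modifier=elem.get("modifier", ""))

def decode_modifier(value: int) -> list:
    """Map a raw ID modifier value to flag names, flagging undocumented bits."""
    names = [name for bit, name in FLAG_NAMES.items() if value & bit]
    unknown = value & ~(PAD_NOTATTR | PAD_FAILURE) & 0xFFFF
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:04x})")
    return names
```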