Every audit record begins with a header token. The header token gives information common to all audit records. The fields are:
A token ID
The record length in bytes, including the header and trailer tokens
An audit record structure version number
An event ID identifying the type of audit event
An event ID modifier with descriptive information about the event type
The time and date the record was created
When displayed by praudit in default format, a header token looks like the following example from ioctl:
header,240,1,ioctl(2),es,Tue Sept 1 16:11:44 1992, + 270000 msec |
Using praudit -s, the event description (ioctl(2) in the default praudit example above) is replaced with the event name (AUE_IOCTL), like this:
header,240,1,AUE_IOCTL,es,Tue Sept 1 16:11:44 1992, + 270000 msec |
Using praudit -r, all fields are displayed as numbers (which may be decimal, octal, or hex); here 158 is the event number for ioctl(2).
20,240,1,158,0003,699754304, + 270000 msec |
Note that praudit displays the time to millisecond resolution.
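As an added example (not part of the original documentation), the following Python parses the binary header token whose fields are listed above and renders it the way praudit -r does. The byte layout assumed here (1-byte token ID, 4-byte record length, 1-byte version, 2-byte event ID, 2-byte event modifier, 4-byte seconds, 4-byte milliseconds, all big-endian) is the standard BSM header32 layout, which the page does not spell out; the sample record is constructed from the values in the praudit -r line.

```python
import struct
from datetime import datetime, timezone

# Assumed BSM header32 layout (standard BSM format; not stated on the page):
#   token ID (1) | record length (4) | version (1) | event ID (2)
#   | event modifier (2) | seconds (4) | milliseconds (4), all big-endian
HEADER_FMT = ">BIBHHII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 18 bytes
AUT_HEADER32 = 20                          # the token ID praudit -r prints as 20

def parse_header(record: bytes) -> dict:
    """Parse the header token at the start of one audit record.

    The record length is validated before it is trusted, so a truncated or
    malformed record cannot make a consumer read past the buffer it holds.
    """
    if len(record) < HEADER_LEN:
        raise ValueError("record shorter than a header32 token")
    tok, length, version, event, modifier, secs, msec = struct.unpack_from(HEADER_FMT, record)
    if tok != AUT_HEADER32:
        raise ValueError(f"expected header token ID {AUT_HEADER32}, got {tok}")
    if length < HEADER_LEN or length > len(record):
        raise ValueError(f"record length {length} inconsistent with {len(record)} bytes available")
    return {
        "token_id": tok, "length": length, "version": version,
        "event": event, "modifier": modifier,
        "seconds": secs, "msec": msec,
        "time": datetime.fromtimestamp(secs, tz=timezone.utc),
    }

def format_raw(h: dict) -> str:
    """Render a parsed header in the praudit -r style shown above."""
    return (f"{h['token_id']},{h['length']},{h['version']},{h['event']},"
            f"{h['modifier']:04d},{h['seconds']}, + {h['msec']} msec")

# Constructed sample: the header from the praudit -r output above, padded with
# zero bytes standing in for the remainder of the 240-byte record.
SAMPLE_RECORD = (struct.pack(HEADER_FMT, 20, 240, 1, 158, 3, 699754304, 270000)
                 + b"\0" * (240 - HEADER_LEN))

if __name__ == "__main__":
    print(format_raw(parse_header(SAMPLE_RECORD)))
```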