System Administration Guide: Security Services

How to Change Audit Events

Audit event definitions are stored in the /etc/security/audit_event file. A record is generated only after the event definition has been created and a user-level action generates the event.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_event file.


    # cp /etc/security/audit_event /etc/security/audit_event.save
    
  3. Add new entries to the audit_event file.

    Each entry has the following format:

    number:name:description:classes
    

    number

    Defines a unique audit event number, which must start after 32768. 

    name

    Defines the unique audit event name. 

    description

    Describes the audit event. Often includes the name of the man page for the audit event.

    classes

    Selects the audit classes that include this event. 

  4. Make the new data available to the BSM service.

    To use the new data, either reboot the system, or type the following command:


    # auditconfig -conf
    

Example — Adding a New Audit Event

This example shows an entry that defines a new audit event for a local application.


# grep localapp /etc/security/audit_event
32769:aue_localapp:localapp(1):ap
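
The rules in step 3 can be checked before candidate entries are appended to the file. The script below is an added example, not part of the original guide. The function names `check_new_audit_events` and `demo_check` are hypothetical, the sample entries are constructed, and treating lines that begin with `#` as comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the guide: vet candidate entries before appending
# them to /etc/security/audit_event.
# usage: check_new_audit_events EXISTING_FILE NEW_ENTRIES_FILE
# Prints one line per problem and returns 1 if any entry fails, else 0.
check_new_audit_events() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # assumption: "#" comments, blank lines
        FILENAME == ARGV[1] {              # existing file: remember what is taken
            num[$1] = 1; name[$2] = 1; next
        }
        {
            at = FILENAME ":" FNR ": "
            if (NF != 4) {
                print at "need number:name:description:classes, got " NF " fields"
                bad = 1; next
            }
            if ($1 !~ /^[0-9]+$/ || $1 + 0 <= 32768) {
                print at "event number must be an integer after 32768: " $1; bad = 1
            } else if ($1 in num) {
                print at "event number already in use: " $1; bad = 1
            }
            if ($2 == "") {
                print at "empty event name"; bad = 1
            } else if ($2 in name) {
                print at "event name already in use: " $2; bad = 1
            }
            if ($4 == "") { print at "no audit class listed"; bad = 1 }
            num[$1] = 1; name[$2] = 1      # also catch duplicates in the new file
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data: one existing local entry and four candidates.
demo_check() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# local events' '32769:aue_localapp:localapp(1):ap' > "$dir/audit_event"
    printf '%s\n' '32770:aue_localdb:localdb(1):ap' '32769:aue_other:other(1):ap' \
        '2048:aue_low:low(1):ap' '32771:aue_localapp:dup name:ap' > "$dir/new_entries"
    check_new_audit_events "$dir/audit_event" "$dir/new_entries"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_check || :   # prints three problems for the constructed candidates
```

Append the candidate entries only when the check returns 0, then make them available as described in step 4.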