The file token is a special token that is generated by the audit daemon to mark the beginning of a new audit trail file and the end of an old audit trail file as it is deactivated. The audit daemon builds a special audit record that contains this token to “link” together successive audit files into one audit trail. The file token has four fields:
a token ID that identifies this token as a file token
a time and date stamp that identifies the time that the file was created or closed
a byte count of the file name that includes a null terminator
a field that holds the file null-terminated name
The praudit command displays the file token as follows:
file,Tue Sep 1 13:32:42 1992, + 79249 msec, /var/audit/localhost/files/19990901202558.19990901203241.quisp |
The following figure shows the format of a file token.