This example shows an entry that causes audit records to be generated anytime the user sue accesses any programs in the login class (lo).
# grep sue /etc/security/audit_user sue:lo: