Audit event definitions are stored in the /etc/security/audit_event file.
Become superuser or assume an equivalent role.
(Optional) Save a backup copy of the audit_event file.
# cp /etc/security/audit_event /etc/security/audit_event.save
Add new entries to the audit_event file.
Each entry has the following format:
number:name:description:classes
number
    Defines a unique audit event number, which must start after 32767.
name
    Defines the unique audit event name.
description
    Describes the audit event. Often includes the name of the man page for the audit event.
classes
    Selects the audit classes that include this event.
Make the new data available to the auditing daemon.
To use the new data, either reboot the system, or type the following command:
# auditconfig -conf
This example shows an entry that defines a new audit event for a local application.
# grep localapp /etc/security/audit_event
32768:AUE_localapp:localapp(1):ta
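The following added example, which is not part of the original procedure, checks a candidate entry against the rules above (four fields, a number after 32767, a unique number and name) before it is appended to the file. The function name check_audit_event_entry, the AUE_otherapp entry and the sample file are constructed for illustration.

```shell
#!/bin/sh
# check_audit_event_entry is a hypothetical helper, not a Solaris command.
# Usage: check_audit_event_entry FILE 'number:name:description:classes'
# Returns 0 if the entry is acceptable, 1 otherwise (reason on stderr).
check_audit_event_entry() {
    file=$1
    entry=$2

    # The entry must have exactly four colon-separated fields.
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 4 ]; then
        echo "expected number:name:description:classes" >&2; return 1
    fi
    num=$(printf '%s\n' "$entry" | cut -d: -f1)
    name=$(printf '%s\n' "$entry" | cut -d: -f2)
    classes=$(printf '%s\n' "$entry" | cut -d: -f4)

    # The event number must be all digits and must start after 32767.
    case $num in
        ''|*[!0-9]*) echo "event number is not numeric: $num" >&2; return 1 ;;
    esac
    if [ "$num" -le 32767 ]; then
        echo "event number must be after 32767: $num" >&2; return 1
    fi
    if [ -z "$name" ] || [ -z "$classes" ]; then
        echo "name and classes must not be empty" >&2; return 1
    fi

    # Number and name must both be unique among the non-comment lines.
    if awk -F: -v n="$num" -v e="$name" \
        '!/^#/ && ($1 == n || $2 == e) { found = 1 } END { exit !found }' "$file"
    then
        echo "number or name already defined in $file" >&2; return 1
    fi
    return 0
}

# Constructed sample file standing in for /etc/security/audit_event.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '32768:AUE_localapp:localapp(1):ta' > "$sample"
check_audit_event_entry "$sample" '32769:AUE_otherapp:otherapp(1):ta' && echo "entry ok"
rm -f "$sample"
```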