The bsmrecord command displays the audit id, audit class, selection mask, and record format of an audit event. The command operates on records in the audit_class and audit_event files.
The -a option in the following command lists all audit event record formats. The -h option puts the list in HTML format. The resulting file can be displayed in a browser.
Use the bsmrecord command to put the format of all audit event records in an HTML file.
% bsmrecord -a -h > audit.events.html |
You can display the *html file in a browser. Use the browser's Find tool to find specific records.
See the bsmrecord(1M) man page for more information.
In this example, the format of all audit records that are generated by the login program are displayed.
% bsmrecord -p login terminal login program /usr/sbin/login see login(1) event ID 6152 AUE_login class lo (0x00001000) header subject text error message or "successful login" return login: logout program /usr/sbin/login see login(1) event ID 6153 AUE_logout class lo (0x00001000) header subject text "logout" username return rlogin program /usr/sbin/login see login(1) - rlogin event ID 6155 AUE_rlogin class lo (0x00001000) header subject text success/fail message return telnet login program /usr/sbin/login see login(1) - telnet event ID 6154 AUE_telnet class lo (0x00001000) header subject text success/fail message return |
In this example, the format of all audit records in the fd class are displayed.
% bsmrecord -c fd ftruncate Not used. truncate Not used. unlink system call unlink see unlink(2) event ID 6 AUE_UNLINK class fd (0x00000020) header path [attribute] subject return |