Managing Auditing in Oracle® Solaris 11.2

Updated: July 2014

header Token

The header token is special in that it marks the beginning of an audit record. The header token combines with the trailer token to bracket all the other tokens in the record.

Infrequently, a header token can include one or more event modifiers:

  • fe indicates a failed audit event

  • fp indicates the failed use of privilege

  • na indicates a non-attributable event

    header,52,2,system booted,na,mach1,2011-10-10 10:10:20.564 -07:00

  • rd indicates that data is read from the object

  • sp indicates the successful use of privilege

    header,120,2,exit(2),sp,mach1,2011-10-10 10:10:10.853 -07:00

  • wr indicates that data is written to the object

The praudit command displays the header token as follows:

header,756,2,execve(2),,machine1,2010-10-10 12:11:10.209 -07:00

The praudit -x command displays the fields of the header token at the beginning of the audit record. The line in the following example is wrapped for display purposes.

<record version="2" event="execve(2)" host="machine1"
iso8601="2010-10-10 12:11:10.209 -07:00">
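For triage of praudit's default (comma-separated) output, the header line shown above can be parsed and filtered on the fe and fp modifiers. The following is an added example, not code from the Oracle documentation; the names parse_header, failures and SAMPLE are hypothetical, the second field is treated as the record byte count, and multiple modifiers in one field are assumed to be colon-separated.

```python
from dataclasses import dataclass

# Modifier meanings as listed on this page.
MODIFIERS = {
    "fe": "failed audit event",
    "fp": "failed use of privilege",
    "na": "non-attributable event",
    "rd": "data is read from the object",
    "sp": "successful use of privilege",
    "wr": "data is written to the object",
}

@dataclass
class Header:
    length: int        # record byte count
    version: int
    event: str
    modifiers: list
    host: str
    timestamp: str

def parse_header(line):
    """Parse one praudit header line; return None if it is not a header token."""
    parts = line.strip().split(",")
    if len(parts) < 7 or parts[0] != "header":
        return None
    # Take the fixed fields from both ends so that an event description
    # containing a comma stays intact.
    mod_field, host, timestamp = parts[-3:]
    event = ",".join(parts[3:-3])
    # Assumption: several modifiers in one field are colon-separated.
    mods = [m for m in mod_field.split(":") if m]
    unknown = [m for m in mods if m not in MODIFIERS]
    if unknown:
        raise ValueError(f"unknown event modifier(s): {unknown}")
    return Header(int(parts[1]), int(parts[2]), event, mods, host, timestamp)

def failures(lines):
    """Return headers marked as a failed event (fe) or failed privilege use (fp)."""
    parsed = (parse_header(line) for line in lines)
    return [h for h in parsed if h and {"fe", "fp"} & set(h.modifiers)]

# The three header lines from this page, plus one constructed line (last).
SAMPLE = [
    "header,756,2,execve(2),,machine1,2010-10-10 12:11:10.209 -07:00",
    "header,52,2,system booted,na,mach1,2011-10-10 10:10:20.564 -07:00",
    "header,120,2,exit(2),sp,mach1,2011-10-10 10:10:10.853 -07:00",
    "header,88,2,open(2) - read,fp:fe,mach1,2011-10-10 10:10:30.100 -07:00",
]
```

Non-header lines return None, so the whole praudit output can be passed to failures() without filtering first.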