Audit record analysis involves post-selecting records from the audit trail. You can use one of two approaches to parsing the binary data that was collected.
You can use the praudit command. Options to the command provide different text output. For example, the praudit -x command provides XML for input into scripts and browsers. praudit output does not include fields whose sole purpose is to help to parse the binary data. Note that the order and format of praudit output is not guaranteed between Oracle Solaris releases.
For examples of praudit output, see Viewing the Contents of Binary Audit Files.
For examples of praudit output for each audit token, see the individual tokens in Audit Token Formats.
You can write a program to parse the binary data stream. The program must take into account the variants of an audit record. For example, the ioctl() system call creates an audit record for “Bad file name.” This record contains different tokens from the ioctl() audit record for “Invalid file descriptor.”
For a description of the order of binary data in each audit token, see the audit.log(4) man page.
For manifest values, see the /usr/include/bsm/audit.h file.
To view the order of tokens in an audit record, use the auditrecord command. Output from the auditrecord command includes the different tokens for different manifest values. Square brackets ([]) indicate that an audit token is optional. For more information, see the auditrecord(1M) man page.