The audit service has a default configuration and is immediately operational on the global zone after you install Oracle Solaris 11.2. No additional action is required to enable or configure the service to become usable. With its default configuration, the audit service records the following operations:
Login and logout operations
Use of the su command
Screen lock and screen unlock operations
Because the service's default configuration has no performance impact on the system, disabling the service on performance grounds is not required.
Provided that you have the appropriate audit-related rights, such as those in the Audit Review Rights profile, you can review the audit logs. The logs are stored in /var/audit/hostname. You view these files by using the praudit and auditreduce commands. For more information, see Displaying Audit Trail Data.
The subsequent sections in this chapter provide instructions for customizing the audit service configuration, if the default configuration is insufficient for your needs.