Audit Record Structure
An audit record is a sequence of audit tokens. Each audit token contains event information such as user ID, time, and date. A header token begins an audit record, and an optional trailer token concludes the record. Other audit tokens contain information relevant to the audit event. The following figure shows a typical kernel audit record and a typical user-level audit record.
Figure 3 Typical Audit Record Structures
Audit Record Analysis
Audit record analysis involves post-selecting records from the audit trail. You can use one of two approaches to parsing the binary data that was collected.
-
You can use the praudit command. Options to the command provide different text output. For example, the praudit command provides XML for input into scripts and browsers. praudit output does not include fields whose sole purpose is to help to parse the binary data. Note that the order and format of praudit output is not guaranteed between Oracle Solaris releases.
For examples of praudit output, see Viewing the Contents of Binary Audit Files.
For examples of praudit output for each audit token, see the individual tokens in Audit Token Formats.
-
You can write a program to parse the binary data stream. The program must take into account the variants of an audit record. For example, the ioctl() system call creates an audit record for "Bad file name". This record contains different tokens from the ioctl() audit record for "Invalid file descriptor".
-
For a description of the order of binary data in each audit token, see the audit.log(5) man page.
-
For manifest values, see the /usr/include/bsm/audit.h file.
-
To view the order of tokens in an audit record, use the auditrecord command. Output from the auditrecord command includes the different tokens for different manifest values. Square brackets ([]) indicate that an audit token is optional. For more information, see the auditrecord(8) man page.
-