In the Oracle Solaris 11.4 release, administrators have more flexibility in how and where their audit data is recorded. Administrators can now specify which system-wide audit classes are written to each configured audit plugin. This feature was already available for some plugins; all plugins now have this option.
Administrators can filter out unwanted events from the configured system-wide defaults on a per-plugin basis by using the p_flags option to the auditconfig -setplugin command.
For example, the following command sends only lo events to syslog:
$ auditconfig -setplugin audit_syslog p_flags=lo
In addition, the Audit Remote Server (ARS) now supports specifying a set of audit flags on a per-connection group basis. By using the p_flags option to the auditconfig -setremote command, administrators can specify which audit classes are audited for each connection group.
For example, the following command specifies only the audit events from the lo and ex audit classes for the connection group foo:
$ auditconfig -setremote group foo p_flags=lo,ex
For more information, see the auditconfig(8) man page.