Auditing generates audit records when specified events occur. Most commonly, events that generate audit records include the following:
System startup and system shutdown
Login and logout
Process creation or process destruction, or thread creation or thread destruction
Opening, closing, creating, destroying, or renaming of objects
Use of rights
Identification actions and authentication actions
Permission changes by a process or user
Administrative actions, such as installing a package
Site-specific applications
Audit records are generated from three sources:
By an application
As a result of an asynchronous audit event
As a result of a process system call
After the relevant event information has been captured, the information is formatted into an audit record. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information. This record is then placed in an audit queue and sent to the active plugins for storage. At least one plugin must be active or the remote audit server must be configured, although all plugins can be active. Plugins are described in How Is Auditing Configured? and Audit Plugin Modules.