During system configuration, you preselect which classes of audit records to monitor. You can also fine-tune the degree of auditing that is done for individual users. The following figure shows details of the flow of auditing in Oracle Solaris.
Figure 1 Flow of Auditing
The audit_binfile plugin places binary audit records in /var/audit. By default, the audit_binfile plugin is active. Post-selection tools enable you to examine interesting parts of the audit trail.
The audit_remote plugin sends binary audit records across a protected link to an audit remote server.
The audit_syslog plugin sends text summaries of audit records to the syslog utility.
Systems that install non-global zones can audit all zones identically from the global zone. These systems can also be configured to collect different records in the non-global zones. For more information, see Auditing on a System With Oracle Solaris Zones.