Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022



audit - control the behavior of the audit service


audit -n | -s | -t | -v


The audit command is the system administrator's interface to start, terminate, and refresh the audit service, auditd(8). Refreshing the audit service rereads the service and plugin configuration.



Notify the audit service audit_binfile(7) plugin to close the current audit file and open a new audit file in the current audit directory.

audit_remote(7) is notified to close the current open connection which inherently means that the audit remote server will close the related audit file. audit_remote(7) attempts to establish a new connection with the same host, thus open a new audit file.


Start (enable) the audit service if it is not running, or refresh the audit service, if it is currently running.


Terminate (disable) the audit service. The audit service will close out the active plugins, stop auditing and exit. Use –s to restart auditing.


Verify that at least one plugin is active or audit remote server is enabled. Verify attributes of plugins and audit remote server ars(7) configuration.


The audit command will exit with 0 upon success and a positive integer upon failure.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

ars(7), attributes(7), audit_binfile(7), auditconfig(8), auditd(8)

Managing Auditing in Oracle Solaris 11.4


The audit command does not modify a process's preselection mask. Its functions are limited to performing control actions of the auditing subsystem. See auditconfig(8) for configuration.

The –s option validates the audit plugin configuration. If it is not valid an error message is displayed and the audit service is not started or refreshed. The –v option may be used to validate the audit plugin configuration before using the –s option to start or refresh the audit service.

The –s option also checks state of the audit service. In case the audit service is found in the maintenance state (thus not able to be enabled or refreshed) the audit command returns with an appropriate message and exit code.

The audit command is available to administrators who have the Audit Control Rights Profile.

All options are valid in the global zone. In a non-global zone, if perzone policy is disabled and the audit remote server is not enabled, only the –v option is valid. See auditconfig(8) for per-zone audit configuration.


The –v option was added in Solaris 10 3/05.

The audit command was added in Solaris 2.3.