AUDIT_EVENT(4)                                                  AUDIT_EVENT(4)

NAME
audit_event - audit event definition and class mapping

/etc/security/audit_event is a user-configurable ASCII system file that
stores event definitions used in the audit system. As part of this
definition, each event is mapped to one or more of the audit classes
defined in audit_class(4). See audit_control(4) and audit_user(4) for
information about changing the preselection of audit classes in the
audit system. Programs can use the getauevent(3BSM) routines to access
audit event information.
The fields for each event entry are separated by colons. Each event is
separated from the next by a NEWLINE. Each entry in the audit_event file
has the form:
The fields are defined as follows:
Event number ranges are assigned as follows:
Reserved as an invalid event number.
Reserved for the Solaris Kernel events.
Reserved for the Solaris TCB programs.
Available for third party TCB applica‐
System administrators must not add,
delete, or modify (except to change the
class mapping), events with an event number
less than 32768. These events are
reserved by the system.
Flags specifying classes to which the event is mapped.
Classes are comma separated, without spaces.
Obsolete events are commonly assigned to the special
class no (invalid) to indicate they are no longer generated.
Obsolete events are retained to process old audit
trail files. Other events which are not obsolete may
also be assigned to the no class.
Example 1 Using the audit_event File
The following is an example of some audit_event file entries:
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
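
A baseline check built on the rules above, as an added example that is not part of the original manual page: it parses the four colon-separated fields, enforces the flag syntax, and compares a current copy of the file with a known-good one, treating anything other than a class-mapping change on an event numbered below 32768 as a violation. The `#` comment handling, the severity labels, and the CURRENT sample (including event 40000) are assumptions constructed for illustration.

```python
import re

RESERVED_BELOW = 32768  # page: events numbered below this are reserved by the system
FLAGS_RE = re.compile(r"[^,\s]+(,[^,\s]+)*")  # classes: comma separated, no spaces

def parse_audit_event(text):
    """Parse file text into {number: (name, description, frozenset_of_classes)}."""
    events = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        parts = line.split(":")
        if len(parts) != 4 or not parts[0].isdecimal():
            raise ValueError(f"line {lineno}: expected 4 fields, numeric first field")
        if not FLAGS_RE.fullmatch(parts[3]):
            raise ValueError(f"line {lineno}: flags must be comma separated, no spaces")
        events[int(parts[0])] = (parts[1], parts[2], frozenset(parts[3].split(",")))
    return events

def review_changes(baseline, current):
    """Diff two parsed files; return (severity, event_number, message) tuples."""
    findings = []
    for num in sorted(set(baseline) | set(current)):
        old, new = baseline.get(num), current.get(num)
        if old == new:
            continue
        # Only the class mapping may change on reserved events.
        severity = "violation" if num < RESERVED_BELOW else "info"
        if old is None or new is None:
            findings.append((severity, num, "event added" if old is None else "event deleted"))
            continue
        if old[:2] != new[:2]:
            findings.append((severity, num, "name or description modified"))
        if old[2] != new[2]:
            change = f"{','.join(sorted(old[2]))} -> {','.join(sorted(new[2]))}"
            findings.append(("review", num, "class mapping changed: " + change))
    return findings

# Known-good copy: the four entries shown in Example 1.
BASELINE = ("79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw\n"
            "6152:AUE_login:login - local:lo\n"
            "6154:AUE_telnet:login - telnet:lo\n"
            "6155:AUE_rlogin:login - rlogin:lo\n")
# Constructed current copy: 6154 remapped to no, 6155 deleted, event 40000 added.
CURRENT = ("79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw\n"
           "6152:AUE_login:login - local:lo\n"
           "6154:AUE_telnet:login - telnet:no\n"
           "40000:AUE_example_app:example application event:lo\n")

if __name__ == "__main__":
    for finding in review_changes(parse_audit_event(BASELINE), parse_audit_event(CURRENT)):
        print(*finding)
```

Class-mapping changes are reported for review rather than as violations because the page permits them, even on reserved events.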
See attributes(5) for descriptions of the following attributes:
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
│Interface Stability │ See below. │
The file format stability is Committed. The file content is Uncommit‐
SEE ALSO
bsmconv(1M), getauevent(3BSM), audit_class(4), audit_control(4),
Part VII, Solaris Auditing, in System Administration Guide: Security
This functionality is available only if Solaris Auditing has been
enabled. See bsmconv(1M) for more information.
Jun 26, 2008 AUDIT_EVENT(4)