event class file - The file that contains the declaration of an event
Audit events can be logically grouped into event classes. Event
classes are defined in event class files. An event class file contains
an event class number and a list of event numbers corresponding to
All event class files must be created in the dcelocal/etc/audit/ec
The name of the event class file becomes the name of the event class.
The recommended naming convention for event class files is:
where class is a descriptive text that characterizes the event class.
Event class files must be write-protected by the local operating system
(that is, only administrators should have write access to these files).
Audit clients read these files to maintain an event table in their
Optionally, an event class file can contain a SEP line. This line contains
a list of prefixes of the event numbers in the file. The SEP
line speeds up the scanning performed by the Audit clients. Audit
clients which do not have events with one of the prefixes listed will
not scan the event list. If the SEP line is not provided in the file,
Audit clients will have to read the entire file to find out if the
event class file contains any of their events.
Empty lines are ignored in the event class file.
Comments are designated by the number sign (#) placed before the com‐
The Event Class File Format
The format of an event class file is:

    ECN=event_class_number
    SEP=prefix_1 prefix_2 ...
    # comments start with the number sign
    event_num‐
Following is an example of an event class file for the event class
ec_local_authentication:

    ECN = 0x00000001
    SEP = 0x100
    # AS_Request
    0x00000100
    # TGS_TicketReq
    0x00000101
    # TGS_RenewReq
    0x00000102
    #
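
The following is an added example, not part of the original manual page or of DCE itself: a small Python checker that parses an event class file as described above and tests whether the file is write-protected. It assumes POSIX permission bits with the file owned by the administrator; the function names and the sample text are constructed for illustration.

```python
import os
import stat

# Constructed sample modelled on the ec_local_authentication example above;
# the last two lines are deliberately faulty.
SAMPLE = """\
ECN = 0x00000001
SEP = 0x100

# AS_Request
0x00000100
# TGS_TicketReq
0x00000101
0x00000101
0x0000010G
"""

def parse_event_class(text):
    """Return (ecn, sep_prefixes, event_numbers, findings) for file text."""
    ecn, sep, events, findings = None, [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # strip comments
        if not line:                            # empty lines are ignored
            continue
        key, eq, value = line.partition("=")
        try:
            if eq and key.strip() == "ECN":
                ecn = int(value, 16)
            elif eq and key.strip() == "SEP":
                # Prefixes are only collected; the page does not spell out
                # the matching rule, so none is applied here.
                sep = [int(p, 16) for p in value.split()]
            else:
                number = int(line, 16)
                if number in events:
                    findings.append(f"line {lineno}: duplicate event {number:#010x}")
                else:
                    events.append(number)
        except ValueError:
            findings.append(f"line {lineno}: not a hex number: {line!r}")
    if ecn is None:
        findings.append("no ECN line")
    return ecn, sep, events, findings

def writable_by_non_owner(path):
    """True if group or other may write: the file is not write-protected."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
```

Running `parse_event_class` over each file in the event class directory and `writable_by_non_owner` on its path gives a quick audit of both content and permissions.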