AUDIT.LOG(5) — FILE FORMATS
NAME
audit.log - the security audit trail file
SYNOPSIS
#include <sys/label.h>
#include <sys/audit.h>
#include <sys/user.h>
DESCRIPTION
The audit.log file begins with a header record consisting of an audit_header structure followed by the previous audit file name. When the audit daemon is started (usually only at boot time), the previous audit file name is NULL.
struct audit_header {
    int     ah_magic;     /* magic number */
    time_t  ah_time;      /* the time */
    short   ah_namelen;   /* length of file name */
};
typedef struct audit_header audit_header_t;
The file may end with a trailer record consisting of an audit_trailer structure followed by the name of the next audit file.
struct audit_trailer {
    short   at_record_size;   /* size of this */
    short   at_record_type;   /* its type, a trailer */
    time_t  at_time;          /* the time */
    short   at_namelen;       /* length of file name */
};
typedef struct audit_trailer audit_trailer_t;
The audit.log file contains audit records in their raw form. The records are of varying size depending on the record type. Each record has a header which is an audit_record structure.
struct audit_record {
    short    au_record_size;   /* size of this */
    short    au_record_type;   /* its type */
    time_t   au_time;          /* the time */
    short    au_uid;           /* real uid */
    short    au_auid;          /* audit uid */
    short    au_euid;          /* effective */
    short    au_gid;           /* real group */
    short    au_pid;           /* process id */
    int      au_errno;         /* error code */
    int      au_return;        /* a return value */
    blabel_t au_label;         /* also ... */
    short    au_param_count;   /* # of parameters */
};
typedef struct audit_record audit_record_t;
Immediately following the header is a list of two-byte integers; the number of entries in the list for a given record is given by the au_param_count field. These integers are the lengths of the additional data items. The additional data items follow the list of lengths, the first length describing the first data item, the second length the second item, and so on. Interpretation of this data is left to the program accessing it.
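An added example, not part of this manual page: a C checker for the record layout just described, which confirms that au_record_size, the au_param_count length list and each data item are mutually consistent before any data item is read, so a truncated or corrupted record cannot drive a reader past the end of the buffer. The blabel_t definition and the sample record are assumptions (a stand-in for <sys/label.h> and constructed contents), and native byte order and the compiler's struct layout are assumed, so this is not a portable reader of real SunOS 4.0 files.

```c
#include <string.h>
#include <time.h>

typedef struct { int l_bits[2]; } blabel_t;  /* assumed stand-in for <sys/label.h> */

struct audit_record {                         /* header layout from this page */
    short    au_record_size, au_record_type;
    time_t   au_time;
    short    au_uid, au_auid, au_euid, au_gid, au_pid;
    int      au_errno, au_return;
    blabel_t au_label;
    short    au_param_count;
};

/* Checks one record at buf[0..len): the header fits, au_record_size fits the
 * buffer, the length list fits the record, and every data item stays inside it.
 * Returns the record size, or 0 for a truncated or inconsistent record. */
size_t audit_record_check(const unsigned char *buf, size_t len)
{
    struct audit_record hdr; size_t need, i;
    if (len < sizeof hdr) return 0;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.au_record_size < 0 || (size_t)hdr.au_record_size > len) return 0;
    if (hdr.au_param_count < 0) return 0;
    need = sizeof hdr + 2 * (size_t)hdr.au_param_count;  /* header + length list */
    if (need > (size_t)hdr.au_record_size) return 0;
    for (i = 0; i < (size_t)hdr.au_param_count; i++) {
        short plen;
        memcpy(&plen, buf + sizeof hdr + 2 * i, sizeof plen);
        if (plen < 0 || (size_t)plen > (size_t)hdr.au_record_size - need) return 0;
        need += (size_t)plen;                             /* data item i lies inside */
    }
    return (size_t)hdr.au_record_size;
}

/* Builds a constructed sample record carrying two data items; returns its size. */
size_t audit_sample_record(unsigned char *out, size_t cap)
{
    static const char *const items[2] = { "sh", "/etc/motd" };  /* constructed */
    struct audit_record hdr;
    size_t n = sizeof hdr + 2 * 2, i, pos = sizeof hdr + 2 * 2;
    for (i = 0; i < 2; i++) n += strlen(items[i]);
    if (n > cap) return 0;
    memset(&hdr, 0, sizeof hdr);
    hdr.au_record_size = (short)n; hdr.au_param_count = 2;
    memcpy(out, &hdr, sizeof hdr);
    for (i = 0; i < 2; i++) {
        short plen = (short)strlen(items[i]);
        memcpy(out + sizeof hdr + 2 * i, &plen, sizeof plen);  /* length list entry */
        memcpy(out + pos, items[i], (size_t)plen); pos += (size_t)plen;  /* data item */
    }
    return n;
}
```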
SEE ALSO
audit(2), getauditfile(2), getuseraudit(2), audit(8), Security Features Guide
Sun Release 4.0 — Last change: 19 October 1987