The auditing subsystem generates the name of the log file. It is always a seven-digit number containing a date stamp and a sequence number. The first four digits indicate the month and day the log file was created, while the last three digits are the sequence number. Thus, the audit event log file /var/audit/0415477 is a log file created on April 15, with a sequence number of 477.
The administrator may append up to seven characters to the system generated log file name. The additional characters are called the node name. The node name is set by the AUDIT_NODE parameter in the /etc/default/audit file. In the distributed system, there is no default value assigned to the AUDIT_NODE parameter.
You may also use the -p option of the auditlog(1M) command to specify a node name. This option takes a character string as an argument and appends that string (the node name) to the audit event log file name. Appending a character string to the log file name is useful if you have several machines in a network, because it lets you identify the machines on which the logs were created.
If you have more than one machine generating audit event log files, it is recommended that you add the machine name or an abbreviation of it to the log file name.
For example, assume that you have three machines called
Then, the command
auditlog -p beowulf
would add the string
to the log file created in the
In that case, the log file name would look like this:
The option string must contain no more than seven characters; if the string is longer than seven characters, auditlog(1M) prints the following error message:
event log node must be < 8 characters
In addition, the node name used as the argument to the -p option must not contain a slash. If it does, auditlog prints the following error message:
event log node may not contain a slash
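When logs from several machines are collected in one place, the naming rules above can be checked mechanically before the files are trusted as audit evidence. The following is an added example, not part of the original documentation or of the auditing subsystem: the function names are hypothetical, the sample paths other than /var/audit/0415477 are constructed, and it assumes the node name follows the seven digits directly.

```python
import calendar
import os
import re

# Fixed-width layout from the text: MMDD + 3-digit sequence, then an
# optional node name of at most seven characters. Fixed widths matter:
# a node name may itself start with a digit.
_NAME = re.compile(r"(\d{2})(\d{2})(\d{3})(.{0,7})", re.DOTALL)


def check_node_name(node):
    """Apply the two node-name rules the text gives for auditlog -p."""
    if len(node) > 7:
        raise ValueError("event log node must be < 8 characters")
    if "/" in node:
        raise ValueError("event log node may not contain a slash")
    return node


def parse_audit_log_name(path):
    """Split an audit event log path into month, day, sequence and node."""
    base = os.path.basename(path)
    m = _NAME.fullmatch(base)
    if m is None:
        raise ValueError(f"not an audit event log name: {base!r}")
    month, day, seq = int(m.group(1)), int(m.group(2)), int(m.group(3))
    # The name carries no year, so a leap year is used to accept Feb 29.
    if not 1 <= month <= 12 or not 1 <= day <= calendar.monthrange(2000, month)[1]:
        raise ValueError(f"bad date stamp in {base!r}")
    return {"month": month, "day": day, "sequence": seq,
            "node": check_node_name(m.group(4))}


def group_by_node(paths):
    """Group collected logs by node name; '' means no node name was set."""
    groups = {}
    for p in paths:
        groups.setdefault(parse_audit_log_name(p)["node"], []).append(p)
    return groups


if __name__ == "__main__":
    # Constructed sample paths (only the first appears in the text).
    sample = ["/var/audit/0415477", "/var/audit/0415477beowulf",
              "/var/audit/0416001beowulf"]
    print(group_by_node(sample))
```

A name that fails to parse, or a log whose node name does not match the machine it was collected from, is worth investigating before the file is merged into a central store.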