event_class(5sec)
The file that contains the declaration of an event class.
Description
Audit events can be logically grouped into event classes. Event classes are defined in event class files. An event class file contains an event class number and a list of event numbers corresponding to audit events.
All event class files must be created in the dcelocal/etc/audit/ec directory.
The name of the event class file becomes the name of the event class. The recommended naming convention for event class files is:
dce_server-name_class
where class is a descriptive text that characterizes the event class.
Event class files must be write-protected by the local operating system (that is, only administrators should have write access to these files). Audit clients read these files to maintain an event table in their address space.
Optionally, an event class file can contain a SEP line. This line contains a list of prefixes of the event numbers in the file. The SEP line speeds up the scanning performed by the Audit clients. Audit clients that do not have events with one of the prefixes listed will not scan the event list. If the SEP line is not provided in the file, audit clients must read the entire file to find out if the event class file contains any of their events.
Empty lines are ignored in the event class file.
Comments are designated by the number sign (#) placed before the comment text.
The Event Class File Format
The format of an event class file is:
ECN=event_class_number
SEP=prefix_1 prefix_2 ...
# comments start with the
number sign
event_number_1
# another comment
event_number_2
.
.
.
Example
Following is an example of an event class file for the event class ec_local_authentication:
ECN = 0x00000001
SEP = 0x100
# AS_Request
0x00000100
# TGS_TicketReq
0x00000101
# TGS_RenewReq
0x00000102
# TGS_ValidateReq
0x00000103
Related Information
Files: aud_audit_events(5sec)