Audit event reference
Audit event reference
Every audit event emitted by the kernel is a msgpack map with UTF-8 string keys. This page covers the encoding conventions every event shares, the event type names, and the rules consumers should follow.
Event schemas
Full field schemas for each audit event type emitted by the kernel — access-audit, continuous-audit, privilege-use, logon-session-destroyed. Every key with its type, meaning, and constraints.
Common records
Several audit event types share common sub-record structures — the subject record identifying the calling principal, and the process record identifying the running process. This page covers the full schema for each.