Monitoring
Apple protects its audit trails, and while this is a good thing, it does require you to take a few extra steps to analyze them. If you are part of an organization, they may already have procedures and mechanisms to get access to the audit trail files, so check with them. However, you can always use the Terminal application to make a copy of an audit trail file for you to analyze. We recommend you keep these copies in their own folder.
By default, the audit trails are kept in the directory
/var/audit/
You will need to (1) determine which file you want to analyze (list the contents of the directory), (2) make a local copy of it, and (3) change its ownership to you. In the example below, the long string of numbers is actually the file name; it represents the times the audit file started and stopped. Also in the example, the user name is "bob"; you will want to use your real user name.
$ cd MyLogs
$ sudo ls -l /var/audit
$ sudo cp /var/audit/20110326003044.20110326020923 .
$ sudo chown bob 20110326003044.20110326020923
That is it. Now you are ready to open that file in Audit Explorer.
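For step (1), the file names themselves tell you which period each trail covers. The shell functions below are an added example, not part of the Audit Explorer manual: they decode a trail name into its start and stop times and pick the closed trail that covers a given moment. They assume the stamps are UTC and that a trail still being written ends in "not_terminated" (or "crash_recovery" after an unclean stop) instead of a stop time; the function names and the stamp in the usage line are made up for this example.

```shell
# Trail names are START.STOP, each stamp being YYYYMMDDhhmmss.
# Assumptions: stamps are UTC; STOP can be "not_terminated" (trail still
# being written) or "crash_recovery" instead of a stamp.

is_stamp() {                       # true when $1 is exactly 14 digits
    case "$1" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 14 ]
}

fmt_stamp() {                      # 20110326003044 -> 2011-03-26 00:30:44
    printf '%s\n' "$1" |
        sed -E 's/^(....)(..)(..)(..)(..)(..)$/\1-\2-\3 \4:\5:\6/'
}

describe_trail() {                 # print "start -> stop" for one file name
    start=${1%%.*}
    stop=${1#*.}
    [ "$start" != "$1" ] && is_stamp "$start" || return 1
    if is_stamp "$stop"; then
        printf '%s -> %s\n' "$(fmt_stamp "$start")" "$(fmt_stamp "$stop")"
        return 0
    fi
    case "$stop" in
        not_terminated|crash_recovery)
            printf '%s -> (%s)\n' "$(fmt_stamp "$start")" "$stop" ;;
        *)  return 1 ;;
    esac
}

find_trail() {                     # names on stdin, stamp to look for in $1
    is_stamp "$1" || return 2
    while IFS= read -r name; do
        start=${name%%.*}
        stop=${name#*.}
        # Skip open trails and anything else that is not START.STOP.
        [ "$start" != "$name" ] && is_stamp "$start" && is_stamp "$stop" || continue
        if [ "$start" -le "$1" ] && [ "$1" -le "$stop" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Usage (constructed stamp): sudo ls /var/audit | find_trail 20110326011500
```

Because find_trail skips trails that have no stop time, it never points you at a file that is still being written.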
Video tutorial available at: Monitor Your Logs

@NetSquared_USA  copyright Net Squared, Inc., 2008-2013