    #include <sys/types.h>
    #include <audit.h>

    int auditbuf(int cmd, struct abuf *bufp, int size);
The default high_water_mark is equal to the size of an audit buffer (ADT_BSIZE). The valid range of values for vhigh is greater than or equal to zero and less than or equal to ADT_BSIZE. If vhigh is equal to zero, the audit buffer mechanism is bypassed and all records are written directly to the audit log file. The size of the audit buffer (ADT_BSIZE) is a tunable parameter found in /etc/conf/mtune.d/audit and cannot be modified by the auditbuf system call.
Two values for cmd are supported: ABUFGET and ABUFSET. When the specified cmd is ABUFGET, the value of the high_water_mark is returned in vhigh, and the size of the audit buffer is returned in bsize.
When the specified cmd is ABUFSET, the value of the high_water_mark is changed to vhigh, and the bsize of the audit buffer is ignored.
The bufp argument points to a structure of type abuf that contains the following elements:
    struct abuf {
        int vhigh;   /* audit buffer high_water_mark */
        int bsize;   /* audit buffer size */
    };
The size argument is used to verify the size of the abuf structure being passed to determine the version of auditing.
Auditing must be installed on the system before this system call can be used. Use of the auditbuf system call requires the appropriate privilege (P_AUDIT).
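The following example is added here and is not part of the original manual page. It reads the current values with ABUFGET, checks the requested vhigh against the 0 to bsize range, and refuses a value of zero (which bypasses the audit buffer) unless the caller asks for it. The helper names, their return codes, the HAVE_AUDIT_H macro and the simulated auditbuf used when that macro is not defined (including its command values and 4096-byte buffer) are assumptions.

```c
#include <stdio.h>

#ifdef HAVE_AUDIT_H               /* build on a system that ships auditbuf(2) */
#include <sys/types.h>
#include <audit.h>
#else
/* Constructed stand-in so the example runs offline: the command values,
   the 4096-byte buffer and the checks below are assumptions. */
#define ABUFGET 1
#define ABUFSET 2
struct abuf { int vhigh; int bsize; };
static struct abuf sim = { 4096, 4096 };   /* default: vhigh == buffer size */
static int auditbuf(int cmd, struct abuf *bufp, int size)
{
    if (size != (int)sizeof(struct abuf)) return -1;
    if (cmd == ABUFGET) { *bufp = sim; return 0; }
    if (cmd != ABUFSET || bufp->vhigh < 0 || bufp->vhigh > sim.bsize) return -1;
    sim.vhigh = bufp->vhigh;               /* bsize is ignored on ABUFSET */
    return 0;
}
#endif

/* Hypothetical helper: returns the current high_water_mark, or -1 on failure. */
int get_high_water_mark(void)
{
    struct abuf ab;
    if (auditbuf(ABUFGET, &ab, sizeof(ab)) != 0) return -1;
    return ab.vhigh;
}

/* Hypothetical helper: set the high_water_mark after checking the range
   0 <= vhigh <= bsize. Returns 0 on success, -1 on a failed call, -2 if
   vhigh is out of range, -3 if vhigh == 0 without allow_bypass set. */
int set_high_water_mark(int vhigh, int allow_bypass)
{
    struct abuf ab;
    if (auditbuf(ABUFGET, &ab, sizeof(ab)) != 0) return -1;   /* learn bsize */
    if (vhigh < 0 || vhigh > ab.bsize) return -2;
    if (vhigh == 0 && !allow_bypass) return -3;  /* 0 bypasses the buffer */
    ab.vhigh = vhigh;
    return auditbuf(ABUFSET, &ab, sizeof(ab)) == 0 ? 0 : -1;
}

int main(void)
{
    printf("before: %d\n", get_high_water_mark());
    printf("set 2048 -> %d\n", set_high_water_mark(2048, 0));
    return 0;
}
```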