audit_encode_value - Linux


audit_encode_value is a tool for encoding values according to the Audit Data Format (ADF). ADF is a standard for representing audit event data in a structured and extensible way.


audit_encode_value [OPTION...] FIELD-NAME FIELD-VALUE


  • -f, –file=FILE: Reads key-value pairs from the given file.
  • -t, –type=TYPE: Specifies the type of the encoded value. Supported types: string, integer, float, boolean, array, map, byte array.
  • -o, –output=FILE: Writes the encoded value to the given file.
  • -h, –help: Display help and exit.
  • -v, –version: Display version information and exit.


Encode a string value:

audit_encode_value username john

Encode an integer value:

audit_encode_value age 30

Encode an array of integers:

audit_encode_value accounts [1, 2, 3]

Encode a map of strings to integers:

audit_encode_value balances { "john": 10, "alice": 20 }

Common Issues

  • Unable to encode a custom type: ADF does not support custom types. Use one of the supported types or rely on the map type to store a JSON representation of the custom type.
  • Invalid input format: Ensure the input key-value pair is in the correct format, with the key followed by the value separated by a space.


audit_encode_value can be integrated with other commands to process and analyze audit events. For example, it can be used in a script to filter and select specific audit events based on encoded values:

auditctl -l | grep audit_encode_value | audit_encode_value username john

Related Commands

  • audit2allow: Converts audit rules to SELinux policy.
  • auditctl: Controls and manages the kernel audit system.
  • ADF Specification