I know the answer is to use ausearch from a command line. According to the ausearch man entry, the Event ID comes after the ":" in the msg=audit line entry. As an example, msg=audit(1116360555.329:2401771) would mean that "2401771" is the Event ID. But in looking though the audit.logs, it seems as if that number is simply a sequential marker. Also, I've searched the Internet to try and find something more about Linux audit.log files but everything seems to be geared towards Windows Event IDs.
For instance, we would like to be able to see if a user has tried to access a file they are not authorized to open. What Event ID would that be and how would we use ausearch to look for such events?
Is there a listing somewhere which gives the definitions of each individual Event ID and how to interpret them so that we can sort on specific events rather than having to cull though each 8M audit.log file?