Use the event.monitor.commands parameter to specify a list of commands to monitor. Be sure to list each command with the full path. The auditing service generates an audit trail event when a user runs any of these monitored commands, and ignores any commands listed in the event.monitor.commands.user.skiplist.

To use this parameter, you must have enabled the agent to perform advanced monitoring with the command dacontrol -m. Otherwise, you will not get any report or audit trail event results.

In the audit.log file, you can find these events by looking for the cda_cmd_exec messages. In the cdc.log file, you can find them by looking for the Emit AUDIT_TRAIL and Emit COMMAND_HISTORY messages.
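A quick check that monitored-command events are actually being logged, written here as an added example (not the product's own tooling). It matches only the three message names given above; the function names and the sample log lines are constructed for illustration, and the real line layout may differ.

```shell
#!/bin/sh
# count_marker FILE STRING -> number of lines containing STRING (0 if unreadable)
count_marker() {
    if [ -r "$1" ]; then
        grep -F -c -- "$2" "$1" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# monitor_summary AUDIT_LOG CDC_LOG
# Prints "audit=<n> trail=<n> history=<n>". Returns 1 when every count is zero,
# which is the symptom to expect if advanced monitoring was never enabled.
monitor_summary() {
    a=$(count_marker "$1" 'cda_cmd_exec')
    t=$(count_marker "$2" 'Emit AUDIT_TRAIL')
    h=$(count_marker "$2" 'Emit COMMAND_HISTORY')
    echo "audit=$a trail=$t history=$h"
    [ $((a + t + h)) -gt 0 ]
}

# write_sample_logs DIR: constructed sample lines, not real agent output.
write_sample_logs() {
    cat > "$1/audit.log" <<'EOF'
(constructed) 10:00:00 host1 cda_cmd_exec user=alice cmd=/usr/bin/passwd
(constructed) 10:05:00 host1 cda_cmd_exec user=bob cmd=/usr/sbin/useradd
(constructed) 10:06:00 host1 some_other_event user=bob
EOF
    cat > "$1/cdc.log" <<'EOF'
(constructed) 10:00:00 Emit AUDIT_TRAIL for /usr/bin/passwd
(constructed) 10:00:00 Emit COMMAND_HISTORY for /usr/bin/passwd
(constructed) 10:06:00 unrelated debug message
EOF
}

# Demo run against the constructed logs.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
if monitor_summary "$demo_dir/audit.log" "$demo_dir/cdc.log"; then
    echo "monitored-command events found"
else
    echo "no events: confirm advanced monitoring was enabled (dacontrol -m)"
fi
rm -rf "$demo_dir"
```

To use it on a live system, call monitor_summary with the paths to the agent's audit.log and cdc.log.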