On my way to a gate... 15 minutes to wait. Just long enough to finish my coffee and say a bit about using the audit mechanism - more will come!!
The key files for using the AIX audit sub-system are in /etc/security/audit. On AIX 5.3 you need to be in the group audit to manage/see these files (but who uses AIX 5.3 these days - for anything really new). So, if you are researching like myself (on AIX 6.1) I am going to assume you are working as root (via su hopefully - you see nicer things when you start audit). (This is all part of my research for RBAC: No Looking Back!)
The key files are events, objects and config. Events is a file to study - it provides the lowest level of detail naming most of the events (and how they are printed by auditpr) and gives an approximation of how audit events could be/are organized into audit classes. The file objects is where you can add files, actually pathnames, that become audit events, and can be added as an event so that information gets printed.
The file config is where you will spend most of your time initially. Most likely you will want to modify the default classes. I added quite a few - too many actually - as there is a hard limit of 32 classes, and one, "ALL", is pre-coded. So, if you add more than 31 classes - as I did - you will get an error message when you try to start the audit system.
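A pre-flight check for that class limit, as an added example that is not part of the original post: it counts the definitions in the classes: stanza of a config file and flags more than 31. The function names and the sample config are constructed for illustration, and it assumes one class definition per line with `*` starting a comment line.

```shell
#!/bin/sh
# Added example: count class definitions in the "classes:" stanza of an
# AIX audit config file and compare against the limit stated in the post.
MAX_CLASSES=31   # from the post: hard limit of 32, of which "ALL" is pre-coded

count_audit_classes() {
    # Assumption: one "name = event,event,..." definition per line.
    awk '
        /^[ \t]*\*/ { next }                                  # comment line
        /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ {                   # stanza header
            in_classes = ($0 ~ /^classes:/); next
        }
        in_classes && /^[ \t]+[^ \t=]+[ \t]*=/ { n++ }        # class definition
        END { print n + 0 }
    ' "$1"
}

check_audit_classes() {
    n=$(count_audit_classes "$1")
    if [ "$n" -gt "$MAX_CLASSES" ]; then
        echo "$1: $n classes defined, limit is $MAX_CLASSES" >&2
        return 1
    fi
    echo "$1: $n classes defined (limit $MAX_CLASSES)"
}

write_sample_config() {
    # Constructed sample, not a real system's config.
    cat > "$1" <<'EOF'
start:
        binmode = on
        streammode = off

classes:
* constructed sample classes
        general = USER_SU,PASSWORD_Change
        files = FILE_Unlink,FILE_Link,FILE_Rename
        procs = PROC_Create,PROC_Delete,PROC_Execute

users:
        root = general,files
EOF
}

sample="${TMPDIR:-/tmp}/audit_config.sample.$$"
write_sample_config "$sample"
check_audit_classes "$sample"
rm -f "$sample"
```

On a real system, run `check_audit_classes /etc/security/audit/config` after editing the classes and before starting audit.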
Almost out of time: imho the default commands/scripts for bin/stream mode are "silly". At best they give you a slight idea of how you could write commands. Worse: you PASS a formal requirement to have audit activated but get no real useful data. Too much auditing data is almost as bad as no auditing data.
If you have questions about audit - post a question on ROOTvg forums. I look at those with some regularity. :)