Read a record from an audit file.
auditfile_record | Audit event structure, with the following fields:
    version | Structure version
    flags | Control flags
    process_id_len | Length of the process identifier (4 or 8); selects which of the p.* members holds it
    thread_id_len | Length of the thread identifier (4 or 8); selects which of the t.* members holds it
    p.process_id_32 | 4-byte process identifier
    p.process_id_64 | 8-byte process identifier
    t.thread_id_32 | 4-byte thread identifier
    t.thread_id_64 | 8-byte thread identifier
    event_id | Component-specific audit event identifier
    event_category | Audit event category, one of:
        Value | Category
        0 | Unknown
        1 | Audit Facility
        2 | System
        3 | Security API request check
        4 | Security API request define
        5 | Security API request other
        6 | Security API result allow
        7 | Security API result deny
        8 | Security API result error
        9 | Security API result success
    data_count | Number of audit data items, that is, the number of elements in each of the event_len, event_type and event_data arrays
    appname_len | Length of the application name
    cmdline_len | Length of the command line
    os_name_len | Length of the operating system name
    mc_name_len | Length of the computer/machine name
    sys_name_len | Length of the system name
    comp_name_len | Length of the component name
    time | Encoded time of the event
    hour | Decoded hour
    minute | Decoded minute
    second | Decoded second
    millisecond | Decoded millisecond
    date | Encoded date of the event
    year | Decoded year
    month | Decoded month
    day | Decoded day
    appname | Pointer to the null-terminated name of the application that generated the audit event
    cmdline | Pointer to the null-terminated command line of the application that generated the audit event
    os_name | Pointer to the null-terminated name of the operating system that generated the audit event
    mc_name | Pointer to the null-terminated name of the computer that generated the audit event
    sys_name | Pointer to the null-terminated name of the system that generated the audit event
    comp_name | Pointer to the null-terminated name of the component that generated the audit event
    event_len | Pointer to an array of 4-byte COMP-5 items. Each element gives the length in bytes of the corresponding audit data item. NULL if data_count is 0.
    event_type | Pointer to an array of 4-byte COMP-5 items. Each element gives the type of the corresponding audit data item in the event_data array. NULL if data_count is 0. Types:
        Value | Type
        0 | Binary
        1 | Text (local encoding)
        2 | Address
        3 | COMP-5
        4 | COMP-X
        5 | UTF8
        6 | Signed COMP-5
        7 | Signed COMP-X
        Any value other than those listed above is treated as type 0 (Binary).
    event_data | Pointer to an array of pointers. Each element addresses an audit data item of the type and length given by the corresponding elements of the event_type and event_len arrays. NULL if data_count is 0. Unlike the name fields above, the items are not described as null-terminated: use event_len to bound each one.
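The three arrays above are the part of the record a consumer has to treat as untrusted input: each item's extent comes only from event_len, its interpretation only from event_type, and the page promises the arrays are NULL only when data_count is 0. The C program below is an added example, not code from this page or from the product. It defines a stand-in for the audit data fields of auditfile_record (field names from the page, C layout assumed), decodes each item by its type code with the length taken from event_len, escapes control bytes in text so a crafted item cannot inject line breaks or terminal escapes into a rendered log, and refuses a record whose arrays are NULL while data_count is nonzero. Taking COMP-X as big-endian and COMP-5 as host byte order is the usual meaning of those usages in Micro Focus COBOL and is an assumption here, as is the sample record, which is constructed rather than taken from a real audit file.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* event_type codes from the page's table. */
enum { AUD_BINARY, AUD_TEXT, AUD_ADDRESS, AUD_COMP5, AUD_COMPX, AUD_UTF8, AUD_SCOMP5, AUD_SCOMPX };

/* Stand-in for the audit data part of auditfile_record: field names from the
   page, C layout assumed (the real structure carries many more fields). */
typedef struct {
    int32_t  data_count;
    int32_t *event_len;   /* byte length of each item */
    int32_t *event_type;  /* type code of each item   */
    void   **event_data;  /* address of each item     */
} audit_record_t;

/* Decode a 1..8 byte integer: COMP-X is big-endian, COMP-5 is host byte
   order (assumed, the usual Micro Focus meaning). Returns 0 on a bad length. */
static int decode_int(const unsigned char *p, int32_t len, int compx,
                      int is_signed, int64_t *out)
{
    const uint16_t one = 1;
    int big = compx || *(const unsigned char *)&one == 0;
    uint64_t v = 0;
    if (len < 1 || len > 8) return 0;
    for (int32_t i = 0; i < len; i++)
        v = (v << 8) | p[big ? i : len - 1 - i];
    if (is_signed && len < 8 && ((v >> (len * 8 - 1)) & 1))
        v |= ~(uint64_t)0 << (len * 8);                  /* sign-extend */
    *out = (int64_t)v;
    return 1;
}

/* Render one item into out. The item is bounded by event_len, never by a NUL;
   control and non-ASCII bytes in text are escaped so a crafted item cannot put
   line breaks or terminal escapes into whatever reads the rendered log. */
static int format_item(int32_t type, const void *data, int32_t len,
                       char *out, size_t outsz)
{
    const unsigned char *p = data;
    size_t n = 0;
    int64_t v;
    if (!p || len < 0 || !out || outsz < 5) return -1;
    if (type < AUD_BINARY || type > AUD_SCOMPX) type = AUD_BINARY;  /* as documented */
    if (type == AUD_TEXT || type == AUD_UTF8) {
        for (int32_t i = 0; i < len && n + 4 < outsz; i++) {
            if (p[i] >= 0x20 && p[i] < 0x7f) out[n++] = (char)p[i];
            else n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", (unsigned)p[i]);
        }
        out[n] = '\0';
        return (int)n;
    }
    if (type >= AUD_COMP5 && decode_int(p, len, type == AUD_COMPX || type == AUD_SCOMPX,
                                        type == AUD_SCOMP5 || type == AUD_SCOMPX, &v))
        return snprintf(out, outsz, "%" PRId64, v);
    for (int32_t i = 0; i < len && n + 2 < outsz; i++)  /* binary, address, bad length */
        n += (size_t)snprintf(out + n, outsz - n, "%02x", (unsigned)p[i]);
    out[n] = '\0';
    return (int)n;
}

/* Render a record's items as "type:value" fields; -1 if data_count > 0 with a NULL array. */
static int format_record(const audit_record_t *r, char *out, size_t outsz)
{
    size_t n = 0;
    if (r->data_count < 0 || outsz == 0) return -1;
    if (r->data_count > 0 && (!r->event_len || !r->event_type || !r->event_data)) return -1;
    out[0] = '\0';
    for (int32_t i = 0; i < r->data_count; i++) {
        char item[128];
        if (format_item(r->event_type[i], r->event_data[i], r->event_len[i], item, sizeof item) < 0)
            return -1;
        n += (size_t)snprintf(out + n, outsz - n, "%s%" PRId32 ":%s", i ? " | " : "", r->event_type[i], item);
        if (n >= outsz) return -1;                           /* truncated */
    }
    return (int)n;
}

/* Constructed sample record (not real audit output): text carrying a newline and an
   ANSI escape, a host-order COMP-5, a COMP-X, a signed COMP-X, and an undocumented type. */
static int demo_record(char *out, size_t outsz)
{
    static unsigned char text[] = "login ok\n\x1b[31m", big[] = { 0, 0, 1, 0 },
                         neg[] = { 0xff, 0xfe }, bin[] = { 0xde, 0xad, 0xbe, 0xef };
    static int32_t native = 42, type[] = { AUD_TEXT, AUD_COMP5, AUD_COMPX, AUD_SCOMPX, 99 },
                   len[] = { 14, 4, 4, 2, 4 };     /* 14: text bytes before its NUL */
    static void *data[] = { text, &native, big, neg, bin };
    audit_record_t r = { 5, len, type, data };
    return format_record(&r, out, outsz);
}

int main(void)
{
    char line[256];
    if (demo_record(line, sizeof line) < 0) return 1;
    puts(line);
    return 0;
}
```

The rendered sample line is `1:login ok\x0a\x1b[31m | 3:42 | 4:256 | 7:-2 | 99:deadbeef`: the newline and ESC byte survive only as escapes, the unknown type code 99 falls back to a hex dump as the page specifies, and an integer item whose event_len is not 1 to 8 bytes is dumped as hex rather than misread.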
cobaudit_event() is intended for use by C programs. It returns the next audit record from the file(s) associated with the current handle.
The function returns AUDIT_RET_FILE_EOF the first time a read is attempted past the last record in a file. The following read attempt either returns the first record of the next file in the collection, if a collection has been opened and another file is available, or returns AUDIT_RET_FILE_NO_MORE_RECORDS.
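The return-code sequence just described, as an added example that is not code from this page or from the product: a read loop that treats AUDIT_RET_FILE_EOF as a file boundary and keeps going, stops on AUDIT_RET_FILE_NO_MORE_RECORDS, and bails out on anything else rather than spinning. The loop is driven by a stub that stands in for cobaudit_event() over a constructed two-file collection; the stub's signature, the name AUDIT_RET_OK and the numeric values of all three codes are assumptions, since the page gives only the two failure-code names.

```c
#include <stdio.h>

/* Return codes named in the text; the numeric values are assumed here.
   AUDIT_RET_OK is also assumed: the page does not name the success code. */
#define AUDIT_RET_OK                   0
#define AUDIT_RET_FILE_EOF             1
#define AUDIT_RET_FILE_NO_MORE_RECORDS 2

/* Stand-in for cobaudit_event() over a constructed collection of two files
   holding 2 and 1 records. The real signature is not documented on this page,
   so the stand-in takes an opaque handle and returns only the status code. */
static int stub_next(void *handle)
{
    static const int seq[] = { AUDIT_RET_OK, AUDIT_RET_OK, AUDIT_RET_FILE_EOF,
                               AUDIT_RET_OK, AUDIT_RET_FILE_EOF };
    static size_t i;
    (void)handle;
    return i < sizeof seq / sizeof seq[0] ? seq[i++] : AUDIT_RET_FILE_NO_MORE_RECORDS;
}

/* Read loop for the documented codes: AUDIT_RET_FILE_EOF only marks a file
   boundary, so reading continues; AUDIT_RET_FILE_NO_MORE_RECORDS ends the
   collection; any other code is an error and the loop must not spin on it.
   Returns the record count, or -1 on error, with *files set to the number of
   end-of-file boundaries seen. */
static int drain(int (*next)(void *), void *handle, int *files)
{
    int records = 0;
    *files = 0;
    for (;;) {
        int rc = next(handle);
        if (rc == AUDIT_RET_OK)            records++;
        else if (rc == AUDIT_RET_FILE_EOF) (*files)++;
        else return rc == AUDIT_RET_FILE_NO_MORE_RECORDS ? records : -1;
    }
}

int main(void)
{
    int files, n = drain(stub_next, NULL, &files);
    printf("%d record(s) across %d file(s)\n", n, files);
    return n < 0;
}
```

With the real function the loop shape is the same; what matters is that EOF is not treated as the end of the collection, and that an unexpected code terminates the loop instead of being retried forever.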