Read a record from an audit file.
Parameter | Description
cblte-audevt-version | Structure version
cblte-audevt-flags | Control flags
cblte-audrec-pid-len | Length of process identifier (4 or 8)
cblte-audrec-tid-len | Length of thread identifier (4 or 8)
cblte-audrec-pid-32 | 4-byte process identifier
cblte-audrec-pid-64 | 8-byte process identifier
cblte-audrec-tid-32 | 4-byte thread identifier
cblte-audrec-tid-64 | 8-byte thread identifier
cblte-audrec-event-id | Component-specific audit event identifier
cblte-audrec-category | Audit event category; one of the values in the following table

Value | Category
0 | Unknown
1 | Audit Facility
2 | System
3 | Security API request check
4 | Security API request define
5 | Security API request other
6 | Security API result allow
7 | Security API result deny
8 | Security API result error
9 | Security API result success

cblte-audrec-data-count | Number of audit data items; that is, the number of elements in each of the cblte-audrec-event-len, cblte-audrec-event-type and cblte-audrec-event-data arrays
cblte-audrec-appname-len | Length of application name
cblte-audrec-cmdline-len | Length of command line
cblte-audrec-os-name-len | Length of operating system name
cblte-audrec-mc-name-len | Length of computer/machine name
cblte-audrec-sys-name-len | Length of system name
cblte-audrec-comp-name-len | Length of component name
cblte-audrec-encoded-time | Encoded time of event
cblte-audrec-hour | Decoded hour
cblte-audrec-minute | Decoded minute
cblte-audrec-second | Decoded second
cblte-audrec-millisecond | Decoded millisecond
cblte-audrec-encoded-date | Encoded date of event
cblte-audrec-year | Decoded year
cblte-audrec-month | Decoded month
cblte-audrec-day | Decoded day
cblte-audrec-appname | Pointer to the null-terminated name of the application that generated the audit event
cblte-audrec-cmdline | Pointer to the null-terminated command line of the application that generated the audit event
cblte-audrec-os-name | Pointer to the null-terminated name of the operating system that generated the audit event
cblte-audrec-mc-name | Pointer to the null-terminated name of the computer (machine) that generated the audit event
cblte-audrec-sys-name | Pointer to the null-terminated name of the system that generated the audit event
cblte-audrec-comp-name | Pointer to the null-terminated name of the component that generated the audit event
cblte-audrec-event-len | Pointer to an array of 4-byte COMP-5 items. Each element gives the length of the corresponding audit data item. NULL if cblte-audrec-data-count is 0
cblte-audrec-event-type | Pointer to an array of 4-byte COMP-5 items. Each element gives the type of the corresponding audit data item in the cblte-audrec-event-data array, using the values in the following table. NULL if cblte-audrec-data-count is 0

Value | Type
0 | Binary
1 | Text (local encoding)
2 | Address
3 | COMP-5
4 | COMP-X
5 | UTF8
6 | Signed COMP-5
7 | Signed COMP-X

Any value other than those listed above is treated as type 0 (binary).

cblte-audrec-event-data | Pointer to an array of pointers. Each element addresses an audit data item whose type and length are given by the corresponding elements of the cblte-audrec-event-type and cblte-audrec-event-len arrays respectively. NULL if cblte-audrec-data-count is 0
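The parallel event-len, event-type and event-data arrays are where a consumer of audit records most easily goes wrong: each item must be bounded by its own length, COMP-5 and COMP-X differ in byte order, signed and unsigned variants differ in interpretation, and an unlisted type code must fall back to binary rather than being rejected. The decoder below is an added example, not code from the Micro Focus product or its documentation; it models the three arrays as Python lists, assumes the record was produced on a little-endian host (COMP-5 and addresses in native order, COMP-X big-endian as Micro Focus defines it) whose local encoding is cp1252, and uses a constructed sample record.

```python
# Audit data item type codes, from the cblte-audrec-event-type table above.
AUD_TYPE_BINARY = 0
AUD_TYPE_TEXT = 1          # text in the producing system's local encoding
AUD_TYPE_ADDRESS = 2
AUD_TYPE_COMP5 = 3         # unsigned, native byte order
AUD_TYPE_COMPX = 4         # unsigned, big-endian regardless of host
AUD_TYPE_UTF8 = 5
AUD_TYPE_SIGNED_COMP5 = 6
AUD_TYPE_SIGNED_COMPX = 7

# Assumptions: the record came from a little-endian host (so COMP-5 values and
# addresses are little-endian) and its "local encoding" is cp1252.
NATIVE_BYTEORDER = "little"
LOCAL_ENCODING = "cp1252"

# Category codes from the cblte-audrec-category table above.
CATEGORY_NAMES = {
    0: "Unknown", 1: "Audit Facility", 2: "System",
    3: "Security API request check", 4: "Security API request define",
    5: "Security API request other", 6: "Security API result allow",
    7: "Security API result deny", 8: "Security API result error",
    9: "Security API result success",
}


def decode_audit_item(item_type, data):
    """Decode one audit data item of the given type from its raw bytes."""
    if item_type in (AUD_TYPE_COMP5, AUD_TYPE_SIGNED_COMP5):
        return int.from_bytes(data, NATIVE_BYTEORDER,
                              signed=(item_type == AUD_TYPE_SIGNED_COMP5))
    if item_type in (AUD_TYPE_COMPX, AUD_TYPE_SIGNED_COMPX):
        return int.from_bytes(data, "big",
                              signed=(item_type == AUD_TYPE_SIGNED_COMPX))
    if item_type == AUD_TYPE_ADDRESS:
        if len(data) not in (4, 8):
            raise ValueError("address item must be 4 or 8 bytes, got %d" % len(data))
        return int.from_bytes(data, NATIVE_BYTEORDER)
    if item_type == AUD_TYPE_TEXT:
        return data.decode(LOCAL_ENCODING, errors="backslashreplace")
    if item_type == AUD_TYPE_UTF8:
        # Keep malformed bytes visible instead of silently dropping them:
        # an audit trail should not lose evidence during decoding.
        return data.decode("utf-8", errors="backslashreplace")
    # Type 0 and any unlisted value: hand back the raw bytes.
    return bytes(data)


def decode_event_data(data_count, event_len, event_type, event_data):
    """Walk the three parallel arrays and return a list of decoded items.

    event_data models the pointer array: each element is the bytes reachable
    through that pointer (possibly longer than the item; event_len bounds it).
    """
    if data_count == 0:
        # The page says all three arrays are NULL when the count is 0.
        if not (event_len is None and event_type is None and event_data is None):
            raise ValueError("data-count is 0 but an array pointer is not NULL")
        return []
    if event_len is None or event_type is None or event_data is None:
        raise ValueError("data-count is %d but an array pointer is NULL" % data_count)
    if not (len(event_len) == len(event_type) == len(event_data) == data_count):
        raise ValueError("array sizes do not match cblte-audrec-data-count")
    items = []
    for length, item_type, raw in zip(event_len, event_type, event_data):
        if length < 0 or length > len(raw):
            raise ValueError("item length %d exceeds addressed data" % length)
        items.append(decode_audit_item(item_type, raw[:length]))
    return items


# Constructed sample: the parts of a cblte-audrec structure that matter here,
# with the pointer arrays modelled as Python lists.
SAMPLE_RECORD = {
    "category": 7,
    "event_id": 4102,
    "data_count": 6,
    "event_len": [5, 4, 2, 4, 5, 3],
    "event_type": [1, 3, 4, 6, 5, 99],
    "event_data": [
        b"LOGIN\x00\x00",                 # type 1: local text, padded past its length
        (1001).to_bytes(4, "little"),    # type 3: COMP-5, native order
        b"\x01\xbb",                     # type 4: COMP-X, big-endian 443
        b"\xff\xff\xff\xff",             # type 6: signed COMP-5, -1
        b"caf\xc3\xa9",                  # type 5: UTF-8 "caf\u00e9"
        b"\x01\x02\x03",                 # type 99: unlisted, treated as binary
    ],
}


def summarize_record(rec):
    """Render a record as one line, the way a log forwarder might."""
    items = decode_event_data(rec["data_count"], rec["event_len"],
                              rec["event_type"], rec["event_data"])
    category = CATEGORY_NAMES.get(rec["category"], "Unknown")
    return "category=%r event_id=%d items=%r" % (category, rec["event_id"], items)


if __name__ == "__main__":
    print(summarize_record(SAMPLE_RECORD))
```

The length check against the addressed data is what keeps a corrupt or hostile event-len array from turning into an over-read; in a COBOL consumer the same check is the comparison of each cblte-audrec-event-len element against the buffer you copy into.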
CBL_AUDIT_FILE_READ() returns the next audit record from the file, or collection of files, associated with the current handle.
The first attempt to read past the last record in a file returns 78-AUD-RET-FILE-EOF. The next attempt either returns the first record of the next file in the collection, if a collection was opened and another file is available, or returns 78-AUD-RET-FILE-NO-MORE-RECORDS. A reader that stops at the first 78-AUD-RET-FILE-EOF therefore never sees the later files in a collection.
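The two-step end-of-file behaviour is easy to get wrong in a read loop. The following is an added example, not code from the product: a small Python model of the per-handle state implied by the text (the real function reads from audit files; here a constructed collection of in-memory records stands in), with a naive loop that stops at the first EOF beside a loop that treats EOF as a file boundary. The success return code is not named on the page, so AUD_RET_OK and the use of strings for the return codes are assumptions.

```python
# Return codes are modelled by their 78-level names from the page; the numeric
# values are not given there, so strings stand in for them (assumption). The
# name of the success code is also an assumption.
AUD_RET_OK = "OK"
AUD_RET_FILE_EOF = "78-AUD-RET-FILE-EOF"
AUD_RET_FILE_NO_MORE_RECORDS = "78-AUD-RET-FILE-NO-MORE-RECORDS"


class AuditCollectionReader:
    """Hypothetical model of the per-handle state behind CBL_AUDIT_FILE_READ.

    `files` is the collection: a list of files, each a list of records
    (constructed input; the real function reads from the audit files).
    """

    def __init__(self, files):
        self._files = files
        self._file_idx = 0
        self._rec_idx = 0
        self._eof_reported = False

    def read(self):
        """Return (return_code, record) in the sequence documented above."""
        while True:
            if self._file_idx >= len(self._files):
                return AUD_RET_FILE_NO_MORE_RECORDS, None
            current = self._files[self._file_idx]
            if self._rec_idx < len(current):
                record = current[self._rec_idx]
                self._rec_idx += 1
                return AUD_RET_OK, record
            if not self._eof_reported:
                # First read past the last record of this file.
                self._eof_reported = True
                return AUD_RET_FILE_EOF, None
            # Second read past the end: move on to the next file, if any.
            self._file_idx += 1
            self._rec_idx = 0
            self._eof_reported = False


def read_until_first_eof(reader):
    """Naive loop: stops at the first EOF, so later files in a collection are skipped."""
    records = []
    while True:
        rc, rec = reader.read()
        if rc != AUD_RET_OK:
            return records
        records.append(rec)


def read_whole_collection(reader):
    """Correct loop: EOF only marks a file boundary; NO-MORE-RECORDS ends the read."""
    records = []
    while True:
        rc, rec = reader.read()
        if rc == AUD_RET_OK:
            records.append(rec)
        elif rc == AUD_RET_FILE_EOF:
            continue
        elif rc == AUD_RET_FILE_NO_MORE_RECORDS:
            return records
        else:
            raise RuntimeError("CBL_AUDIT_FILE_READ failed: %r" % rc)


# Constructed collection: two files holding three and two records.
SAMPLE_COLLECTION = [["a1", "a2", "a3"], ["b1", "b2"]]


if __name__ == "__main__":
    print("naive:  ", read_until_first_eof(AuditCollectionReader(SAMPLE_COLLECTION)))
    print("correct:", read_whole_collection(AuditCollectionReader(SAMPLE_COLLECTION)))
```

On a single file the model yields OK for each record, then EOF, then NO-MORE-RECORDS, matching the text; on a collection the naive loop silently drops every file after the first, which for an audit trail is a gap an investigator would never notice from the output alone.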