Volume Audit Format

Each volume audit file is a file in an inaccessible directory on the volume being audited. That is, the audit files for volume SYS: are maintained in an inaccessible directory on volume SYS:, and the audit files for volume ALPHA: are kept in an inaccessible directory on volume ALPHA:.

The inaccessible directories are protected, hidden directories that network clients cannot directly read by issuing file and directory NCP messages. The names of the audit files are derived by the server from the name of the Audit File object when each file is created; however, these filenames are not meaningful outside the server's auditing software.

Each volume audit file consists of a header (that includes data such as creation time) and a sequence of audit event records. That is, the server appends discrete volume audit records to the associated current audit file.

Audit files are not necessarily a fixed size. The server writes an audit record, then checks to see whether the audit file has exceeded the desired size. If so, the server executes a background thread to perform the file rollover; however, during this time, the server might add even more events before the file is rolled over.

Records within a volume audit file are sequenced in order of increasing time, using the server's local time. Note that time discontinuities in the audit trail can occur if the server's time is modified.

Records are stored in the audit file in a "null-compressed" format (0xE0 = 1 null byte, 0xE1 = 2 null bytes, ..., 0xEE = 15 null bytes, 0xEF = the next byte is taken literally). After encoding all natural nulls in the audit record in this way, the server uses a null character (0x00) as the record separator, so a 0x00 byte in the file always marks the end of a record.
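As an added example (not Novell's or the server's code), the following Python implements the null-compression codec described above, including the two edge cases a reader of these files must handle: runs of more than 15 nulls and literal bytes in the 0xE0..0xEF range, which this code assumes are escaped with 0xEF since the page does not say so explicitly.

```python
from typing import List

RUN_BASE = 0xE0    # 0xE0..0xEE encode runs of 1..15 null bytes
RUN_MAX = 15
ESCAPE = 0xEF      # the next byte is taken literally
SEPARATOR = 0x00   # record terminator; never produced inside an encoded record


def encode_record(raw: bytes) -> bytes:
    """Null-compress one decoded audit record (separator not included)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0:
            n = 0
            while i < len(raw) and raw[i] == 0 and n < RUN_MAX:
                i += 1
                n += 1
            out.append(RUN_BASE + n - 1)      # 16+ nulls become several runs
        else:
            if RUN_BASE <= raw[i] <= ESCAPE:
                out.append(ESCAPE)            # assumed: literal 0xE0..0xEF escaped
            out.append(raw[i])
            i += 1
    return bytes(out)


def encode_stream(records: List[bytes]) -> bytes:
    """Encode records and terminate each with the 0x00 separator."""
    return b"".join(encode_record(r) + bytes([SEPARATOR]) for r in records)


def decode_stream(data: bytes) -> List[bytes]:
    """Split a null-compressed stream into its decoded records.

    Raises ValueError on a dangling 0xEF or on trailing bytes with no
    separator, which is what a file still being appended to looks like.
    """
    records: List[bytes] = []
    cur = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        i += 1
        if b == SEPARATOR:
            records.append(bytes(cur))
            cur = bytearray()
        elif b == ESCAPE:
            if i >= len(data):
                raise ValueError("dangling 0xEF escape at end of data")
            cur.append(data[i])
            i += 1
        elif RUN_BASE <= b < ESCAPE:
            cur.extend(b"\x00" * (b - RUN_BASE + 1))
        else:
            cur.append(b)
    if cur:
        raise ValueError("trailing partial record without 0x00 separator")
    return records


# Constructed sample: a record with a 20-null run and literal 0xE5/0xEF bytes,
# followed by a record consisting of a single null byte.
SAMPLE_RECORDS = [b"\x01" + b"\x00" * 20 + b"\xe5\xef\x02", b"\x00"]
```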

Each audit file is self-contained; that is, you don't have to read previous audit files to establish the context for the current file. For example, if a user is logged in when the audit file rolls over, the server writes a pseudo-login event for that user. If a file is open when the audit file rolls over, the new audit file contains a pseudo-open event.

The following sections describe the format of volume audit files internally, within the server, and as displayed by AUDITCON.


Volume Audit File Header

Each volume audit file contains an audit file header that defines the audit status and configuration data for the audit file. Table 19 defines the format of the volume audit file header. The data types "BYTE", "WORD", and "LONG" refer to 8-, 16-, and 32-bit integers, respectively. The "BYTE" data type is also used for character strings.


Table 19. Volume Audit File Header

Type    Identifier                    Description
WORD    fileVersionDate               Current version of the audit file.
BYTE    auditFlags                    Bit map, including concurrent auditor access, dual-level passwords, broadcast warnings to all users.
BYTE    errMsgDelayMinutes            Number of minutes to delay between error messages.
BYTE    encryptPassword[16]           Encrypted level 1 password hash value (not used in evaluated configuration).
LONG    volumeAuditFileMaxSize        Nominal audit file maximum size.
LONG    volumeAuditFileSizeThreshold  Nominal audit file size threshold.
LONG    auditRecordCount              Number of user audit records in file.
LONG    historyRecordCount            Number of auditor event records in file.
BYTE    encryptPassword2[16]          Encrypted level 2 password hash value (not used in evaluated configuration).
LONG    spare[2]                      Unused.
LONG    overflowFileSize              Size of overflow file.
bit map volumeAuditEventBitMap        Unused; see newBitMap definition.
LONG    aFileCreationDateTime         Audit file creation time.
BYTE    randomData[8]                 Unused.
WORD    auditFlags2                   Unused.
WORD    fileVersionDate2              Unused.
BYTE    fileArchiveDays               Days between audit archive.
BYTE    fileArchiveHour               Hour of day to archive.
BYTE    numOldAuditFilesToKeep        Number of old audit files to keep (1-15).
BYTE    spareByte                     Unused.
LONG    hdrChecksum                   Checksum of header.
LONG    spareLongs[2]                 Unused.
BYTE    newBitMap[64]                 Bitmap of audit events selected for this volume.
BYTE    spareBytes[64]                Unused.
BYTE    auditObjectDN[514]            Distinguished (complete) name of Audit File object associated with the volume.
BYTE    spareBytes2[122]              Unused.
LONG    wrappedDataKeyLength          Unused.
LONG    wrappedDataKey[1152]          Unused.

For more information, refer to the corresponding status information in Displaying Volume Audit Status and volume configuration information in the Audit Options Configuration.


Volume Audit Record Format

This section defines the binary format of each audit record in the volume audit trail. Each audit record has a fixed record header and, potentially, additional event-specific data.

The volume audit record header (audit_rec_hdr) is a fixed structure that contains data for each audit event in the audit file. Table 20 shows the fields in each volume audit record header.


Table 20. Volume Audit Record Header

Type    Element Name              Description
WORD    eventTypeID               Volume audit event type, from Table 21 or Table 22.
WORD    chkWord                   Checksum, used for internal integrity checks.
LONG    connectionID              Server's internal connection table entry. This value is used to associate an event with the user that performed that event.
LONG    processUniqueID           Client process ID. This value can be used to trace client events (for example, file opens) to a specific process on that client.
LONG    successFailureStatusCode  Completion status: 0=successful, nonzero=failure.
WORD    dosDate                   DOS-format date of event.
WORD    dosTime                   DOS-format time of event.

Table 21 defines each volume audit file record name and number, describes the type of event (accounting, extended attribute, file, message, QMS, server, user), when it is generated, and the format of any additional event-specific data in the audit record. The data types "BYTE", "WORD", and "LONG" refer to 8-, 16-, and 32-bit integers, respectively. The "BYTE" data type is also used for character strings. The complete name of each event in Table 21 starts with "A_EVENT_"; that prefix is omitted to save room.

NOTE: Events 29 through 41, 228 through 235, and 261 are queue management events. Queue management events are always recorded in the audit trail of volume SYS:, and therefore will not appear in the audit trails of any other volumes.


Table 21. Volume Audit Records

Event Number and Record Name
     Description and Comments
     Additional Event-Specific Data (Type; Declaration; Description)

7    CHANGE_DATE_TIME
     Server event, audits time/date change.
     LONG; DosDateTime; Old DOS format Date/Time

10   CLOSE_FILE
     File event, audits user file close.
     LONG; Handle; File handle
     LONG; Modified; Set if file was modified

12   CREATE_FILE
     File event, audits user file creation.
     LONG; Handle; DOS file handle
     LONG; Rights; Requested open rights
     LONG; NameSpace; DOS name space
     PATH; pathname

14   DELETE_FILE
     File event, audits user file deletion.
     LONG; NameSpace; DOS name space
     PATH; pathname

17   DISABLE_ACCOUNT
     User event, audits disabling a user account.
     BYTE; FileName[ ]; Length-preceded Bindery username

18   DOWN_SERVER
     Server event, audits server shutdown.
     (None)

19   GRANT_TRUSTEE
     User event, audits assignment of trustee rights to a user.
     LONG; TrusteeID; User ID of trustee
     LONG; Rights; Assigned trustee rights
     LONG; NameSpace; DOS name space
     BYTE; TrusteeName[ ]; Length-preceded username
     PATH; directory pathname

21   LOGIN_USER
     User event, audits user login or background authentication to a server.
     LONG; UserID; User entry ID on server
     BYTE; NetworkAddrType; IPX=1
     BYTE; NetworkAddrLen; Length (IPX uses 10)
     BYTE; NetworkAddress; IPX network address
     BYTE; Name[ ]; Length-preceded username

23   LOGOUT_USER
     User event, audits user logout from a server.

25   MODIFY_ENTRY
     File event, audits user modification of a directory entry.
     LONG; ModifyBits; Bitmap indicating modifications made
     LONG; NameSpace; DOS name space
     LONG; NamePtr
     LONG; Attributes
     LONG; AttributesMask
     WORD; CreationDate
     WORD; CreationTime
     LONG; OwnerID
     WORD; ArchiveDate
     WORD; ArchiveTime
     LONG; ArchiverID
     WORD; LastUpdatedDate
     WORD; LastUpdatedTime
     LONG; UpdaterID
     WORD; LastAccessDate
     WORD; InheritanceGrantMask
     WORD; InheritanceRevokeMask
     LONG; MaxSpace
     LONG; LastUpdatedSecs
     PATH; FSOName
     BYTE; OldDosName[ ]; Length-preceded old filename (optional) OR
     BYTE; NewOwner[ ]; Length-preceded owner name (optional) OR
     BYTE; LastArchivedBy; Length-preceded username (optional) OR
     BYTE; LastModifiedBy; Length-preceded username (optional)

27   OPEN_FILE
     File event, audits user file open.
     LONG; Handle; DOS file handle
     LONG; Rights; Requested open rights or attributes
     LONG; NameSpace; DOS name space
     PATH; pathname

29   Q_ATTACH_SERVER
     QMS event, audits assignment of an object to a queue's list of queue servers.
     BYTE; Qname[ ]; Length-preceded queue name
     BYTE; Servername[ ]; Length-preceded server name

29   Q_CREATE
     QMS event, audits creation of a queue object and its associated queue directory.
     LONG; QType; Queue type
     BYTE; FileName[ ]; Length-preceded queue name

30   Q_CREATE_JOB
     QMS event, audits creation of a queue job.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded description

31   Q_DESTROY
     QMS event, audits deletion of a queue object, queue directory, and associated job files.
     LONG; QType; Queue type
     BYTE; QName[ ]; Length-preceded queue directory name

32   Q_DETACH_SERVER
     QMS event, audits removal of an object from a queue's list of queue servers.
     BYTE; Qname[ ]; Length-preceded queue name
     BYTE; Servername[ ]; Length-preceded server name

33   Q_EDIT_JOB
     QMS event, audits editing of the parameters associated with a queue job.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDesc[ ]; Length-preceded job description
     BYTE; NewJobDesc[ ]; Length-preceded job description

34   Q_JOB_FINISH
     QMS event, audits completion of a queue job by a queue server.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Null-terminated job description

35   Q_JOB_SERVICE
     QMS event, audits selection of the next available queue job by a queue server.
     LONG; TType; Queue target type
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded

36   Q_JOB_SERVICE_ABORT
     QMS event, audits abnormal termination of a queue job by a queue server.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded

37   Q_REMOVE_JOB
     QMS event, audits removal of an entry from a queue.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded

38   Q_SET_JOB_PRIORITY
     QMS event, audits change of queue job priority.
     LONG; Priority; Queue job priority
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDesc[ ]; Length-preceded

39   Q_SET_STATUS
     QMS event, audits a change of queue status by a queue operator.
     LONG; Status; Queue status bitmap
     BYTE; QName[ ]; Length-preceded queue name

40   Q_START_JOB
     QMS event, audits making an entry ready for service.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded

41   Q_SWAP_RIGHTS
     QMS event, records the change of rights (by a queue server) to match the rights of the user that placed the job in the queue.
     BYTE; QName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded

42   READ_FILE
     File event, audits user read of an open file.
     LONG; Handle; Open file handle
     LONG; ByteCount; Number of bytes actually read
     LONG; Offset; File offset

43   REMOVE_TRUSTEE
     User event, audits removal of a trustee from a file or directory.
     LONG; TrusteeID; User ID of trustee
     LONG; Rights; Trustee rights
     LONG; NameSpace; DOS name space
     BYTE; TrusteeName[ ]; Length-preceded username
     PATH; directory pathname

44   RENAME_MOVE_FILE
     File event, audits rename or move of a file.
     LONG; NameSpace; DOS name space
     BYTE; FileName1[ ]; PATH before operation
     BYTE; FileName2[ ]; PATH after operation

46   SALVAGE_FILE
     File event, audits salvage of deleted file space.
     LONG; NameSpace; DOS name space
     BYTE; FileName[ ]; PATH pathname

49   TERMINATE_CONNECTION
     User event, audits termination of a user connection.
     LONG; ConnectionNbr; Number of the connection that was terminated

50   UP_SERVER
     Server event, audits start of server. (Note: this event cannot be preselected by AUDITCON.)
     (None)

53   USER_SPACE_RESTRICTIONS
     User event, records change of a user's volume space restriction.
     LONG; SpaceValue; User space restriction (blocks per volume)
     BYTE; TrusteeName; Length-preceded trustee name

55   VOLUME_MOUNT
     Server event, audits mount of a disk volume.
     (None)

56   VOLUME_DISMOUNT
     Server event, audits dismount of a disk volume.
     (None)

57   WRITE_FILE
     File event, audits user write to an open file.
     LONG; Handle; Open file handle
     LONG; ByteCount; Number of bytes actually written
     LONG; Offset; File offset

75   CREATE_DIRECTORY
     File event, records user creation of a directory.
     LONG; Handle; DOS file handle (always zero)
     LONG; Rights; Requested open rights
     LONG; NameSpace; DOS name space
     BYTE; FileName[ ]; PATH pathname

76   DELETE_DIRECTORY
     File event, records user deletion of a directory.
     LONG; NameSpace; DOS name space
     BYTE; FileName[ ]; PATH pathname

200  GET_CURRENT_ACCOUNT_STATUS
     Accounting event, records querying the current account status.
     BYTE; ClientName[ ]; User whose status is requested

201  SUBMIT_ACCOUNT_CHARGE
     Accounting event, records submitting an accounting charge.
     BYTE; ClientName[ ]; User whose account is being charged

202  SUBMIT_ACCOUNT_HOLD
     Accounting event, records submitting an accounting hold.
     BYTE; ClientName[ ]; User whose account is being held

203  SUBMIT_ACCOUNT_NOTE
     Accounting event, records submitting an accounting note.
     BYTE; ClientName[ ]; User whose account is being noted

204  DISABLE_BROADCASTS
     Message event, records refusal of future messages.
     (None)

205  GET_BROADCAST_MESSAGE
     Message event, records retrieving a message sent to the connection.
     (None)

206  ENABLE_BROADCASTS
     Message event, records acceptance of future messages.
     (None)

207  BROADCAST_TO_CONSOLE
     Message event, records sending a message to the server console.
     (None)

208  SEND_BROADCAST_MESSAGE
     Message event, records sending a message to a connection. If the message was sent to more than one recipient, a separate audit record is recorded for each recipient.
     BYTE; ClientName[ ]; Length-preceded name of the user to whom the message was sent

209  WRITE_EATTRIB
     Extended attribute event, records writing the extended attributes of a file.
     BYTE; PathName[ ]; PATH pathname

210  READ_EATTRIB
     Extended attribute event, records reading the extended attributes of a file.
     BYTE; PathName[ ]; PATH pathname

211  ENUM_EATTRIB
     Extended attribute event, records enumeration of extended attributes.
     BYTE; PathName[ ]; PATH pathname

212  SEE_FSO
     File event, records examining an FSO for computing rights or a handle.
     BYTE; PathName[ ]; PATH pathname

213  GET_FSO_RIGHTS
     File event, records computing a user's rights to a file system object.
     BYTE; PathName[ ]; PATH pathname

214  PURGE_FILE
     File event, records purging a file.
     LONG; NameSpace; DOS name space
     PATH[ ]

215  SCAN_DELETED
     File event, records scanning the list of deleted files.
     BYTE; PathName[ ]; PATH name scanned

216  DUPLICATE_EATTRIB
     Extended attribute event, records duplication of an extended attribute.
     BYTE; DestPathName[ ]; Length-preceded pathname of destination
     BYTE; SrcPathName[ ]; Length-preceded pathname of source file

217  ALLOC_SHORT_DIRECTORY_HANDLE
     File event, records allocation of a directory handle.
     LONG; DirectoryHandle; Existing directory handle
     BYTE; PathName[ ]; Length-preceded pathname for new handle

218  SET_HANDLE
     File event, records computation of a directory handle.
     BYTE; PathName[ ]; PATH pathname for new handle

219  SEARCH
     File event, records searching for FSOs.
     BYTE; PathName[ ]; PATH pathname being searched for

220  GEN_DIR_BASE_AND_VOL
     File event, records accessing an FSO.
     BYTE; PathName[ ]; PATH pathname

221  OBTAIN_FSO_INFO
     File event, records obtaining FSO information.
     BYTE; PathName[ ]; PATH pathname

222  GET_REF_COUNT
     File event, records retrieving a reference count.
     BYTE; PathName[ ]; PATH pathname

223  MODIFY_ENTRY_NO_SEARCH
     File event, records modifying an FSO's information.
     BYTE; PathName[ ]; PATH pathname

224  SCAN_TRUSTEES
     File event, records scanning the list of FSO trustees.
     BYTE; PathName[ ]; PATH pathname

225  GET_OBJ_EFFECTIVE_RIGHTS
     File event, records computation of effective rights to a given file for a given NDS® object.
     BYTE; PathName[ ]; PATH pathname
     BYTE; ObjectName[ ]; NDS object for which rights are questioned

226  PARSE_TREE
     File event, records scanning the FSO tree.
     BYTE; PathName[ ]; PATH pathname

227  SET_SPOOL_FILE_FLAGS
     Queue event, records setting the spool file flags.
     LONG; PrintFlags; New flags for the spool file

228  RESTORE_Q_SERVER_RIGHTS
     Queue event, records restoring a queue server's previous rights and identity.
     (None)

229  Q_JOB_SIZE
     Queue event, records retrieving a queued job's size.
     BYTE; QueueName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded job description

230  Q_JOB_LIST
     Queue event, records retrieving the list of jobs in a queue.
     BYTE; QueueName[ ]; Length-preceded queue name

231  Q_JOB_FROM_FORM_LIST
     Queue event, records retrieving the list of jobs waiting for a form.
     BYTE; QueueName[ ]; Length-preceded queue name

232  READ_Q_JOB_ENTRY
     Queue event, records reading information about a queued job.
     BYTE; QueueName[ ]; Length-preceded queue name
     BYTE; JobDescription[ ]; Length-preceded job description

233  MOVE_Q_JOB
     Queue event, records moving a job from one queue to another.
     BYTE; SrcQueueName[ ]; Length-preceded source queue name
     BYTE; DestQueueName[ ]; Length-preceded destination queue name
     BYTE; JobDescription[ ]; Length-preceded job description

234  READ_Q_STATUS
     Queue event, records querying the status of a queue.
     BYTE; QueueName[ ]; Length-preceded queue name

235  READ_Q_SERVER_STATUS
     Queue event, records querying the status of a queue server.
     BYTE; QueueName[ ]; Length-preceded queue name
     BYTE; ServerName[ ]; Length-preceded server name

236  EXTENDED_SEARCH
     File event, records use of extended file searching.
     BYTE; PathName[ ]; PATH pathname

237  GET_DIR_ENTRY
     File event, records getting a directory entry.
     BYTE; PathName[ ]; PATH pathname

238  SCAN_VOL_USER_RESTR
     File event, records getting the user disk space restrictions for a volume.
     (None)

239  VERIFY_SERIAL
     Server event, records verification of the server serial number.
     (None)

240  GET_DISK_UTILIZATION
     File event, records retrieving the disk usage for a particular user on a volume.
     BYTE; ClientName[ ]; Length-preceded username being queried
     BYTE; VolumeName[ ]; Length-preceded volume name being examined

241  LOG_FILE
     File event, records locking a file for exclusive use.
     BYTE; FileName[ ]; PATH pathname being locked

242  SET_COMP_FILE_SZ
     File event, records setting the file size of a compressed file.
     BYTE; FileName[ ]; PATH pathname

243  DISABLE_LOGIN
     Server event, records console command to disallow logins.
     (None)

244  ENABLE_LOGIN
     Server event, records console command to allow logins.
     (None)

245  DISABLE_TTS
     Server event, records console command to disable transaction tracking.
     (None)

246  ENABLE_TTS
     Server event, records console command to enable transaction tracking.
     (None)

247  SEND_CONSOLE_BROADCAST
     Message event, records sending a message to the console.
     (None)

248  REMAINING_GET_OBJ_DISK_SPACE
     Server event, records getting the amount of disk space available.
     BYTE; ObjName[ ]; Length-preceded

249  GET_CONN_TASKS
     Server event, records getting the list of tasks associated with a connection.
     (None)

250  GET_CONN_OPEN_FILES
     Server event, records getting the list of files open by a connection.
     LONG; ConnNum

251  GET_CONN_USING_FILE
     Server event, records getting the list of connections using a file.
     BYTE; VolName[ ]; Length-preceded
     PATH; Filename

252  GET_PHYS_REC_LOCKS_CONN
     Server event, records getting the list of physical record locks in use by a connection.
     (None)

253  GET_PHYS_REC_LOCKS_FILE
     Server event, records getting the list of physical locks associated with a file.
     (None)

254  GET_LOG_REC_BY_CONN
     Server event, records getting the list of logical record locks in use by a connection.
     (None)

255  GET_LOG_REC_INFO
     Server event, records getting information about logical record locks.
     (None)

256  GET_CONN_SEMS
     Server event, records getting the list of semaphores in use by a connection.
     (None)

257  GET_SEM_INFO
     Server event, records getting information about a semaphore.
     (None)

258  MAP_DIR_TO_PATH
     Server event, records mapping a directory number to a path name.
     BYTE; PathName[ ]; PATH pathname

259  CONVERT_PATH_TO_ENTRY
     Server event, records converting a path name to the entry number.
     BYTE; PathName[ ]; Length-preceded path name

260  DESTROY_SERVICE_CONN
     Server event, records termination of a connection.
     (None)

261  SET_Q_SERVER_STATUS
     Queue event, records setting a queue server status.
     BYTE; QueueName[ ]; Length-preceded queue name
     BYTE; ServerName[ ]; Length-preceded server name

262  CONSOLE_COMMAND
     Server event, records a command at the server console.
     BYTE; CommandLine[ ]; Command entered at console

263  REMOTE_ADD_NS
     Server event, records addition of a new name space from a remote workstation.
     BYTE; NameSpaceName[ ]; Length-preceded name of the name space that is remotely added

264  REMOTE_DISMOUNT
     Server event, records volume dismount from a remote workstation.
     BYTE; VolumeName[ ]; Length-preceded name of the volume that is remotely dismounted

265  REMOTE_EXE
     Server event, records execution of an .NCF batch file from a remote workstation.
     BYTE; PathName[ ]; Length-preceded pathname of the .NCF file that is remotely executed on the server

266  REMOTE_LOAD
     Server event, records loading of an NLM from a remote workstation.
     BYTE; PathName[ ]; Length-preceded pathname of the NLM that is remotely loaded

267  REMOTE_MOUNT
     Server event, records mounting of a volume from a remote workstation.
     BYTE; VolumeName[ ]; Length-preceded name of the volume that is remotely mounted

268  REMOTE_SET
     Server event, records modification of a server SET parameter from a remote workstation.
     BYTE; SetParmCommand[ ]; Length-preceded command line, including the new value, for the change to the server SET parameter

269  REMOTE_UNLOAD
     Server event, records unloading of an NLM from a remote workstation.
     BYTE; PathName[ ]; Length-preceded pathname of the NLM that is remotely unloaded

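Putting Table 20 and the LOGIN_USER row of Table 21 together, this added Python example (not Novell's code) parses a decoded record's audit_rec_hdr, unpacks the DOS date and time, and decodes the event 21 body with bounds checks. It assumes little-endian fields (an x86 server), a one-byte length prefix for "length-preceded" strings, and that NetworkAddress spans NetworkAddrLen bytes; none of these is stated on the page.

```python
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

A_EVENT_LOGIN_USER = 21
# audit_rec_hdr (Table 20): eventTypeID, chkWord, connectionID, processUniqueID,
# successFailureStatusCode, dosDate, dosTime: 20 bytes, little-endian (assumed)
HDR = struct.Struct("<HHLLLHH")


def dos_datetime(dos_date: int, dos_time: int) -> datetime:
    """Unpack a DOS packed date (7-bit year since 1980, month, day) and
    time (hours, minutes, 2-second units)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


@dataclass
class RecordHeader:
    event_type: int
    chk_word: int
    connection_id: int
    process_id: int
    status: int
    when: datetime

    @property
    def ok(self) -> bool:
        return self.status == 0          # 0 = successful, nonzero = failure


def parse_header(rec: bytes) -> Tuple[RecordHeader, bytes]:
    """Split one decoded record into its header and event-specific body."""
    if len(rec) < HDR.size:
        raise ValueError("record shorter than audit_rec_hdr")
    ev, chk, conn, pid, status, d, t = HDR.unpack_from(rec)
    return RecordHeader(ev, chk, conn, pid, status, dos_datetime(d, t)), rec[HDR.size:]


def read_lp_string(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a one-byte-length-preceded string (assumed layout), bounds-checked."""
    if off >= len(buf) or off + 1 + buf[off] > len(buf):
        raise ValueError("length-preceded string runs past end of record")
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("ascii"), off + 1 + n


def parse_login_user(body: bytes) -> dict:
    """Event 21 body: LONG UserID; BYTE NetworkAddrType; BYTE NetworkAddrLen;
    BYTE NetworkAddress (NetworkAddrLen bytes, assumed); BYTE Name[] length-preceded."""
    if len(body) < 6:
        raise ValueError("LOGIN_USER body too short")
    user_id, addr_type, addr_len = struct.unpack_from("<LBB", body, 0)
    off = 6
    if off + addr_len > len(body):
        raise ValueError("network address runs past end of record")
    addr = body[off:off + addr_len]
    name, _ = read_lp_string(body, off + addr_len)
    return {"user_id": user_id, "addr_type": addr_type,
            "address": addr.hex(), "name": name}


def parse_record(rec: bytes) -> Tuple[RecordHeader, Optional[dict]]:
    """Parse the header, then the body for the event types this example knows."""
    hdr, body = parse_header(rec)
    if hdr.event_type == A_EVENT_LOGIN_USER:
        return hdr, parse_login_user(body)
    return hdr, None                     # other bodies: layouts in Table 21


# Constructed sample: successful login by ADMIN on connection 3, client process
# 0x1234, at 1996-03-15 14:30:10, from IPX network 00000001, node 00001B2C3D4E.
SAMPLE_LOGIN = (
    HDR.pack(A_EVENT_LOGIN_USER, 0, 3, 0x1234, 0,
             ((1996 - 1980) << 9) | (3 << 5) | 15,      # dosDate
             (14 << 11) | (30 << 5) | (10 // 2))         # dosTime
    + struct.pack("<LBB", 0x01000005, 1, 10)
    + bytes.fromhex("00000001" + "00001b2c3d4e")
    + bytes([5]) + b"ADMIN"
)
```
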
Table 22 defines the volume audit file event names, numbers, and event specific data for the audit history events. Audit events marked with an asterisk (*) will not occur in the evaluated configuration, because passwords are not used for access control. The complete name of each event in Table 22 starts with "AUDITING_"; that prefix is omitted to save room.


Table 22. Volume Audit History Records

Event Number and Record Name
       Description and Comments
       Additional Event-Specific Data (Type; Declaration; Description)

58     ACTIVE_CONNECTION_RCD
       Records establishment of an active connection. This is the means used to associate a user's identity with subsequent operations on a connection. After an audit file is reset, active connections are written to the new audit file.
       LONG; UserID; User entry ID on server
       BYTE; NetworkAddrType; IPX=1
       BYTE; NetworkAddrLen; Length (IPX uses 10)
       BYTE; NetworkAddress; IPX network address
       BYTE; Name[ ]; Length-preceded username
       WORD-Length-Preceded

59 (*) ADD_AUDITOR_ACCESS
       Records an auditor gaining access to the audit trail by providing the password.
       LONG; UserID; User entry ID on server
       BYTE; NetworkAddrType; IPX=1
       BYTE; NetworkAddrLen; Length (IPX uses 10)
       BYTE; NetworkAddr; IPX network address
       BYTE; Name[ ]; Length-preceded username

60     ADD_AUDIT_PROPERTY
       Records setting the per-user audit flag.
       BYTE; Name[ ]; Length-preceded username that was marked

61 (*) CHANGE_AUDIT_PASSWORD
       Records a change to the level 1 password.
       (None)

62     DELETE_AUDIT_PROPERTY
       Records clearing the per-user audit flag.
       BYTE; Name[ ]; Length-preceded username that was cleared

63     DISABLE_VOLUME_AUDIT
       Records disabling of auditing on the current volume.
       (None)

64     OPEN_FILE_HANDLE_RCD
       Records file handle and name. After an audit file is reset, this event identifies file handles currently in use.
       LONG; FileHandle; Allocated file handle
       LONG; Unused; For future expansion
       LONG; NamespaceID; Name space, DOS=1
       BYTE; Name[ ]; PATH that was opened

65     ENABLE_VOLUME_AUDITING
       Records an auditor enabling volume auditing.
       (None)

66     REMOVE_AUDITOR_ACCESS
       Records an auditor relinquishing access to the audit trail.
       (None)

67     RESET_AUDIT_FILE
       Records an auditor rolling over to a new audit file. This is the last record in the old audit file.
       (None)

68     RESET_AUDIT_FILE2
       Records an auditor rolling over to a new audit file. This is the first record in the new audit file.
       (None)

70     WRITE_AUDIT_BIT_MAP
       Records a change to the audit file bitmap (that is, a change to the set of preselected volume audit events).
       (None)

71     WRITE_AUDIT_CONFIG_HDR
       Records a write of configuration data to the audit file header.
       (None)

72     NLM_ADD_RECORD1
       Records a history event generated by an NLM.
       LONG; RecordTypeID; As defined by NLM
       LONG; DataLen; Length of NLM-provided data
       BYTE; UserName[ ]; Length-preceded username provided by NLM
       BYTE; Data[ ]; NLM-provided data

73     ADD_NLM_ID_RECORD2
       Records the identity of an NLM that generates audit records.
       LONG; NLMid; Novell-defined NLM ID
       BYTE; NetworkAddrType; IPX=1
       BYTE; NetworkAddrLen; Length (IPX uses 10)
       BYTE; NetworkAddr; IPX network address

74 (*) CHANGE_AUDIT_PASSWORD2
       Generated when the level 2 password is changed.
       (None)

77 (*) INTRUDER_DETECT
       Generated when a user fails to log in to an audit file because an incorrect password was provided.
       LONG; UserID; User entry ID on server
       BYTE; NetworkAddrType; IPX=1
       BYTE; NetworkAddrLen; Length (IPX uses 10)
       BYTE; NetworkAddr; IPX network address
       BYTE; Name[ ]; Length-preceded username

80     VOLUME_NAME_RCD_2
       Generated at the beginning of each volume audit file.
       BYTE; Name[ ]; Length-preceded NDS distinguished name of volume
       BYTE; Null[ ]; Unused string

81     DELETE_OLD_AUDIT_FILE
       Records deletion of an old audit file.
       (None)

82     QUERY_AUDIT_STATUS
       Records gaining access to the audit file.
       (None)

Events 58 (AUDITING_ACTIVE_CONNECTION_RCD), 64 (AUDITING_OPEN_FILE_HANDLE_RCD), and 80 (AUDITING_VOLUME_NAME_RCD_2) are pseudo-events (that is, they do not represent actual events).

Pseudo-events are used so that each audit data file can be self-contained. For example, if a user logs in, event 21 (A_EVENT_LOGIN_USER) is generated (as shown in Table 21). If a subsequent audit reset occurs, pseudo-event 58 is generated for each logged-in user, so the new audit data file has a record of all logged-in users (thus making subsequent references in the audit file to connection numbers meaningful).

Similarly, if a user opens a file, event 27 (A_EVENT_OPEN_FILE) is generated (as shown in Table 21). If a subsequent audit reset occurs, pseudo-event 64 is generated for each file open by each user, so the new audit data file has a record of all open files (thus making subsequent references in the audit file to file handles meaningful).

Event 80 is always the first audit event in each audit file, recording the volume that caused generation of the audit file.


Textual Audit Format (AUDITCON)

There is a one-to-one correspondence between the binary audit record format and the textual representation of the event. Note, however, that the output of a textual audit event depends upon the context of the event, for example, the association of a file handle with a filename. Refer to View Audit File and View Old Audit File for examples of the AUDITCON report format.


