External Audit Format

As shown in Figure 126, external audit files consist of an audit file header and a sequence of audit records. Audit records can be either generated by the server (audit history records) or inserted by external entities (external audit records).

Figure 126. Structure of External Audit Record

The external audit record data (shaded) consists of an external audit record header generated by NetWare, followed by a sequence of bytes. The workstation can interpret this workstation-provided data in any way it chooses.

For example, a workstation product can treat this data as a workstation event header (listing, for example, the time the event occurred on the workstation and the workstation's audit record type) followed by additional data. See your vendor's workstation documentation for information on the workstation data in your external audit file.

WARNING:  The external audit record header contains information written by the server at the time the audit event record is written to the audit file, for example, the date and time the event was recorded. Depending upon the workstation's audit architecture, this information might or might not be meaningful.

For example, the workstation might queue audit records for a period of time before uploading the records to the server to be written to the audit file. If the information in the external audit record header is not sufficient for an auditor to audit the actions of an individual user, then the workstation NTCB partition must record additional data in the workstation data.


External Audit File Header

The external audit file header is the same as the container audit file header defined in the section Container Audit File Header.


External Audit Record Format

This section defines the binary format of each audit record in the external audit trail. Each audit record has a fixed header and, potentially, additional event-specific data.

Table 27 lists the subset of the event record types and formats described in Table 26 that are possible in an external audit trail. In addition, the table shows the events that can appear in an external audit trail but cannot appear in container audit trails.


Table 27. Event Types in an External Audit Trail

Event Number  Description
66            AUDITING_REMOVE_AUDITOR_ACCESS
67            AUDITING_RESET_AUDIT_FILE
71            AUDITING_WRITE_AUDIT_CONFIG_HDR
81            AUDITING_DELETE_OLD_AUDIT_FILE
82            AUDITING_QUERY_AUDIT_STATUS
91            AUDITING_DISABLE_CNT_AUDIT
92            AUDITING_ENABLE_CNT_AUDITING
98            AUDITING_CONTAINER_NAME_RCD2


Table 28. External Audit Event Types

Event Number: 97
Record Name: EXTERNAL_RECORD
Description and Comments: Audit record generated by an external source and inserted in the audit trail.
Additional Event-Specific Data (Type; Declaration; Description):
    LONG; VendorID; Novell assigned ID
    LONG; RecLen; Record length in bytes
    BYTE; Data[RecLen]; Externally supplied audit record

The external audit record header (audit_external_rec_hdr) is a fixed structure that contains data for each audit event in the external audit file. Table 29 shows the contents of the external audit record header.


Table 29. External Audit Record Header

Type    Element Name              Description
uint16  replicaNumber             Unused.
uint16  eventTypeID               Container audit event type from Table 27
uint16  recordNumber              Sequence number.
uint32  dosDateTime               DOS-format date and time of audit event.
uint32  userID                    NDS User object ID.
uint32  processUniqueID           Client process ID. This value can be used to trace client events (for example, file opens) to a specific process on that client.
uint32  successFailureStatusCode  Completion status: 0=successful, negative=failure.
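
The following Python sketch is an added example, not code from NetWare or from this documentation. It parses the Table 29 header and the EXTERNAL_RECORD (event 97) data from Table 28, checking RecLen against the bytes actually present. It assumes little-endian, unpadded fields and a dosDateTime with the DOS date in the high 16 bits; the function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime

# Assumptions (not stated on the page): fields are little-endian and packed
# with no padding; dosDateTime carries the DOS date in its high 16 bits and
# the DOS time in its low 16 bits.
HDR = struct.Struct("<HHHIIIi")  # Table 29; status read as signed (negative=failure)
EXT = struct.Struct("<II")       # Table 28: VendorID, RecLen
EXTERNAL_RECORD = 97

def dos_to_datetime(value):
    date, time = value >> 16, value & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_external_record(buf, offset=0):
    """Parse one record at offset; return (fields, offset after the record)."""
    if len(buf) - offset < HDR.size:
        raise ValueError("truncated record header")
    _replica, event, recno, dos_dt, user, proc, status = HDR.unpack_from(buf, offset)
    rec = {"eventTypeID": event, "recordNumber": recno,
           "serverTime": dos_to_datetime(dos_dt),  # written by the server
           "userID": user, "processUniqueID": proc, "failed": status < 0}
    offset += HDR.size
    # Other event types carry data defined in Table 26, which is not handled here;
    # for those the returned offset points just past the header.
    if event == EXTERNAL_RECORD:
        if len(buf) - offset < EXT.size:
            raise ValueError("truncated EXTERNAL_RECORD prefix")
        vendor, rec_len = EXT.unpack_from(buf, offset)
        offset += EXT.size
        # RecLen is read from the record itself: check it before slicing.
        if rec_len > len(buf) - offset:
            raise ValueError("RecLen exceeds remaining data")
        rec["VendorID"] = vendor
        rec["Data"] = bytes(buf[offset:offset + rec_len])
        offset += rec_len
    return rec, offset

# Constructed sample record (not real audit data): 1999-06-15 10:30:10, failed.
SAMPLE = (HDR.pack(0, EXTERNAL_RECORD, 1,
                   (19 << 25 | 6 << 21 | 15 << 16) | (10 << 11 | 30 << 5 | 5),
                   0x01000042, 7, -1)
          + EXT.pack(0x1234, 5) + b"hello")
```

The serverTime value is the time the server wrote the record, so a workstation that queues records needs its own event time inside Data, as the warning above describes.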


