This topic discusses the audit file configuration header and how it controls the auditing on the associated volume or container.
The audit file configuration header controls the auditing on the associated volume or container. Although configuration headers differ somewhat between volumes and containers, both contain the following key fields:
Additional fields contain information about the state of the audit file. The NWConfigHeader structure contains the volume configuration header data.
The configuration header for NetWare® 4.11 is twice the size of that for previous versions of NetWare. This allows for more events to be audited.
Use the following functions to read from or write to the configuration headers:
In the case of volumes, you can also read or write just the event bitmap in the header. For more information see Audit File Configuration Header Event Bitmap.
Read or write operations affect the entire configuration header. When modifying a header, be sure to assign values to all the header’s data items.
Auditing flags can be read separately from other data in the audit file configuration header. The flags control several important aspects of the auditing process and are stored as a set of bit flags in a single-byte value. There are five flags:
NWADGetFlags returns the auditing flags for an object.
The event bitmap in the configuration header is the key to configuring the audit file. Each bit in the event bitmap represents an event to be audited. In its initial state, none of the bits in the event bitmap is set. It’s up to the auditor to access the audit file’s configuration header and set the bits that correspond to events the auditor wants audited.
The event bitmap for containers is a 32-bit value with 32 corresponding events. The event bitmap for volumes is 512 bits (64 bytes).
Events that can be audited fall into several categories:
You must use container auditing to audit NDS events. All other events must be audited on a volume basis. For each category there are many events you can audit. Setting the bit for an event results in an event record being added to the audit file every time that event occurs.
For related information, see:
The event bitmap doesn’t single out specific users to be audited unless you are using NetWare® 4.11 and user restrictions are turned on using the Auditcon utility.
For previous versions of NetWare 4, once an event is set, every occurrence of the event is audited regardless of who performs it. For example, if you set the Delete Bindery Property Event bit, then an event record is generated every time a user deletes a property from an object. File events are an exception. You can configure file auditing to target specific files and users. For more information see Auditing File Events (NetWare 4.x and above).
If you are interested only in events involving specific items, you can filter the information you read from the audit file by searching specific fields in the event records. For example, you could search for all event records in which a particular user deleted properties from a particular object.
For NetWare 4 versions prior to 4.11, file events are the only category of events for which you can target specific files and users. To audit file events you must configure the files and the user objects in addition to setting the file event bit in the volume’s event bitmap. To target specific files you must set each file’s audit attribute. To target specific users you must add an audit property to each user’s bindery object. Both procedures are explained below.
To audit a particular user’s file operations, you must assign an audit property to the user’s object by calling NWADChangeObjectProperty. The property doesn’t take a value. If the property is present, the specified user will be audited. You must specify the volume or container on which the user is being audited.
For related information, see File Events for Auditing.
The volume event bitmap is a bit stream 512 bits long. Special functions are defined to simplify access to this bitmap.
Once you set the audit attribute for specific files or add the audit property to specific users, the next step is to set the event bitmap for file operations you want to audit. Some file events are represented by three different bits in the event bitmap: a global bit, a union bit, and an intersection bit. (See File Events.) Set the one appropriate for the events you are auditing.
Open File audit is an example of the choices presented by the three bits:
For related information, see User Audit Property.
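The following C sketch is an added example, not code from the NetWare SDK. It models the 64-byte volume event bitmap and shows how the global, union, and intersection bits would combine with a file's audit attribute and a user's audit property. The bit numbers, the LSB-first bit order, and the reading of "union" as file OR user and "intersection" as file AND user are assumptions taken from the bit names; the real bit numbers are in the File Events table.

```c
#include <stdint.h>
#include <string.h>

#define VOL_BITMAP_BYTES 64            /* 512 bits, as stated above */

/* Hypothetical bit numbers; the real ones come from the File Events table. */
enum { EX_OPEN_GLOBAL = 10, EX_OPEN_UNION = 11, EX_OPEN_INTERSECT = 12 };

typedef struct { uint8_t bits[VOL_BITMAP_BYTES]; } vol_event_bitmap;

/* Assumption: bit n is stored in byte n/8, least significant bit first. */
int bm_set(vol_event_bitmap *bm, unsigned n) {
    if (n >= VOL_BITMAP_BYTES * 8) return -1;   /* reject out-of-range bits */
    bm->bits[n / 8] |= (uint8_t)(1u << (n % 8));
    return 0;
}

int bm_test(const vol_event_bitmap *bm, unsigned n) {
    if (n >= VOL_BITMAP_BYTES * 8) return 0;
    return (bm->bits[n / 8] >> (n % 8)) & 1u;
}

/* Would one file open produce an event record?
   file_flagged: the file's audit attribute is set.
   user_flagged: the user's object carries the audit property. */
int open_is_audited(const vol_event_bitmap *bm, int file_flagged, int user_flagged) {
    if (bm_test(bm, EX_OPEN_GLOBAL)) return 1;                  /* every open */
    if (bm_test(bm, EX_OPEN_UNION) && (file_flagged || user_flagged)) return 1;
    if (bm_test(bm, EX_OPEN_INTERSECT) && (file_flagged && user_flagged)) return 1;
    return 0;
}

/* Start from an empty bitmap, enable one bit, and return a 4-bit mask of the
   (file, user) flag combinations that would be audited; mask bit = file*2 + user. */
unsigned audited_cases(unsigned bit) {
    vol_event_bitmap bm;
    unsigned mask = 0;
    memset(&bm, 0, sizeof bm);          /* initial state: no bits set */
    (void)bm_set(&bm, bit);
    for (int file = 0; file <= 1; file++)
        for (int user = 0; user <= 1; user++)
            if (open_is_audited(&bm, file, user))
                mask |= 1u << (file * 2 + user);
    return mask;
}

int main(void) { return audited_cases(EX_OPEN_UNION) == 0xE ? 0 : 1; }
```

Under these assumptions the global bit audits all four combinations, the union bit audits three, and the intersection bit audits only an audited user opening an audited file, which is the narrowest and least noisy setting.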
The volume event bitmap is a bit stream 512 bits long. Special functions are defined to simplify access to this bitmap:
This is a list of tables that define event bits.
The following table lists the bits defined in the message event bitmap.
The following table lists the bits defined in the accounting events bitmap.
The following table lists the bits defined in the File event bitmap.
The following table lists the bits defined in the QMS event bitmap.
The following table lists the bits defined in the server event bitmap.
The following table lists the bits defined in the user event bitmap.
The following table lists the bits defined in the NDS event bitmap.
NDS has added many more events to support auditing and other functions. For information about these events, see NDS Event Services.
For related information, see Event Bits Tables.