Container Audit Format

Container audit files are treated as an extension of the container itself. Consequently, container audit files are replicated to the same servers on which the container itself is replicated. These replicas are maintained in an inaccessible directory in volume SYS: of the servers where the container is replicated.

The inaccessible directory is a protected directory that network clients cannot directly read by issuing file and directory NCP messages. The names of the audit files are derived by the server from the name of the Audit File object when each file is created; however, these filenames are not meaningful outside the server's auditing software.

Each container audit file consists of a header (such as creation time) and a sequence of audit event records. Audit records are usually, but not necessarily, sequenced in order of increasing time.

Because of the way DS.NLM synchronizes NDS^TM audit data, events might be recorded in an arbitrary order. The ordering of events in one replica of an audit file might not be the same as the ordering of events in a different replica. However, while replicated audit files are not necessarily identical, an audited event will nearly always show up as an audit record for each replica.

Container audit files are not necessarily a fixed size. The server writes an audit record, then checks to see whether the audit file has exceeded the desired size. If so, the server executes a background thread to perform the file rollover; however, during this time, the server might add even more events before the file is rolled over. Because of the synchronization of audited events to replicas on different servers, individual replicas of audit files are not necessarily the same size.

Records are stored in the audit file in a "null-compressed" format (0xE0 = 1 null byte, 0xE1 = 2 null bytes, ..., 0xEE = 15 null bytes, 0xEF = next byte actual). After encoding all natural nulls in the audit record, the server then uses a null character (0x00) as a record separator.

The following sections describe the internal format of audit files within the server ("internal format") and the AUDITCON display format for each audit trail.

Container Audit File Header

Each container audit file contains an audit file header that defines the audit status and configuration data for the audit file. Table 23 defines the format of the container audit file header. The data types "uint8", "uint16", and "uint32" refer to 8-, 16-, and 32-bit integers, respectively.

Table 23. Container Audit File Header

Type	Identifier	Description
uint16	fileVersionDate	Current version of the audit file
uint8	auditFlags	Bitmap, including concurrent auditor access, dual-level passwords, broadcast warnings, and others.
uint8	errMsgDelayMinutes	Number of minutes to delay between error messages.
uint32	containerID	NDS directory ID for container.
uint32	overflowFileSize	Size of overflow file.
uint32	creationTS[2]	Timestamp for creation of the container.
uint32	bitMap	Unused; see newBitMap.
uint32	auditFileMaxSize	Nominal audit file maximum size.
uint32	auditFileSizeThreshold	Nominal audit file size threshold.
uint32	auditRecordCount	Number of user audit records in file.
uint16	replicaNumber	NDS replica number.
uint8	enabledFlag	Indicates whether auditing is enabled for the container.
uint8	fileArchiveDays	Days between audit archive.
uint8	fileArchiveHour	Hour of day to archive.
uint8	numOldAuditFilesToKeep	Number of old audit files to keep (1-15).
uint16	numberReplicaEntries	Number of replicas in the ring for this container.
uint32	aFileCreationDateTime	Time & date this audit file was created.
uint8	randomData[8]	Unused.
uint32	partitionID	Directory partition number.
uint32	hdrChecksum	Checksum of header.
uint32	spareLongs[4]	Unused.
uint32	auditDisabledCounter	Number of times the container audit trail has been disabled.
uint32	auditEnabledCounter	Number of times the container audit trail has been enabled.
uint8	encryptPassword[16]	Encrypted level 1 password hash value (not used in evaluated configuration).
uint8	encryptPassword2[16]	Encrypted level 2 password hash value (not used in evaluated configuration)
uint32	hdrModifiedCounter	Number of times the header has been modified.
uint32	fileResetCounter	Number of times the container audit trail has been reset (archived).
uint8	newBitMap[64]	Bitmap of audit events being recorded.
uint8	spareBytes[64]	Unused.
uint8	auditObjectDN[514]	Distinguished (complete) name of Audit File object associated with the volume.
uint8	spareBytes2[122]	Unused.
uint32	wrappedDataKeyLength	Unused.
uint32	wrappedDataKey[1152]	Unused.

For more information, refer to the corresponding status information in Displaying Container Audit Status and container configuration information in Audit Options Configuration

Container Audit Record Format

This section defines the binary format of each audit record in the container audit trail. Each container audit record has a fixed header and, potentially, additional event-specific data.

The container audit record header (audit_container_rcd_hdr) is a fixed structure that contains data for each audit event in the container audit file. Table 24 shows the contents of the container audit record header.

Table 24. Container Audit Record Header

Type	Identifier	Description
uint16	replicaNumber	NDS replica that generated the record.
uint16	eventTypeID	Container audit event type from Table 25 or Table 26 .
uint32	recordNumber	Sequence number as generated by originating server within the current audit file.
uint32	dosDateTime	DOS-format date and time of audit event.
uint32	userID	NDS User object ID.
uint32	processUniqueID	Client process ID. This value can be used to trace client events (for example, file opens) to a specific process on that client. For the A_EVENT_RENAME_ENTRY and A_EVENT_MOVE_ENTRY records, the processUniqueID header field is used to identify the new object ID of the renamed or moved object. Thus, for these two events, the processUniqueID field cannot be used to trace the event to a specific process on the client.
uint32	successFailureStatusCode	Completion status: 0=successful, negative=failure.

Table 25 defines each container event type (event number and record name), describes the event, and lists the format of any additional event-specific data in the audit record. The following defines the data types used in the third column of the table:

LONG: A four-byte integer value.

INT: A two-byte integer value.

BYTE: A one-byte integer value.

unicode: A null-terminated Unicode* (text) string.

The complete name of each event in Table 25 starts with "ADS_"; that prefix is omitted to save room.

Table 25. Container Audit Records

Event Number	Record Name Description and Comments	Additional Event-Specific Data (Type; Declaration; Description)
101	ADD_ENTRY Audits the creation of a new object entry in NDS and any associated attributes (properties)of that object. If multiple attributes are created by this action, NDS writes an audit record for each attribute.	BYTE; EntryName []; RDN of new object entry BYTE; AttrName []; Name of attribute that is defined by creation of object (optional)
102	REMOVE_ENTRY Audit removal of an NDS object entry.	BYTE; EntryName []; RDN of removed object entry
103	RENAME_OBJECT Audit renaming of an NDS object.	(Note: DS sets the processUniqueID in the audit record header to object ID of the renamed object.) BYTE; EntryName []; new RDN for object BYTE; oldEntryName []; old RDN of object
104	MOVE_ENTRY Audit move of a leaf object to a new location in the tree.	(Note: NDS sets the processUniqueID in the audit record header to object ID of the moved object.) BYTE; ObjectName1[]; Original RDN for object BYTE; ObjectName2 []; New RDN for object
105	CHANGE_SECURITY_EQUIV Audit one or more changes to an object's Security Equals attribute.	BYTE; EntryName []; RDN of specified object entry BYTE; ObjectName []; RDN of object to which object EntryName is security equivalent (Note: The audit record will contain an additional ObjectName for each additional equivalence).
106	CHG_SECURITY_ALSO_EQUAL Audit one or more changes to an object's Security Also Equals attribute.	BYTE; EntryName; RDN of specified object entry BYTE; ObjectName; RDN of object to which EntryName can assume equivalent rights (Note: The audit record will contain an additional ObjectName for each additional equivalence).
107	CHANGE_ACL Audit one or more changes to an object's Access Control List. Each ACL item specifies an attribute of the current object, another object who has rights to that attribute, and the rights granted to the other object.	unicode; EntryName; RDN of specified object entry LONG; Privileges; Rights associated with access change unicode; ObjectName; RDN of object that is assigned rights to an attribute of the current object unicode; AttrName; Name of attribute (Note: The audit record will contain additional repetitions of Privileges, ObjectName, and AttrName for each additional ACL element.)
108	CHG_STATION_RESTRICTION Audit a change to Network Address Restriction property.	unicode; EntryName; RDN of user or printer object entry LONG; Nbytes; Number data bytes (10) BYTE; address[10]; IPX address restriction
109	LOGIN Audit a user's login to NDS.	LONG; UserID; User entry ID on server BYTE; NetworkAddrType; IPX=1 BYTE; NetworkAddrLen; Length; IPX uses 10 BYTE; NetworkAddress[ ]; IPX network address BYTE; UserName[ ]; RDN of logged-in user.
110	LOGOUT Audit a user logout from NDS.	BYTE; EntryName; RDN of logged out user
111	CHANGE_PASSWORD Audit a password change for the object. Note that the user password itself is not recorded.	BYTE; EntryName; RDN of User object who changed password
112	USER_LOCKED Audit setting of the Locked by Intruder attribute of an NDS User object.	BYTE; EntryName; RDN of locked user
113	USER_UNLOCKED Audit clearing the Locked by Intruder attribute of an NDS User object.	BYTE; EntryName; RDN of unlocked user
114	USER_DISABLE Audit clearing of the Login Disabled attribute of an NDS User object.	BYTE; EntryName; RDN of user that was disabled
115	USER_ENABLE Audit setting of the Login Disabled attribute of an NDS User object.	BYTE; EntryName; RDN of user being enabled
116	CHANGE_INTRUDER_DETECT Audit a change to Login Intruder Limit setting for a container object (the container being audited).	LONG; Nbytes; Size of attribute Data[ ] array BYTE; Data[Nbytes]; New data for attribute LONG LenPred BYTE; AttrName; Name of intruder detection attribute WORD LenPred (Note: The audit record will contain additional iterations of Nbytes, Data and AttrName for each additional intruder detection attribute.)
119	ADD_REPLICA Audits addition of a replica of an existing Directory partition to a server.	BYTE; partName; common name of partition of the partition root BYTE; serverName; FDN of server object LONG; replicaType; whether it's a Master, Read-Write, or Read-Only replica
120	REMOVE_REPLICA Audits removal of a replica from the replica set of an Directory partition	BYTE; partName; RDN of the partition root BYTE; serverName; RDN of server object
121	SPLIT_PARTITION Records splitting an Directory partition into two partitions at a specified object.	BYTE; OldRootName; RDN of original partition root entry BYTE; NewRootName; RDN of new partition root entry
122	JOIN_PARTITIONS Audit joining of a subordinate partition to its parent. (This event occurs twice in succession; first for the subordinate partition and then for the joined partition.)	BYTE; EntryName; RDN of joined partition root.
123	CHANGE_REPLICA_TYPE Audit change to replica type of a given replica on a given server	LONG; oldType; previous replica type (Read Only, Secondary, Master) LONG; newType; new replica type BYTE; entryname; RDN of partition root BYTE; server name; RDN of server that holds the partition
124	REPAIR_TIME_STAMPS Audit setting object and object property timestamps for a replica to the local server time.	BYTE; EntryName; RDN of partition root of the replica that was synchronized
126	ABORT_PARTITION_OP Audit termination of a repartitioning operation.	BYTE; EntryName; RDN of partition root
127	SEND_REPLICA_UPDATES Audit transmission of an update to another Directory partition.	BYTE; EntryName; RDN of replica root that sent updates
128	RECEIVE_REPLICA_UPDATES Audit receipt of an update from another Directory partition.	BYTE; EntryName; RDN of replica root that received updates
129	ADD_MEMBER Records creating an object using Bindery emulation.	BYTE; ObjectName; RDN of object entry BYTE; MemberName []; ID of member having rights to property BYTE; PropertyName; Name of bindery property
130	BACKUP_ENTRY Records backing up an NDS object, including its attributes.	BYTE; EntryName; RDN of NDS object
131	CHANGE_BIND_OBJ_SECURITY Records a change to a Bindery object's access rights through Bindery emulation.	BYTE; ObjectName; Name of Bindery object LONG; ObjectSecurity; Bindery access level Read (0-4), Write (0-4)
132	CHANGE_PROP_SECURITY Records a change to a Bindery property's access rights through Bindery emulation.	BYTE; PropertyName; Bindery property name LONG; PropertySecurity; Bindery access level Read (0-4), Write (0-4) WORD LenPred; TargetObjectName[]; Name of the bindery object for which the change occurred
133	CHANGE_TREE_NAME Records renaming an NDS tree. The audit record is logged in the audit file of the Root container for the Directory tree.	BYTE; NewTreeName; Name of the Directory tree
134	CHECK_CONSOLE_OPERATOR Records a client's request to check it's console rights. The audit record is associated with the user identified in the audit record header.	BYTE; ServerName; RDN of server object BYTE; UserName; Name of user being checked for console rights LONG; isOperator; Flag identifying console rights: zero (not console operator), non-zero (is a console operator)
135	COMPARE_ATTR_VALUE Records a comparison of a client-supplied value to the value of a property in NDS.	BYTE; EntryName; Name of object entry for which attribute is being compared BYTE; AttrName; Name of specified attribute
136	CREATE_PROPERTY Records creating a property of a Bindery object through bindery emulation.	BYTE; ObjectName; Name of Bindery object BYTE; PropertyName; Name of Bindery property LONG; PropertySecurity; Bindery access level Read (0-4), Write (0-4)
137	CREATE_SUBORDINATE_REF Records adding a subordinate reference to the parent partition.	BYTE; EntryName; RDN of parent partition root entry
138	DEFINE_ATTR_DEF Records defining a new attribute in the NDS schema.	BYTE; AttrName; Name of new attribute
139	DEFINE_CLASS_DEF Records defining a new object class in the NDS schema.	BYTE; ClassName; Name of new object class
140	DELETE_MEMBER Records deleting an object through bindery emulation.	BYTE; ObjectName; RDN of object entry BYTE; MemberName []; Name of object deleted BYTE; PropertyName; Name of bindery property
141	DELETE_PROPERTY Records deleting a property of a Bindery object through bindery emulation.	BYTE; ObjectName; Name of Bindery object BYTE; PropertyName; Name of bindery property
142	DS_NCP_RELOAD Records restarting NDS.	(None)
143	RESET_DS_COUNTERS Records resetting the NDS counters.	BYTE; ServerName; RDN of specified server object
144	FRAG_REQUEST Records a fragmented request to a server.	(None)
145	INSPECT_ENTRY Records querying an NDS object for partition status and other information.	BYTE; EntryName; RDN of queried object
146	LIST_CONTAINABLE_CLASSES Records retrieving the set of object classes that can be subordinate to an object.	BYTE; EntryName; RDN of specified object
147	LIST_PARTITIONS Records listing the Directory partitions on a server.	BYTE; PartitionRootName; RDN of partition root entry
148	LIST_SUBORDINATES Records retrieving the subordinate objects to an object.	BYTE; EntryName; RDN of specified object
149	MERGE_TREE Records merging two Directory trees.	(None)
150	MODIFY_CLASS_DEF Records modification of an NDS class definition in the schema.	BYTE; ClassName; Name of modified class definition
151	MOVE_TREE Records moving a portion of the Directory tree.	BYTE; SrcParentName; RDN of source container name of the root of the subtree. BYTE; DestParentName; RDN of destination container name of the root of the subtree.
152	OPEN_STREAM Records opening a stream property of an NDS object.	BYTE; EntryName; RDN of NDS object BYTE; AttrName; Name of NDS attribute BYTE; DesiredRights; Object property rights for stream file
153	READ Records reading one or more properties of an NDS object.	BYTE; EntryName; RDN of object entry BYTE; AttrName; Name of attribute to be read
154	READ_REFERENCES Records retrieving the list of references for an object.	BYTE; EntryName; RDN of requested object
155	REMOVE_ATTR_DEF Records removing an attribute definition from the NDS schema.	BYTE; AttrName; Name of removed attribute definition
156	REMOVE_CLASS_DEF Records removing a class definition from the NDS schema.	BYTE; ClassName; Name of removed class definition
157	REMOVE_ENTRY_DIR Records removing the queue directory from an NDS object.	BYTE; EntryName; RDN of NDS object for which queue directory was removed
158	RESTORE_ENTRY Records restoring an NDS entry and its attributes from a backup.	BYTE; EntryName; RDN of restored entry
159	START_JOIN Records the beginning of a tree join operation.	BYTE; ParentRootEntryName; RDN of root object (container) that is parent of joined tree BYTE; ChildRootEntryName; RDN of root object that is joined as a child
160	START_UPDATE_REPLICA Records starting to update a replica from another server.	BYTE; ReplicaName; RDN of root object for replica
161	START_UPDATE_SCHEMA Records starting to update the schema from another server.	BYTE; ClientServerName; RDN of server object
162	SYNC_PARTITION Records a request by a server to synchronize a partition with another server.	BYTE; PartitionDistName; RDN of root object of partition
163	SYNC_SCHEMA Records a request by a server to synchronize its schema with another server.	(None)
164	UPDATE_REPLICA Records making updates to a replica as a result of a skulk from another server.	BYTE; ReplicaName; RDN of root object of replica that is updated
165	UPDATE_SCHEMA Records making updates to the schema as a result of a skulk from another server.	BYTE; ClientServerName; RDN of server object
166	VERIFY_PASSWORD Records an attempt to verify a user's password.	BYTE; EntryName; RDN of specified User object entry
167	ABORT_JOIN Records a failed attempt to join Directory partitions.	BYTE; ParentRootEntryName; RDN of root object (container) that was to be parent of joined tree BYTE; ChildRootEntryName; RDN of root object that was to be joined as a child
168	RESEND_ENTRY Records an attempt to resend an NDS update.	BYTE; EntryName; RDN of object to be replicated
169	MUTATE_ENTRY Records a change to an NDS object's class.unicode; EntryName; RDN of object to be changed	BYTE; NewClassName; Name of object's new class BYTE; FieldName []
170	MERGE_ENTRIES Records a merger of two NDS containers.	BYTE; WinnerEntry; RDN that continues to exist in merged container BYTE; LoserEntry; RDN that loses its identity after being merged.
171	END_UPDATE_REPLICA Records completion of replica update	BYTE; EntryName; RDN of root object of replica
172	END_UPDATE_SCHEMA Records completion of schema update.	BYTE; EntryName; RDN of server object.
173	CREATE_BACKLINK Records creation of a back pointer to an NDS object on another server.	BYTE; EntryName; RDN of NDS object entry.
174	MODIFY_ENTRY Records modification of an NDS object entry and (potentially) an attribute of that object. If multiple attributes are modified by this action, NDS writes an audit record for each attribute.	BYTE; EntryName; RDN of object BYTE; AttrName; Name of attribute that is modified (optional)
176	NEW_SCHEMA_EPOCH Records changes to the schema epoch.	(None)
177	CLOSE_BinderyRecords that bindery was closed	(None)
178	OPEN_BINDERYRecords that bindery was opened	(None)

The container audit history events are defined in Table 26 . Audit events marked with a (*) in that table will not occur in the NetWare^® Enhanced Security configuration, because passwords are not used for access control. The complete name of each event in Table 26 starts with "AUDITING_"; that prefix is omitted to save room.

Table 26. Container Audit History Records

Event Number	Record Name Description and Comments	Additional Event-Specific Data (Type; Declaration; Description)
58	ACTIVE_CONNECTION_RCD Records establishment of an active connection. This is the means used to associate a user's identity with subsequent operations on a connection. After an audit file is reset, active connections are written to new audit file.	LONG; UserID; User entry ID on server BYTE; NetworkAddrType; IPX=1 BYTE; NetworkAddrLen; Length (IPX uses 10) BYTE; NetworkAddress; IPX network address BYTE; Name[ ]; Length-preceded username
59 (*)	ADD_AUDITOR_ACCESS Records an auditor gaining access to audit trail by providing the password.	LONG; UserID; User entry ID on server BYTE; NetworkAddrType IPX=1 BYTE; NetworkAddrLen; Length (IPX uses 10) BYTE; NetworkAddr; IPX network address BYTE; Name[ ]; Length-preceded username
61 (*)	CHANGE_AUDIT_PASSWORD Records a change to level 1 password.	(None)
66	REMOVE_AUDITOR_ACCESS Records an auditor relinquishing access to the audit trail.	(None)
67	RESET_AUDIT_FILE Records an auditor resetting (rolling over) to a new audit file. Appears as both the last record of the old audit file and the first record of the new audit file.	(None)
71	WRITE_AUDIT_CONFIG_HDR Records write of configuration data to audit file header.	(None)
74 (*)	CHANGE_AUDIT_PASSWORD2 Generated when level 2 password is changed.	(None)
77 (*)	INTRUDER_DETECT Generated when a user fails log in to an audit file because the incorrect password was provided.	LONG; UserID; User entry ID on server BYTE; NetworkAddrType; IPX=1 BYTE; NetworkAddrLen; Length (IPX uses 10) BYTE; NetworkAddr; IPX network address BYTE; Name[ ]; Length-preceded username
81	DELETE_OLD_AUDIT_FILE Records deletion of an old audit file.	(None)
82	QUERY_AUDIT_STATUS Records gaining access to the audit file.	(None)
91	DISABLE_CNT_AUDIT Generated when auditing is disabled for a container.	(None)
92	ENABLE_CNT_AUDITING Generated when auditing is enabled for a container.	(None)
93	NULL_RECORD Dummy record to replace CLOSE_CNT_AUDITING in skulked copies of the audit trail.	(None)
94	CLOSE_CNT_AUDITING Records that audit recording was stopped as a result of DS halting or audit disabling. The last five event-specific data items are repeated for each server in the replica ring. One or more CLOSE_CNT_AUDITING records are generated when a container audit trail is closed. The event specific data includes the FirstReplicaEntryIndex, the LastReplicaEntryIndex, and from 1 to 32 instances of a structure containing RecordNumber, FileOffset, ReplicaNumber, SkulkNeeded, and SkulkSkipCount. The first CLOSE_CNT_AUDITING record has information about the first 32 replicas (thus FirstReplicaEntryIndex is 0 and LastReplicaEntryIndex is 31; the second CLOSE_CNT_AUDITING record will have information about the next 32 replicas (thus FirstReplicaEntryIndex will be 32 and LastReplicaEntryIndex will be 62), etc.	LONG; FirstReplicaEntryIndex; Index in replica table of first replica of container LONG; LastReplicaEntryIndex; Index in replica table of last replica of container LONG; RecordNumber; Number of last record in audit file LONG; FileOffset; Offset of end of audit file INT ReplicaNumber; Number (as opposed to index) of first replica of container. BYTE; SkulkNeeded; Skulk control flag BYTE; SkulkSkipCount; indicates whether audit skulking for the replica succeeded or failed
95	CHANGE_USER_AUDITED Records setting or clearing the per-user audit flag used for volume auditing.	LONG; Audit Flag; New setting of the per-user audit flag WORD Len Pred; Name[]; Length-preceded user name that was changed
98	CONTAINER_NAME_RCD2 Generated at beginning of container audit file. Includes the class name (for example, Organizational Unit") and container name.	BYTE; SchemaClassName; Class name of container object as defined in schema BYTE; ContainerDN; DN of container being audited

Events 58 (AUDITING_ACTIVE_CONNECTION_RCD) and 98 (AUDITING_CONTAINER_NAME_RCD2) are pseudo-events (that is, they do not represent actual events).

Pseudo-events are used so that each audit data file can be self-contained. If a user logs in, event 109 (ADS_LOGIN) is generated (as shown in Table 25 ). If a subsequent audit reset occurs, the pseudo-event 58 would be generated for each logged in user, so the new audit data file would have a record of all logged in users (thus making subsequent references in the audit file to connection numbers meaningful).

Event 98 is always the first audit event in each container audit file, recording the container which caused generation of the audit file.

Textual Audit Format (AUDITCON)

There is a one-to-one correspondence between the binary audit record format and the textual representation of the event. Refer to View Audit File and View Audit History for examples of the AUDITCON report format.