Read a record from an audit file.
Syntax:
cobrtncode_t cobaudit_file_read(cobuns32_t flags,
cbl_os_pointer_t auditfile_handle,
AUDIT_RECORD *auditfile_record)
On Entry:
- Control flags
-
| Bit |
Value |
Meaning |
| 0-31 |
|
Reserved for future use (must be 0) |
- auditfile-handle
- Audit handle returned by the CBL_AUDIT_FILE_OPEN API.
- auditfile_record
- Audit event structure
-
| version |
Structure version (must be 0) |
| flags |
Control flags (must be 0) |
On Exit:
Auditfile_record
Audit event structure
- version
- Structure version
- flags
- Control flags
- process_id_len
- Length of process identifier (4 or 8)
- thread_id_len
- Length of thread identifier (4 or 8)
- p.process_id_32
- 4-byte process identifier
- p.process_id_64
- 8-byte process identifier
- t.thread_id_32
- 4-byte thread identifier
- t.thread_id_64
- 8-byte thread identfier
- event_id
- Component specific audit event identifier
- event_category
- Audit event category
-
| Value |
Category |
| 0 |
Unknown |
| 1 |
Audit Facility |
| 2 |
System |
| 3 |
Security API request check |
| 4 |
Security API request define |
| 5 |
Security API request other |
| 6 |
Security API result allow |
| 7 |
Security API result deny |
| 8 |
Security API result error |
| 9 |
Security API result success |
- data_count
- Number of audit data items. Indicates the number of items in the event_len, event_type and event_data arrays
- appname_len
- Length of application name
- cmdline_len
- Length of command line
- os_name_len
- Length of operating system name
- mc_name_len
- Length of computer/machine name
- sys_name_len
- Length of system name
- comp_name_len
- Length of component name
- time
- Encoded time of event
- hour
- Decoded hour
- minute
- Decoded minute
- second
- Decoded second
- millisecond
- Decoded millisecond
- date
- Encoded date of event
- year
- Decoded year
- month
- Decoded month
- day
- Decoded day
- appname
- Pointer to null-terminated name of application that generated audit event
- cmdline
- Pointer to null-terminated command-line of application that generated audit event
- os_name
- Pointer to null-terminated name of operating system that generated audit event
- mc_name
- Pointer to null-terminated name of computer that generated audit event
- sys_name
- Pointer to null-terminated name of system that generated audit event
- comp_name
- Pointer to null-terminated name of component that generated audit event
- event_len
- Pointer to array of 4-byte comp-5 items. Each array element indicates the length of the corresponding audit data item. Will be NULL if data-count is 0
- event_type
- Pointer to array of 4-byte comp-5 items. Each array element indicates the type of the corresponding audit data item in the event_data array. Will be NULL if data_count is 0.
Any value other than the ones specified above will be treated as type 0 (binary).
-
| Value |
Type |
| 0 |
Binary |
| 1 |
Text (local encoding) |
| 2 |
Address |
| 3 |
COMP-5 |
| 4 |
COMP-X |
| 5 |
UTF8 |
| 6 |
Signed COMP-5 |
| 7 |
Signed COMP-X |
- event_data
- Pointer to array of pointer items. Each array element addresses an audit data item of the type and length indicated by the corresponding element in the event_type and event_len arrays respectively. Will be NULL if data_count is 0.
Return Codes:
| AUDIT_RET_SUCCESS |
| AUDIT_RET_FAILURE |
| AUDIT_RET_INVALID_HANDLE |
| AUDIT_RET_NOT_ENOUGH_MEMORY |
| AUDIT_RET_FILE_INVALID_FORMAT |
| AUDIT_RET_FILE_EOF |
| AUDIT_RET_FILE_NO_MORE_RECORDS |
Comments:
cobaudit_event() is intended for use by C programs. It is used to return the next audit record from the file(s) associated with the current handle.
The function will return AUDIT_RET_FILE_EOF when attempting to read past the last record in a file for the first time. The next attempt to read past the last record will either return the first record of the next file in the collection if a collection has been opened and another file is available, or AUDIT_RET_FILE_NO_MORE_RECORDS.