Read a record from an audit file.
Note: Audit Manager is deprecated and provided for backward compatibility only. We recommend that you use syslog events instead. See
Enterprise Server Auditing for more information.
Syntax:
cobrtncode_t cobaudit_file_read(cobuns32_t flags,
cbl_os_pointer_t auditfile_handle,
AUDIT_RECORD *auditfile_record)
On Entry:
- Control flags
-
Bit
|
Value
|
Meaning
|
0-31
|
|
Reserved for future use (must be 0)
|
- auditfile-handle
- Audit handle returned by the CBL_AUDIT_FILE_OPEN API.
- auditfile_record
- Audit event structure
-
version
|
Structure version (must be 0)
|
flags
|
Control flags (must be 0)
|
On Exit:
Auditfile_record
Audit event structure
- version
- Structure version
- flags
- Control flags
- process_id_len
- Length of process identifier (4 or 8)
- thread_id_len
- Length of thread identifier (4 or 8)
- p.process_id_32
- 4-byte process identifier
- p.process_id_64
- 8-byte process identifier
- t.thread_id_32
- 4-byte thread identifier
- t.thread_id_64
- 8-byte thread identfier
- event_id
- Component specific audit event identifier
- event_category
- Audit event category
-
Value
|
Category
|
0
|
Unknown
|
1
|
Audit Facility
|
2
|
System
|
3
|
Security API request check
|
4
|
Security API request define
|
5
|
Security API request other
|
6
|
Security API result allow
|
7
|
Security API result deny
|
8
|
Security API result error
|
9
|
Security API result success
|
- data_count
- Number of audit data items. Indicates the number of items in the event_len, event_type and event_data arrays
- appname_len
- Length of application name
- cmdline_len
- Length of command line
- os_name_len
- Length of operating system name
- mc_name_len
- Length of computer/machine name
- sys_name_len
- Length of system name
- comp_name_len
- Length of component name
- time
- Encoded time of event
- hour
- Decoded hour
- minute
- Decoded minute
- second
- Decoded second
- millisecond
- Decoded millisecond
- date
- Encoded date of event
- year
- Decoded year
- month
- Decoded month
- day
- Decoded day
- appname
- Pointer to null-terminated name of application that generated audit event
- cmdline
- Pointer to null-terminated command-line of application that generated audit event
- os_name
- Pointer to null-terminated name of operating system that generated audit event
- mc_name
- Pointer to null-terminated name of computer that generated audit event
- sys_name
- Pointer to null-terminated name of system that generated audit event
- comp_name
- Pointer to null-terminated name of component that generated audit event
- event_len
- Pointer to array of 4-byte comp-5 items. Each array element indicates the length of the corresponding audit data item. Will be NULL if data-count is 0
- event_type
- Pointer to array of 4-byte comp-5 items. Each array element indicates the type of the corresponding audit data item in the event_data array. Will be NULL if data_count is 0.
Any value other than the ones specified above will be treated as type 0 (binary).
-
Value
|
Type
|
0
|
Binary
|
1
|
Text (local encoding)
|
2
|
Address
|
3
|
COMP-5
|
4
|
COMP-X
|
5
|
UTF8
|
6
|
Signed COMP-5
|
7
|
Signed COMP-X
|
- event_data
- Pointer to array of pointer items. Each array element addresses an audit data item of the type and length indicated by the corresponding element in the event_type and event_len arrays respectively. Will be NULL if data_count is 0.
Return Codes:
AUDIT_RET_SUCCESS
|
AUDIT_RET_FAILURE
|
AUDIT_RET_INVALID_HANDLE
|
AUDIT_RET_NOT_ENOUGH_MEMORY
|
AUDIT_RET_FILE_INVALID_FORMAT
|
AUDIT_RET_FILE_EOF
|
AUDIT_RET_FILE_NO_MORE_RECORDS
|
Comments:
cobaudit_event() is intended for use by C programs. It is used to return the next audit record from the file(s) associated with the current handle.
The function will return AUDIT_RET_FILE_EOF when attempting to read past the last record in a file for the first time. The next attempt to read past the last record will either return the first record of the next file in the collection if a collection has been opened and another file is available, or AUDIT_RET_FILE_NO_MORE_RECORDS.