

cobaudit_file_read

Read a record from an audit file.

Syntax:

cobrtncode_t cobaudit_file_read(cobuns32_t       flags,
                                cbl_os_pointer_t auditfile_handle,
                                AUDIT_RECORD     *auditfile_record)

On Entry:

flags
Control flags
Bits 0-31: Reserved for future use (must be 0)
auditfile_handle
Audit handle returned by the CBL_AUDIT_FILE_OPEN API.
auditfile_record
Audit event structure
version: Structure version (must be 0)
flags: Control flags (must be 0)

On Exit:

auditfile_record
Audit event structure

version
Structure version
flags
Control flags
process_id_len
Length of process identifier (4 or 8)
thread_id_len
Length of thread identifier (4 or 8)
p.process_id_32
4-byte process identifier
p.process_id_64
8-byte process identifier
t.thread_id_32
4-byte thread identifier
t.thread_id_64
8-byte thread identifier
event_id
Component specific audit event identifier
event_category
Audit event category
Value Category
0 Unknown
1 Audit Facility
2 System
3 Security API request check
4 Security API request define
5 Security API request other
6 Security API result allow
7 Security API result deny
8 Security API result error
9 Security API result success
data_count
Number of audit data items. Indicates the number of items in the event_len, event_type and event_data arrays.
appname_len
Length of application name
cmdline_len
Length of command line
os_name_len
Length of operating system name
mc_name_len
Length of computer/machine name
sys_name_len
Length of system name
comp_name_len
Length of component name
time
Encoded time of event
hour
Decoded hour
minute
Decoded minute
second
Decoded second
millisecond
Decoded millisecond
date
Encoded date of event
year
Decoded year
month
Decoded month
day
Decoded day
appname
Pointer to null-terminated name of application that generated audit event
cmdline
Pointer to null-terminated command-line of application that generated audit event
os_name
Pointer to null-terminated name of operating system that generated audit event
mc_name
Pointer to null-terminated name of computer that generated audit event
sys_name
Pointer to null-terminated name of system that generated audit event
comp_name
Pointer to null-terminated name of component that generated audit event
event_len
Pointer to array of 4-byte COMP-5 items. Each array element indicates the length of the corresponding audit data item. Will be NULL if data_count is 0.
event_type
Pointer to array of 4-byte COMP-5 items. Each array element indicates the type of the corresponding audit data item in the event_data array. Will be NULL if data_count is 0.

Value Type
0 Binary
1 Text (local encoding)
2 Address
3 COMP-5
4 COMP-X
5 UTF8
6 Signed COMP-5
7 Signed COMP-X

Any value other than the ones specified above will be treated as type 0 (binary).

event_data
Pointer to array of pointer items. Each array element addresses an audit data item of the type and length indicated by the corresponding element in the event_type and event_len arrays respectively. Will be NULL if data_count is 0.

Return Codes:

AUDIT_RET_SUCCESS
AUDIT_RET_FAILURE
AUDIT_RET_INVALID_HANDLE
AUDIT_RET_NOT_ENOUGH_MEMORY
AUDIT_RET_FILE_INVALID_FORMAT
AUDIT_RET_FILE_EOF
AUDIT_RET_FILE_NO_MORE_RECORDS

Comments:

cobaudit_file_read() is intended for use by C programs. It returns the next audit record from the file (or collection of files) associated with the current handle.

The function will return AUDIT_RET_FILE_EOF when attempting to read past the last record in a file for the first time. The next attempt to read past the last record will either return the first record of the next file in the collection if a collection has been opened and another file is available, or AUDIT_RET_FILE_NO_MORE_RECORDS.
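The read loop implied by the two end-of-data return codes above, together with a type-aware rendering of the event_data items, as an added C example that is not part of this documentation. The AUDIT_RECORD layout, the typedefs, the numeric return-code values and the sample data are assumptions; a real program includes the vendor header and passes cobaudit_file_read itself as the reader callback instead of the constructed fake_read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef int32_t cobrtncode_t; typedef uint32_t cobuns32_t; typedef void *cbl_os_pointer_t; /* assumed */
typedef struct {   /* assumed subset of AUDIT_RECORD: names follow this page, the C types are guesses */
    uint32_t version, flags, event_id, event_category, data_count;
    uint32_t *event_len, *event_type;  /* per-item length and type (0 binary, 1 text, 3 COMP-5, ...) */
    void **event_data;                 /* per-item data pointers; NULL when data_count is 0 */
} AUDIT_RECORD;
enum { AUDIT_RET_SUCCESS = 0, AUDIT_RET_FILE_EOF = 10, AUDIT_RET_FILE_NO_MORE_RECORDS = 11 }; /* placeholder values */
typedef cobrtncode_t (*audit_reader_fn)(cobuns32_t, cbl_os_pointer_t, AUDIT_RECORD *);
/* Render items as "v;v;": text is copied by event_len (no terminator to trust), 4-byte COMP-5 is
 * decoded, anything else is hex-dumped as type 0 (binary). Returns -1 if out is too small. */
int format_items(const AUDIT_RECORD *r, char *out, size_t outsz) {
    size_t n = 0; out[0] = '\0';
    for (uint32_t i = 0; r->event_data != NULL && i < r->data_count; i++) {
        const unsigned char *d = r->event_data[i]; char item[128]; size_t k = 0;
        uint32_t len = r->event_len[i], ty = r->event_type[i], v;
        if (ty == 1 || ty == 5) snprintf(item, sizeof item, "%.*s;", (int)(len < 120 ? len : 120), (const char *)d);
        else if (ty == 3 && len == 4) { memcpy(&v, d, 4); snprintf(item, sizeof item, "%u;", (unsigned)v); }
        else { for (uint32_t j = 0; j < len && k + 3 < sizeof item; j++) k += snprintf(item + k, 3, "%02x", d[j]);
               snprintf(item + k, sizeof item - k, ";"); }
        if (n + strlen(item) + 1 > outsz) return -1;   /* refuse to truncate an audit item silently */
        memcpy(out + n, item, strlen(item) + 1); n += strlen(item);
    }
    return (int)n;
}
/* Drain a handle: EOF ends one file of a collection (keep reading); NO_MORE_RECORDS ends it; else -1. */
int read_all(audit_reader_fn rd, cbl_os_pointer_t h, void (*on_rec)(const AUDIT_RECORD *)) {
    int count = 0, eof_run = 0;
    for (;;) {
        AUDIT_RECORD rec; memset(&rec, 0, sizeof rec);   /* version and flags must be 0 on entry */
        cobrtncode_t rc = rd(0, h, &rec);                 /* flags bits 0-31 are reserved: pass 0 */
        if (rc == AUDIT_RET_SUCCESS) { count++; eof_run = 0; if (on_rec) on_rec(&rec); }
        else if (rc == AUDIT_RET_FILE_NO_MORE_RECORDS) return count;
        else if (rc != AUDIT_RET_FILE_EOF || ++eof_run > 1) return -1;  /* EOF twice in a row: reader is stuck */
    }
}
/* Constructed sample record: category 6 (Security API result allow), items "alice" (text) and 7 (COMP-5). */
AUDIT_RECORD sample_record(void) {
    static char user[] = "alice"; static uint32_t cnt = 7, len[2] = {5, 4}, type[2] = {1, 3};
    static void *data[2] = {user, &cnt};
    AUDIT_RECORD r = {0, 0, 0, 6, 2, len, type, data}; return r;
}
/* Constructed stand-in for cobaudit_file_read: a two-file collection holding three records. */
cobrtncode_t fake_read(cobuns32_t flags, cbl_os_pointer_t h, AUDIT_RECORD *out) {
    static const cobrtncode_t seq[] = {AUDIT_RET_SUCCESS, AUDIT_RET_SUCCESS, AUDIT_RET_FILE_EOF,
                                       AUDIT_RET_SUCCESS, AUDIT_RET_FILE_EOF, AUDIT_RET_FILE_NO_MORE_RECORDS};
    static size_t pos = 0; (void)flags; (void)h;
    cobrtncode_t rc = seq[pos < 5 ? pos++ : 5];
    if (rc == AUDIT_RET_SUCCESS) *out = sample_record(); return rc;
}
```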
