Read a record from an audit file.
Note: Audit Manager is deprecated and provided for backward compatibility only. We recommend that you use syslog events instead.
See Enterprise Server Auditing for more information.
cobrtncode_t cobaudit_file_read(cobuns32_t flags,
- Control flags
||Reserved for future use (must be 0)
- Audit handle returned by the CBL_AUDIT_FILE_OPEN API.
- Audit event structure
||Structure version (must be 0)
||Control flags (must be 0)
Audit event structure
- Structure version
- Control flags
- Length of process identifier (4 or 8)
- Length of thread identifier (4 or 8)
- 4-byte process identifier
- 8-byte process identifier
- 4-byte thread identifier
- 8-byte thread identifier
- Component specific audit event identifier
- Audit event category
||Security API request check
||Security API request define
||Security API request other
||Security API result allow
||Security API result deny
||Security API result error
||Security API result success
- Number of audit data items. Indicates the number of items in the event_len, event_type and event_data arrays
- Length of application name
- Length of command line
- Length of operating system name
- Length of computer/machine name
- Length of system name
- Length of component name
- Encoded time of event
- Decoded hour
- Decoded minute
- Decoded second
- Decoded millisecond
- Encoded date of event
- Decoded year
- Decoded month
- Decoded day
- Pointer to null-terminated name of application that generated audit event
- Pointer to null-terminated command-line of application that generated audit event
- Pointer to null-terminated name of operating system that generated audit event
- Pointer to null-terminated name of computer that generated audit event
- Pointer to null-terminated name of system that generated audit event
- Pointer to null-terminated name of component that generated audit event
- Pointer to array of 4-byte comp-5 items. Each array element indicates the length of the corresponding audit data item. Will be NULL if data_count is 0.
- Pointer to array of 4-byte comp-5 items. Each array element indicates the type of the corresponding audit data item in the event_data array. Will be NULL if data_count is 0.
Any value other than the ones specified above will be treated as type 0 (binary).
||Text (local encoding)
- Pointer to array of pointer items. Each array element addresses an audit data item of the type and length indicated by the corresponding element in the event_type and event_len arrays respectively. Will be NULL if data_count is 0.
cobaudit_event() is intended for use by C programs. It is used to return the next audit record from the file(s) associated with the current handle.
The function will return AUDIT_RET_FILE_EOF when attempting to read past the last record in a file for the first time. The next attempt to read past the last record will either return the first record of the next file in the collection if a collection has been opened and another file is available, or AUDIT_RET_FILE_NO_MORE_RECORDS.
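The end-of-file behaviour described above matters when draining a collection for review: a reader that stops at the first end-of-file misses every later file. The following is an added example, not code from the product; the `ex_` names, the callback type, the stand-in return codes and the fake two-file reader are all assumptions made so that the loop runs on its own.

```c
/* Stand-in return codes (constructed): the real AUDIT_RET_* values come from
   the product header and are not shown on this page. */
enum { EX_OK, EX_FILE_EOF, EX_NO_MORE_RECORDS, EX_STUCK };

/* Hypothetical reader callback; a real caller would wrap the read API here. */
typedef int (*ex_read_fn)(void *ctx, int *record_id);

struct ex_result { int records; int files_finished; int status; };

/* Read until the collection is exhausted. End-of-file is a file boundary,
   not the end of the data: the read is retried once. With stop_at_eof set,
   the loop shows the mistake of treating the first end-of-file as final. */
static struct ex_result ex_drain(ex_read_fn next, void *ctx, int stop_at_eof)
{
    struct ex_result r = { 0, 0, EX_OK };
    int id, last = EX_OK;
    for (;;) {
        int rc = next(ctx, &id);
        if (rc == EX_OK) {
            r.records++;
        } else if (rc == EX_FILE_EOF && last != EX_FILE_EOF && !stop_at_eof) {
            r.files_finished++;
        } else {
            /* No more records, an error, or end-of-file twice in a row
               (reported as EX_STUCK so the loop cannot spin forever). */
            r.status = (rc == EX_FILE_EOF && !stop_at_eof) ? EX_STUCK : rc;
            return r;
        }
        last = rc;
    }
}

/* Constructed stand-in for a two-file collection (2 records, then 3). */
struct ex_fake { int sizes[2]; int file, pos, eof_sent; };

static int ex_fake_read(void *ctx, int *record_id)
{
    struct ex_fake *f = ctx;
    if (f->pos < f->sizes[f->file]) {
        *record_id = f->file * 100 + f->pos++;
        return EX_OK;
    }
    if (!f->eof_sent) { f->eof_sent = 1; return EX_FILE_EOF; }
    if (f->file == 1) return EX_NO_MORE_RECORDS;
    f->file++; f->pos = 0; f->eof_sent = 0;
    return ex_fake_read(ctx, record_id);
}
```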