Overview#

All events logged through Novell Audit have a standardized set of fields. This allows Novell Audit to log events to a structured database and query events across all logging applications.

The following diagram calls out the fields that make up a logged event. It also indicates the maximum size of each field.

Audit Structure #

This diagram is kept here as a reference: some of the XDAS documentation still refers to it, and some installations still run Novell Audit and use these fields:

Novell Audit Fields and Descriptions#

SourceIP#

SourceIP int(11) default '0', - The IP address of the reporting host. It is assigned by the Platform Agent or Secure Logging Server and the field cannot be changed by a reporting application.
NOTE: In MySQL, INET_NTOA(SourceIP) will show this entry as an IP address.

ClientTimeStamp#

ClientTimeStamp int(11) default '0', - Assigned by the Platform Agent or Secure Logging Server and the field cannot be changed by a reporting application.
NOTE: In MySQL, FROM_UNIXTIME(ClientTimeStamp) will convert this to a readable format.

ClientMS#

ClientMS int(11) default '0', - Assigned by the Platform Agent or Secure Logging Server and the field cannot be changed by a reporting application. It appears to be the milliseconds since the Secure Logging Server started, so it does give a rough idea of the time elapsed between events.

ServerTimeStamp#

ServerTimeStamp int(11) default '0', - Assigned by the Platform Agent or Secure Logging Server and the field cannot be changed by a reporting application.
NOTE: In MySQL, FROM_UNIXTIME(ServerTimeStamp) will convert this to a readable format.

SessionID#

SessionID int(11) default '0', - Assigned by the Platform Agent or Secure Logging Server and the field cannot be changed by a reporting application.

Component#

Component varchar(255) default ' ', - Names the component of the application which logged the event. A component string is formatted like a DOS path name, with a backslash (\) separating the component parts, and must be provided for each event. The intent of the component string is to allow searching across various products or event IDs.

EventID#

The EventID is comprised of two elements: the HiWord and the LoWord.
  • Application ID or HiWord - the four-digit hex value assigned to the current application. All Application IDs are assigned through Novell Developer Support and are maintained in the Novell Audit central registry. Before instrumenting a new application, developers should obtain an AppID through Novell Developer Support.
  • Application Event ID or LoWord is the AppEventID assigned by the person instrumenting the application. Typically, these values are assigned in ascending order.

EventID int(11) default '0'.

ApplicationID#

The application ID is assigned through a central registry at Novell.

Application Event ID#

The application event ID is a number assigned by the application to uniquely identify an event, usually in ascending order. The reserved range is a set of application ID numbers that are never assigned through the central registry, and are available for application developers to use for development and testing purposes. The event ID is detailed in the following figure:
[Figure: the event ID written as its two hex halves, HiWord followed by LoWord, e.g. 0001 0000]

NOTE: In MySQL, "WHERE EventID BETWEEN 0x000B0000 AND 0x000BFFFF" will filter the events for eDirectory, since 0x000B is its application ID (HiWord).

Severity#

Severity int(11) default '0', - One of the following values (1 is the most severe):
  • 1 - EMERGENCY - Events that cause the reporting application to shutdown (Severity = 1)
  • 2 - ALERT - Events that require immediate attention (Severity=2)
  • 3 - CRITICAL - Events that can cause parts of the reporting system to malfunction (Severity=3)
  • 4 - ERROR - Events describing errors which can be handled by the reporting system (Severity=4)
  • 5 - WARNING - Negative events not representing a problem (Severity=5)
  • 6 - NOTICE - Events (positive or negative) an administrator can use to understand or improve the use and operation of reporting system (Severity=6)
  • 7 - INFO - Positive events of any importance (Severity=7)
  • 8 - DEBUG - Events of relevance for support or engineers to debug operation of the reporting system (Severity=8)
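The MySQL notes above (INET_NTOA for SourceIP, FROM_UNIXTIME for the timestamps, the EventID BETWEEN filter) and the HiWord/LoWord split of the EventID can be reproduced in code when rows are pulled out of the log table for review. The following is an added Python example, not code from the original page or from Novell; the sample row is constructed, and the application ID 0x000B for eDirectory is taken from the note above.

```python
from __future__ import annotations
import ipaddress
from datetime import datetime, timezone

# Severity codes as listed on this page (1 = most severe, 8 = least severe).
SEVERITY_NAMES = {
    1: "EMERGENCY", 2: "ALERT", 3: "CRITICAL", 4: "ERROR",
    5: "WARNING", 6: "NOTICE", 7: "INFO", 8: "DEBUG",
}

# Application ID (HiWord) for eDirectory, taken from the MySQL filter note.
EDIRECTORY_APP_ID = 0x000B

# Constructed sample row: 10.0.0.5 as an int, a 2014 timestamp, eDirectory event 1.
SAMPLE_ROW = {
    "SourceIP": 167772165, "ClientTimeStamp": 1397733600,
    "ServerTimeStamp": 1397733601, "EventID": 0x000B0001, "Severity": 6,
    "Component": "eDirectory\\Login", "Originator": "\\TREE\\ORG\\admin",
    "OriginatorType": 1, "Target": "\\TREE\\ORG\\jim", "TargetType": 1,
}


def split_event_id(event_id: int) -> tuple[int, int]:
    """Split the 32-bit EventID into (AppID, AppEventID) = (HiWord, LoWord)."""
    if not 0 <= event_id <= 0xFFFFFFFF:
        raise ValueError("EventID must fit in 32 bits")
    return event_id >> 16, event_id & 0xFFFF


def event_id_range(app_id: int) -> tuple[int, int]:
    """Inclusive EventID bounds covering every LoWord of one application,
    i.e. the values to use in 'WHERE EventID BETWEEN lo AND hi'."""
    return app_id << 16, (app_id << 16) | 0xFFFF


def decode_event(row: dict) -> dict:
    """Render the numeric columns of one log row in readable form, mirroring
    INET_NTOA, FROM_UNIXTIME and the HiWord/LoWord split described above."""
    app_id, app_event_id = split_event_id(row["EventID"])
    to_time = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {
        "SourceIP": str(ipaddress.IPv4Address(row["SourceIP"])),
        "ClientTime": to_time(row["ClientTimeStamp"]),
        "ServerTime": to_time(row["ServerTimeStamp"]),
        "AppID": f"0x{app_id:04X}",
        "AppEventID": f"0x{app_event_id:04X}",
        "IsEDirectory": app_id == EDIRECTORY_APP_ID,
        "Severity": SEVERITY_NAMES.get(row["Severity"], f"UNKNOWN({row['Severity']})"),
        "Component": row["Component"],
        "Originator": row["Originator"],
        "Target": row["Target"],
    }
```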

Grouping#

Grouping int(11) default '0', - The Group ID is used to mark multiple log events belonging to a single transaction. When logging events, you are responsible for choosing an appropriate group ID for events. The group ID is used mainly for searching, and all events logged by an application can use the same group ID if appropriate.

Originator#

Originator varchar(255) default ' ', - originator captures who or what caused the event to happen.

OriginatorType#

OriginatorType int(11) default '0', - An integer that specifies which predefined notation the Originator value is written in. Defined values for this type are currently as follows:
  • 0: None
  • 1: Slash Notation
  • 2: Dot Notation
  • 3: LDAP Notation

Target#

Target varchar(255) default ' ', - captures who or what the target of the operation was.

TargetType#

TargetType int(11) default '0', - An integer that specifies which predefined notation the Target value is written in. Defined values for this type are currently as follows:
  • 0: None
  • 1: Slash Notation
  • 2: Dot Notation
  • 3: LDAP Notation

SubTarget#

SubTarget varchar(255) default ' ', - captures the subcomponent of the target that was affected by the event.

Text1#

Text1 varchar(255) default ' ', - Contains the base value or new value of a subtarget that has been acted upon if the value is of type string.

Text2#

Text2 varchar(255) default ' ', - Contains the prior value of a subtarget that has been acted upon if the value is of type string, and if applicable for the type of event being logged.

Text3#

Text3 varchar(255) default ' ', - Defined by your application.

Value1#

Value1 int(11) default '0', - Contains the base value or new value of a subtarget that has been acted upon if the value is of type integer.

Value2#

Value2 int(11) default '0', - Contains the prior value of a subtarget that has been acted upon if the value is of type integer, and if applicable for the type of event being logged.

Value3#

Value3 int(11) default '0', - Defined by your application.

MIMEType#

MIMEType int(11) default '0', - Provides a MIME hint about the type of the data. Predefined MIME hints are in the Nsure Audit header file, logevents.h.

DataSize#

DataSize int(11) default '0', - If necessary, the size of the data field can be expanded by your application, see “Configuring the Platform Agent” on page 18 for more information.

Data#

Data mediumblob, - Optional; provides, by default, up to three kilobytes of binary data to be logged with an event. Generally, data that an administrator needs to read should be stored in the string and numeric values of the payload, and the binary section should hold information intended to be read by your application, because this data can often be difficult to interpret.

Signiture#

Signiture varchar(255) default ' ', -

This page (revision-19) was last changed on 17-Apr-2014 11:20 by jim