Safeguard Audit Service Manual (G06.24+, H06.03+)

Safeguard Audit Service Manual 520480-014
A Audit File Record Formats
This appendix describes the structure of the records in the audit files. If you are writing
programs to extract information from the audit trail, read this appendix. However, if you
are using SAFEART to get information from the audit trail, you do not need to read this
appendix. Instead, see Section 7, SAFEART Field Descriptions.
About the Audit Trail
The security audit trail consists of one or more audit pools. The term audit pool refers
to a disk subvolume containing two or more disk files, called audit files, to which the
audit records are actually written. An audit pool is a named object whose name is the
same as the subvolume in which it resides.
An audit pool is composed of a series of individual audit files. The audit service writes
audit records to the last open audit file in sequence in the currently active audit pool.
The open audit file continues to receive audit records until it is full, a NEXTFILE
command is issued, or the Safeguard subsystem is stopped and restarted. In any of
these cases, the audit service performs a file switch that opens the next available audit
file for receipt of audit records.
Audit File Naming
Audit file names have this form:
Annnnnnn
The single alphabetic character A is followed by a seven-digit decimal integer,
nnnnnnn, which is incremented by one each time a name is to be generated within the
same audit pool.
The same file names can occur in different audit pools. For example, if you have
defined audit pools on the subvolumes AUDIT1 and AUDIT2, the audit service creates
files AUDIT1.A0000000 and AUDIT2.A0000000 because the first audit file in each
audit pool is named A0000000.
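The naming rule above (the letter A followed by a seven-digit decimal integer, starting at A0000000 and incremented by one per file within a pool) is simple enough to check mechanically. The following Python is an added example, not code from the manual or from the Safeguard product: it parses audit file names, predicts the next name the audit service would generate for a pool, groups fully qualified names by pool so that identical names in different pools are not confused, and reports gaps in a pool's sequence, which an auditor would want to investigate because a missing number can mean an audit file was removed. The functions, the constructed pool listing and the assumption that the next name is always the highest existing number plus one are all this example's own.

```python
import re
from collections import defaultdict

# Audit file name: "A" followed by exactly seven decimal digits (A0000000 ... A9999999).
AUDIT_FILE_RE = re.compile(r"^A(\d{7})$")
MAX_SEQ = 9_999_999


def parse_audit_file_name(name: str) -> int:
    """Return the sequence number encoded in an audit file name; reject anything else."""
    m = AUDIT_FILE_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not an audit file name: {name!r}")
    return int(m.group(1))


def make_audit_file_name(seq: int) -> str:
    """Build the name for a sequence number, zero-padded to seven digits."""
    if not 0 <= seq <= MAX_SEQ:
        raise ValueError(f"sequence number out of range: {seq}")
    return f"A{seq:07d}"


def next_audit_file_name(existing: list[str]) -> str:
    """Name expected next in this pool.

    Assumption (this example's, not stated by the manual): the next name is
    always the highest existing number plus one; an empty pool starts at A0000000.
    """
    seqs = [parse_audit_file_name(n) for n in existing]
    return make_audit_file_name(0 if not seqs else max(seqs) + 1)


def find_sequence_gaps(existing: list[str]) -> list[str]:
    """Names missing between the lowest and highest present in one pool.

    Because names are generated by incrementing by one, a gap is a file that
    should exist but does not: worth checking for accidental or deliberate deletion.
    """
    seqs = sorted(parse_audit_file_name(n) for n in existing)
    if not seqs:
        return []
    present = set(seqs)
    return [make_audit_file_name(s) for s in range(seqs[0], seqs[-1] + 1)
            if s not in present]


def group_by_pool(qualified_names: list[str]) -> dict[str, list[str]]:
    """Split "SUBVOL.Annnnnnn" names into per-pool lists.

    The same file name (for example A0000000) legitimately occurs in every pool,
    so sequence checks must be run per pool, never over a mixed listing.
    """
    pools: dict[str, list[str]] = defaultdict(list)
    for qn in qualified_names:
        subvol, _, fname = qn.rpartition(".")
        if not subvol:
            raise ValueError(f"expected SUBVOL.FILENAME, got {qn!r}")
        pools[subvol].append(fname)
    return dict(pools)


def check_all_pools(qualified_names: list[str]) -> dict[str, list[str]]:
    """Gaps per pool for a directory listing of fully qualified audit file names."""
    return {pool: find_sequence_gaps(names)
            for pool, names in group_by_pool(qualified_names).items()}


# Constructed sample listing: two pools; AUDIT1 is missing A0000002.
SAMPLE_LISTING = [
    "AUDIT1.A0000000", "AUDIT1.A0000001", "AUDIT1.A0000003",
    "AUDIT2.A0000000", "AUDIT2.A0000001",
]

if __name__ == "__main__":
    for pool, names in group_by_pool(SAMPLE_LISTING).items():
        print(pool, "next:", next_audit_file_name(names),
              "gaps:", find_sequence_gaps(names))
```

Run it against a real pool by feeding the file names from the audit pool's subvolume in place of the constructed SAMPLE_LISTING; any non-empty gap list for a pool deserves a look at who removed the file and when.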
Audit File Structure
An audit file is an entry-sequenced, structured file containing variable-length,
variable-format records in fixed, 4096-byte blocks. The various record formats are identified by
type codes stored at the same field offset in every record in the file. Each audit file
contains a single file header record followed by a variable number of audit records.
Header Record
The header record contains information common to every record in the file:
- Revision level of the record formats occurring in the file
  Record formats of different product revision levels are never mixed in the same file.