The audit log contains one line per entry. The entry consists of multiple tab-delimited fields. The first nine fields have fixed meaning and order, with additional fields in a tag=value format. The tagged fields that are present depend on the action that is logged. Different actions will have different additional data available. For example, for an invoke, the tag oper would indicate the operation being invoked.

The order of the tab-delimited fields in an entry is:

date login ID ClientDescription pid IP user@host action [tag1=value [tag2=value […]]]

Example:

2010/03/25 12:52:21 +442ms admin 2 dmctl 23168 127.0.0.1 [email protected] createInstance object=MyClass::MyInstance

Note:

The text in the example appears on one line in the log, though it has been wrapped in this document.

Table 1. Description of fields in the audit log

Field

Description

Date

The date and time at which the event occurred, formatted according to the setting of SM_DATETIME_FORMAT.

Login

The login identifier used to authenticate to the domain.

ID

The client identification number for the particular session.

Client Description

Information of the client, for example, dmctl, console. This information is reported by the client as it cannot be verfied independently. A malicious user could manipulate this information.

PID

The process ID of the client on the system where the connection originated. This information is reported by the client as it cannot be verified independently. A malicious user could manipulate this information.

IP

The network address of the system from which the connection originated. This is obtained from the network stack. Due to the presence of NAT or other factors, it may not reflect the actual IP address of the client system.

User

The operating system login name of the user on the system where the connection originated. This information is reported by the client as it cannot be verified independently. A malicious user could manipulate this information.

Host

The hostname of the system where the connection originated. This hostname is reported by the client. A malicious user could manipulate this information. incase of an uncertainty, perform a reverse lookup on the IP provided. This field is provided as it may allow identification of individual clients behind a NAT, while a reverse lookup of the IP would resolve to a single router.

Action

An API operation called by the client. For example, put, create, delete, invoke.

Description of fields in the audit log lists the fields and its description.