All events logged through Novell Audit have a standardized set of fields. This allows Novell Audit to log events to a structured database and query events across all logging applications.
The following diagram calls out the fields that make up a logged event. It also indicates the maximum size of each field.
Figure A-1 Novell Audit Event Structure
The following table explains each event field.
Table A-1 Novell Audit Event Fields
Event Field |
Description |
---|---|
Component |
The component string is formatted like a DOS pathname, with a backslash ( \ ) separating component parts. For example:
The first part of the component string is the Application Identifier. The Application Identifier is the string the logging application uses to identify itself to the logging server. The Application Identifier is stored in the application’s certificate and Application object. When the Secure Logging Server authenticates an application’s connection with the Platform Agent, it associates the Application Identifier with that connection. Thereafter, it automatically adds the Application Identifier to the component string for every event coming from that connection. For more information on application certificates and authentication, see Section 9.0, Security and Non-Repudiation. |
Component continued |
The subsequent portions of the component string are defined by the application. Typically, they identify modules within the application, types of events, etc. The intent of the component string is to facilitate queries across various products and events. For example, using wildcard characters, you can search for all iChain® violations (\ichain\*\violations), all iChain events (\ichain\*), or violations from every logging application (*\violations). You can also use the component string to filter events when verifying event chains. See Section 8.2.7, Verifying Event Authenticity in Novell Audit Report. For a listing of the Novell Audit, eDirectory™ and NetWare® component strings, see Section A.2, Component Strings. |
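The query behaviour described above, as an added example that is not part of the Novell Audit documentation or product code: the Application Identifier is prepended to each component string the way the Secure Logging Server does on an authenticated connection, and the three wildcard searches from the text are run over a constructed set of records. The application identifiers, component strings and the assumption that * matches any run of characters (including backslashes, as in a shell glob) are the example's own, not taken from the product.

```python
from fnmatch import fnmatchcase

# Constructed sample records: (Application Identifier from the application's
# certificate, component string supplied by the logging application).
# The identifiers and module names are hypothetical.
SAMPLE_RECORDS = [
    ("ichain", "\\proxy\\violations"),
    ("ichain", "\\proxy\\access"),
    ("ichain", "\\auth\\violations"),
    ("edir", "\\ldap\\violations"),
    ("edir", "\\ldap\\bind"),
]


def full_component(app_id, component):
    """Prepend the Application Identifier to the application-supplied part,
    giving the DOS-pathname-style string stored with the event."""
    return "\\" + app_id + component


def query(records, pattern):
    """Return the stored component strings matching a wildcard pattern.

    Assumption: '*' matches any run of characters, including backslashes,
    so '\\ichain\\*\\violations' matches violations from every iChain module.
    """
    stored = (full_component(app_id, comp) for app_id, comp in records)
    return [comp for comp in stored if fnmatchcase(comp, pattern)]


if __name__ == "__main__":
    for pattern in ("\\ichain\\*\\violations", "\\ichain\\*", "*\\violations"):
        print(pattern, "->", query(SAMPLE_RECORDS, pattern))
```

fnmatchcase is used rather than fnmatch so that matching is case-sensitive on every platform; on Windows, fnmatch folds case, which would silently widen a query.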
EventID |
The EventID consists of two elements: the HiWord and the LoWord.
For more information, see the Novell Audit SDK. |
GroupID |
An ID that can be used to identify related events. For example, the NetMail® instrumentation of Novell Audit uses this field to store the temporary filename assigned to each message as it passes through the message queue. By sorting on the Group ID, NetMail administrators can view all events that occurred as that particular message passed through the message queue. |
Log Level (Severity) |
The log level is an indicator of the severity of the reported event.
|
IP Address |
The IP address of the Platform Agent that logged the event. By default, Novell Audit stores IP address values in network byte order. |
Client Timestamp |
The time the Platform Agent received the event from the logging application. |
ClientMS |
The event count field. When a logging application makes a connection to the Platform Agent, the Secure Logging Server begins counting the events that come over that connection. The count begins at 0 for the initial event and increments by one for every event. If the logging application is restarted, the event count is reset to 0. Novell Audit Report uses this field to determine how many events are missing if the event signatures do not validate. For more information, see Section 8.2.7, Verifying Event Authenticity in Novell Audit Report. |
Server Timestamp |
The time the logging server received the event. |
Text1 |
The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text1 field is vital to the function of the CVR driver. The CVR driver looks in the event’s Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see CVR Channel Driver. |
Text2 |
The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text2 field is vital to the function of the CVR driver. The CVR driver looks in the event’s Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see CVR Channel Driver. |
Text3 |
The value of this field depends upon the event. It can contain any text string up to 255 characters. |
Value1 |
The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
Value2 |
The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
Value3 |
The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
Mime hint |
This field identifies the type of data contained in the Data field. |
Target |
This field captures the event target. All eDirectory events store the event’s object in the Target field. |
Target Type |
This field specifies which predefined format the target and originator are represented in. Defined values for this type are currently:
|
Originator |
This field captures who or what caused the event to happen. |
Originator Type |
This field specifies which predefined format the target and originator are represented in. Defined values for this type are currently:
|
Sub Target |
This field captures the sub-component of the target which was affected by the event. All eDirectory events store the event’s attribute in the Sub Target field. |
Data Size |
This field identifies the size of the data contained in the Data field. |
Data |
The value of this field depends upon the event. The default size of this field is 3072 characters. You can configure the size of this field in the LogMaxBigData value in logevent.cfg. This value does not set the size of the Data field, but it does set the maximum size that the Platform Agent can log. For more information, see Logevent. The maximum size of the Data field is defined by the database where the data is logged. Thus the size varies for each database that is used. If the size of the data field logged by the Platform Agent exceeds the maximum size allowed by the database, the channel driver truncates the data in the Data field. If an event has more data than can be stored in the String and Numeric Value fields, it is possible to store up to 3 KB of binary data in the Data field. |
Signature |
The event signature. Novell Audit digitally signs each event that is logged to the data store. To sign an event, the logging application or the Platform Agent hashes the event data and signs the hash with the Logging Application’s private key. The signature is then stored as part of the event. This signature allows the auditor or investigator to determine if an event has been changed. If event chaining is enabled, each event’s signature includes its own data as well as the signature from the previous event. This allows auditors to determine if an event has been deleted or if the sequence of events has been changed. Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on configuring this option, see Logevent. For information on validating events in Novell Audit Report, see Section 8.2.7, Verifying Event Authenticity in Novell Audit Report. |
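The ClientMS counter and the signed, chained event structure described above, as an added example that is not part of the Novell Audit documentation or product code. It plays the Platform Agent's part (numbering events from 0 and signing each one, with or without chaining) and then the auditor's part (recomputing signatures and checking the counter) to show what each check detects: an altered event fails its own signature, a deleted event shows up as a counter gap and, with chaining enabled, as a signature failure on the event that followed it. Assumptions not taken from the product: an HMAC with a constructed key stands in for the asymmetric signature with the logging application's private key (the chaining logic is the same), only a subset of fields is hashed, and the sample events are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the logging application's private key. Novell Audit
# signs with an asymmetric key; an HMAC key is used here so the example runs on
# the standard library alone. The hashing and chaining steps are unchanged.
APP_KEY = b"constructed-example-key-not-a-real-secret"

# Fields folded into the hash in this example (assumption: the product hashes
# the full event record; this subset keeps the example short).
SIGNED_FIELDS = ("Component", "EventID", "ClientMS", "Text1", "Value1")

# Constructed sample events with hypothetical component strings and IDs.
SAMPLE_EVENTS = [
    {"Component": "\\exampleapp\\auth", "EventID": 1, "Text1": "cn=alice,o=example", "Value1": 0},
    {"Component": "\\exampleapp\\auth", "EventID": 2, "Text1": "cn=alice,o=example", "Value1": 1},
    {"Component": "\\exampleapp\\auth\\violations", "EventID": 3, "Text1": "cn=mallory,o=example", "Value1": 3},
    {"Component": "\\exampleapp\\files", "EventID": 4, "Text1": "/srv/share/report.doc", "Value1": 0},
    {"Component": "\\exampleapp\\auth", "EventID": 5, "Text1": "cn=alice,o=example", "Value1": 0},
]


def canonical_bytes(event):
    """Serialise the signed fields deterministically so signer and verifier hash the same bytes."""
    subset = {k: event[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, prev_signature, chained=True):
    """Hash the event data, fold in the previous event's signature when chaining, and sign the hash."""
    digest = hashlib.sha256(canonical_bytes(event)).digest()
    if chained:
        digest = hashlib.sha256(digest + prev_signature.encode()).digest()
    return hmac.new(APP_KEY, digest, hashlib.sha256).hexdigest()


def build_chain(events, chained=True):
    """Platform Agent side: assign ClientMS from 0 upward and sign each event as it is logged."""
    signed, prev = [], ""
    for count, event in enumerate(events):
        record = dict(event, ClientMS=count)
        record["Signature"] = sign_event(record, prev, chained)
        signed.append(record)
        prev = record["Signature"]
    return signed


def verify_chain(records, chained=True):
    """Auditor side: return a list of findings, empty when the stored events are intact.

    The ClientMS counter reports how many events are missing or out of sequence;
    the signature reports whether an event was altered and, with chaining, whether
    the event before it was removed or the order was changed.
    """
    findings, prev, expected = [], "", 0
    for record in records:
        count = record["ClientMS"]
        if count < expected:
            findings.append(f"ClientMS {count} out of sequence (expected {expected})")
        elif count > expected:
            findings.append(f"{count - expected} event(s) missing before ClientMS {count}")
        expected = max(expected, count + 1)
        if not hmac.compare_digest(record["Signature"], sign_event(record, prev, chained)):
            findings.append(f"signature invalid for ClientMS {count}")
        prev = record["Signature"]
    return findings


def demo_tamper():
    """Alter one stored event: only that event's signature fails, the chain after it still verifies."""
    records = build_chain(SAMPLE_EVENTS)
    records[1] = dict(records[1], Text1="cn=bob,o=example")
    return verify_chain(records)


def demo_delete(chained=True):
    """Remove event 2: the counter shows the gap; with chaining, event 3's signature also fails."""
    records = build_chain(SAMPLE_EVENTS, chained)
    del records[2]
    return verify_chain(records, chained)


if __name__ == "__main__":
    print("intact:", verify_chain(build_chain(SAMPLE_EVENTS)))
    print("tampered:", demo_tamper())
    print("deleted, chained:", demo_delete(True))
    print("deleted, unchained:", demo_delete(False))
```

The unchained run shows why the counter and the signature are both needed: without chaining, every surviving event still carries a valid signature after a deletion, and only the ClientMS gap reveals that something is gone.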