3.7.4 Information output to audit logs

Organization of this subsection
(1) Audit log output format
(2) Output example and output items

(1) Audit log output format

Entries are output to an audit log in the following format:

CALFHM 1.0, output-item-1=value-1, output-item-2=value-2, ..., output-item-n=value-n

The string CALFHM 1.0 serves as header information, and is output for all audit log entries.

(2) Output example and output items

The following is an example of audit log output:

CALFHM 1.0, seqnum=1, msgid=KFCA33400-I,
date=2007-10-30T16:09:59.884+09:00, progid=OpenTP1, compid=adm, pid=11600,
ocp:ipv4=192.112.100.10, ctgry=StartStop, result=Success,
subj:euid="tp1user", obj="smpl", op=Start, loc="/OpenTP1", msg="User tp1user
started OpenTP1(smpl)."

The following table lists the items entered in an audit log file.

Table 3-12 Items output to audit log file

Each item is listed as: item name (meaning), followed by its content. Items are grouped according to the "Common or program-specific" column#1.

Common information#1

  seqnum (Sequence number)
    A process-specific sequence number assigned to audit logs

  msgid (Message ID)
    The message ID

  date (Date and time)
    The date and time when the message was output, in the following format:
    YYYY-MM-DDThh:mm:ss.sssTZD
      YYYY: Year
      MM: Month
      DD: Day
      T: Delimiter between date and time
      hh: Hours
      mm: Minutes
      ss: Seconds
      sss: Milliseconds
      TZD: Time zone#2

  progid (Source program)
    The character string OpenTP1

  compid (Source component)
    The name of the component where the event occurred. Audit logs acquired from a UAP by an API that outputs audit logs have a component name of the form *AA, where AA is the value specified in the API. Audit logs whose component name does not begin with * are output by OpenTP1 itself.

  pid (Process ID)
    The ID of the process associated with the event

  ocp:host or ocp:ipv4 (Source location)
    The host name or IP address of the server where the event occurred

  ctgry (Event category)
    The event category, as one of the following:
    • StartStop: Indicates that a server or service has started or stopped.
    • Authentication: Indicates that user authentication was attempted.
    • ConfigurationAccess: Indicates that a setting or aspect of system configuration has been changed.
    • AccessControl: Indicates that a user has attempted to access a managed resource, and whether the attempt succeeded or failed.
    • Failure: Indicates a software error.
    • LinkStatus#3: Indicates the link status between devices.
    • ExternalService#3: Indicates the result of communication with an external service.
    • ContentAccess: Indicates that a user has attempted to access critical data, and whether the attempt failed.
    • Maintenance: Indicates that a maintenance-related operation was executed, and whether the operation failed.
    • AnomalyEvent: Indicates that a communication error occurred.
    • ManagementAction#3: Indicates execution of a critical action by a program, or an action triggered by another event.

  result (Event result)
    The result of the event, as one of the following:
    • Success: The event was successful.
    • Failure: The event was a failure.
    • Occurrence: There is no distinction between success and failure for the event.

  subj:euid or subj:pid (Subject ID information)
    The user or process that caused the event, as one of the following:
    • User name (the user ID of the OS account)
    • Process ID

Program-specific information#1

  obj (Object information)
    Information identifying the target of the operation that generated the event

  op (Action information)
    The type of action that generated the event, as one of the following:
    • Start: A program started.
    • Stop: A program stopped.
    • Login: Login occurred.
    • Logout#3: Logout occurred.
    • Logon#3: Logon occurred.
    • Logoff#3: Logoff occurred.
    • Refer: A setting was referenced.
    • Add#3: A setting was added.
    • Update#3: A setting was updated.
    • Delete: A setting was deleted.
    • Occur: An error or the like occurred.
    • Enforce: Processing was enforced.
    • Up#3: A link became active.
    • Down#3: A link became inactive.
    • Request#3: A request was issued.
    • Response#3: A response was issued.
    • Send#3: Information was sent.
    • Receive#3: Information was received.
    • Install#3: A program was installed.
    • Uninstall#3: A program was uninstalled.
    • Backup#3: A backup was taken.
    • Maintain: A maintenance task was performed.
    • Invoke#3: A system administrator or the like called a function.
    • Notify#3: A system administrator or the like was issued a notification.

  objloc (Object location information)
    Information about the location of the object

  from:host or from:ipv4 (Request source host)
    When the event involves multiple programs, the host name or IP address where the request originated

  from:port (Request source port)
    When the event involves multiple programs, the port number where the request originated

  to:host or to:ipv4 (Request destination host)
    When the event involves multiple programs, the host name or IP address to which the request was directed

  to:port (Request destination port)
    When the event involves multiple programs, the port number to which the request was directed

  loc (Location information)
    The information set in the DCDIR environment variable

  msg (Message)
    A message describing the nature of the event
#1: All output items categorized as common information are always output to the audit log. Items categorized as program-specific information may or may not be output, depending on the particular circumstances.

#2: The time zone is expressed as an offset from UTC, interpreted as follows:
    +hh:mm  Indicates a time zone hh:mm ahead of UTC.
    -hh:mm  Indicates a time zone hh:mm behind UTC.
    Z       Indicates a time zone equivalent to UTC.
    Japan Standard Time appears as +09:00.

#3: This information is output only when an API that outputs audit logs is used to acquire audit log information from a UAP.

For details about which items are output for each type of event, see C. Information Output for Audited Events.
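As an added example (not part of the OpenTP1 manual), the following Python parser reads CALFHM 1.0 entries as described above: it splits output items on commas while keeping quoted values such as msg= intact, checks that every common item from Table 3-12 is present, and flags failed Authentication and AccessControl events for review. The second sample entry, its host name and its message ID are constructed placeholders, not real OpenTP1 output.

```python
import re

HEADER = "CALFHM 1.0"
# Common items from Table 3-12 (always present); ocp:* and subj:* are either/or pairs.
COMMON_ITEMS = ["seqnum", "msgid", "date", "progid", "compid", "pid", "ctgry", "result"]
COMMON_EITHER = [("ocp:host", "ocp:ipv4"), ("subj:euid", "subj:pid")]

# One output-item=value pair. The value is either a double-quoted string, which may
# contain commas and spaces (see msg= in the manual's example), or a bare run of
# characters ending at the next comma.
PAIR_RE = re.compile(r'\s*([A-Za-z0-9:]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_entry(line):
    """Parse one CALFHM 1.0 entry into a dict of output items."""
    if not line.startswith(HEADER):
        raise ValueError("missing CALFHM 1.0 header: " + line[:20])
    fields = {}
    for key, quoted, bare in PAIR_RE.findall(line[len(HEADER):]):
        fields[key] = quoted if quoted else bare.strip()
    return fields


def missing_common_items(fields):
    """Return the common items absent from a parsed entry (expected to be empty)."""
    missing = [k for k in COMMON_ITEMS if k not in fields]
    missing += [a + "|" + b for a, b in COMMON_EITHER if a not in fields and b not in fields]
    return missing


def failed_security_events(lines):
    """Return (seqnum, ctgry, subject) for failed Authentication/AccessControl events."""
    hits = []
    for line in lines:
        f = parse_entry(line)
        if f.get("ctgry") in ("Authentication", "AccessControl") and f.get("result") == "Failure":
            hits.append((f["seqnum"], f["ctgry"], f.get("subj:euid") or f.get("subj:pid", "?")))
    return hits


# Constructed sample: the manual's StartStop entry joined onto one line, plus an
# invented failed-login entry whose msgid and host name are placeholders.
SAMPLE_LINES = [
    'CALFHM 1.0, seqnum=1, msgid=KFCA33400-I, date=2007-10-30T16:09:59.884+09:00, '
    'progid=OpenTP1, compid=adm, pid=11600, ocp:ipv4=192.112.100.10, ctgry=StartStop, '
    'result=Success, subj:euid="tp1user", obj="smpl", op=Start, loc="/OpenTP1", '
    'msg="User tp1user started OpenTP1(smpl)."',
    'CALFHM 1.0, seqnum=2, msgid=KFCA-PLACEHOLDER, date=2007-10-30T16:10:03.120Z, '
    'progid=OpenTP1, compid=adm, pid=11600, ocp:host=tp1host, ctgry=Authentication, '
    'result=Failure, subj:euid="guest", op=Login, msg="Login failed, bad password."',
]
```

Because the manual's example is wrapped for display, the parser assumes each entry has been reassembled onto a single line before it is passed in.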