12.8.2 Format and output items of common format audit trail files
This subsection explains the format of common format audit trail files. Audit trail information converted by the adbconvertaudittrailfile command is output to these files.
When the adbconvertaudittrailfile command is executed, audit trail information is output to a common format audit trail file with one audit trail per line. In a common format audit trail file, a blank line is output before the first audit trail.
The following shows the format and output items of audit trail information that is converted by the adbconvertaudittrailfile command and is output to a common format audit trail file.
■ Output format of audit trail information converted by the adbconvertaudittrailfile command

CALFHM 1.0,item1=value1,item2=value2,item3=value3,...itemn=valuen

■ Output items of audit trail information converted by the adbconvertaudittrailfile command

The following table lists the items that are output to audit trail information converted by the adbconvertaudittrailfile command.
Note that the ADB_AUDITREAD function can also convert the audit trail information in an audit trail file. Most of the items output to the conversion results of the adbconvertaudittrailfile command are the same as the items output when the function converts the information to a dataset in tabular format (as a table function derived table). For details about the column configuration of a table function derived table generated by the ADB_AUDITREAD function, see 12.9.2 Column structure of table function derived table when retrieving audit trails.
If the data of an output item is longer than the maximum length of that output item, the leading or trailing bytes are omitted. The omitted part of the data is indicated by an ellipsis (...). For the output items in the following table, unless otherwise specified, the trailing bytes are omitted if the data is too long.
If the data to be output to an output item is NULL, the output item itself is omitted.
No. | Output item: Type | Output item: Item name | Output item: Attribute name | Information that is output | Corresponding column name in the table function derived table converted by the ADB_AUDITREAD function
---|---|---|---|---|---
1 | Header information | Common specification identifier | -- | The string CALFHM is output. This string is output before the first item of all audit trails in common format audit trail files. | None
2 | Header information | Common specification revision number | -- | The string 1.0 is output. This string is output before the first item of all audit trails in common format audit trail files. | None
3 | Common information | Sequence number | seqnum | A sequence number in the range from 1 to 2,147,483,647 is output on each output line. If the value exceeds the maximum, the value is reset to 1. The value is also reset to 1 each time the adbconvertaudittrailfile command is executed. | None
4 | Common information | Message ID | msgid | The value of the EXIT_STATUS column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output. | EXIT_STATUS
5 | Common information | Date and time | date | The value of the EXEC_TIME column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output in the following format: | EXEC_TIME
6 | Common information | Name of the relevant program | progid | The string HADB is output. | None
7 | Common information | Name of the relevant component | compid | The value of the ADBDIR column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output within 64 bytes. If the data to be output is longer than 64 bytes, the leading bytes are omitted. A value is output including escape characters.#2 | ADBDIR
8 | Common information | ID of the relevant process | pid | The value of the HADB_PROCESS_ID column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output. | HADB_PROCESS_ID
9 | Common information | Location | ocp:host | The value of the HADB_HOST_NAME column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output within 64 bytes. | HADB_HOST_NAME
10 | Common information | Event type | ctgry | The value of the EVENT_SUBTYPE column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output after being converted into the type as defined by the common format. For details about conversion, see Table 12‒6: Correspondence between the event subtype values and audit event type values. | EVENT_SUBTYPE
11 | Common information | Event result | result | The value of the EVENT_RESULT column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output. | EVENT_RESULT
12 | Common information | Subject identification information | subj:uid | The value of the USER_NAME column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output. Note that this item is not output if the value of the USER_NAME column is NULL. | USER_NAME
13 | Common information | Subject identification information | subj:euid | The value of the OS_USER_NAME column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output within 100 bytes. Note that this item is output only if the value of the USER_NAME column is NULL. | OS_USER_NAME
14 | Common information | Subject identification information | subj:euid | For this item, an asterisk (*) is output if the values of both the OS_USER_NAME and USER_NAME columns in Table 12‒10: Column structure of table function derived table when retrieving audit trails are NULL. | None
15 | Specific information | Object information | obj | The value into which the values of the OBJECT_SCHEMA_NAME and OBJECT_NAME columns in Table 12‒10: Column structure of table function derived table when retrieving audit trails are concatenated is output. For details about the output format, see Table 12‒7: Output format for object information. A value is output including escape characters.#2 |
16 | Specific information | Operating information | op | The value of the EVENT_SUBTYPE column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output within 32 bytes. A value is output including escape characters.#2 | EVENT_SUBTYPE
17 | Specific information | Request-originating host | from:ipv4 | The value of the CLIENT_IP_ADDRESS column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output. | CLIENT_IP_ADDRESS
18 | Specific information | Request-originating port number | from:port | The value of the CLIENT_PORT_NUMBER column in Table 12‒10: Column structure of table function derived table when retrieving audit trails is output. | CLIENT_PORT_NUMBER
19 | Specific information | Message | msg | The name of the conversion-source audit trail file is output. The directory names are not included. A value is output including escape characters.#2 | None
Legend:
--: Not applicable.

#1
The offset from UTC (Coordinated Universal Time) is indicated as the time zone. One of the following values is output:

+hh:mm
  Indicates that the time is ahead of UTC (Coordinated Universal Time) by hh:mm.

-hh:mm
  Indicates that the time is behind UTC (Coordinated Universal Time) by hh:mm.

Z
  Indicates that the time is the same as UTC (Coordinated Universal Time).

For example, JST (Japan Standard Time) is output as +09:00.

#2
A value that includes escape characters is enclosed by double quotation marks ("). A double quotation mark (") included as an ordinary character in an output value is replaced by two double quotation marks ("").
The double quotation marks (") enclosing a value that includes escape characters are included in the data length. Therefore, if the total length of data to be output and the double quotation marks (") added as a result of escaping is longer than the maximum, the leading or trailing bytes of the data are omitted.

The following table shows the correspondence between the event subtype values of HADB audit trails and the audit event type values in common format.
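No. | Event category | Event type | Event subtype value output in audit trails | Audit event type value in common format
---|---|---|---|---
1 | Mandatory audit event | System event | ADBSTART | StartStop
2 | Mandatory audit event | System event | ADBSTOP | StartStop
3 | Mandatory audit event | System event | ADBCHGSRVMODE | ConfigurationAccess
4 | Mandatory audit event | System event | ADBCHGNODETYPE | ConfigurationAccess
5 | Mandatory audit event | System event | ADBCHGSQLTRC | ConfigurationAccess
6 | Mandatory audit event | System event | ADBCLIENTDEFMANG | ConfigurationAccess
7 | Mandatory audit event | System event | ADBMODAREA | ConfigurationAccess
8 | Mandatory audit event | System event | ADBMODBUFF | ConfigurationAccess
9 | Mandatory audit event | System event | ADBCOLUMNIZE | ConfigurationAccess
10 | Mandatory audit event | Audit event | GRANT | AccessControl
11 | Mandatory audit event | Audit event | REVOKE | AccessControl
12 | Mandatory audit event | Audit event | CREATE AUDIT | ConfigurationAccess
13 | Mandatory audit event | Audit event | DROP AUDIT | ConfigurationAccess
14 | Mandatory audit event | Audit event | ALTER USER | AccessControl
15 | Mandatory audit event | Audit event | ADBAUDITTRAIL START | ConfigurationAccess
16 | Mandatory audit event | Audit event | ADBAUDITTRAIL STOP | ConfigurationAccess
17 | Mandatory audit event | Audit event | ADBAUDITTRAIL SWAP | ConfigurationAccess
18 | Mandatory audit event | Audit event | ADBAUDITTRAIL DISPLAY | ConfigurationAccess
19 | Mandatory audit event | Audit event | SELECT | ContentAccess
20 | Mandatory audit event | Audit event | ADBEXPORT | ContentAccess
21 | Mandatory audit event | Audit event | ADBCONVERTAUDITTRAILFILE | ContentAccess
22 | Optional audit event | Session event | CONNECT | Authentication
23 | Optional audit event | Session event | DISCONNECT | Authentication
24 | Optional audit event | Privilege management event | GRANT | AccessControl
25 | Optional audit event | Privilege management event | REVOKE | AccessControl
26 | Optional audit event | Privilege management event | CREATE USER | AccessControl
27 | Optional audit event | Privilege management event | DROP USER | AccessControl
28 | Optional audit event | Privilege management event | ALTER USER | AccessControl
29 | Optional audit event | Definition SQL event | CREATE INDEX | ContentAccess
30 | Optional audit event | Definition SQL event | CREATE SCHEMA | ContentAccess
31 | Optional audit event | Definition SQL event | CREATE TABLE | ContentAccess
32 | Optional audit event | Definition SQL event | CREATE VIEW | ContentAccess
33 | Optional audit event | Definition SQL event | DROP INDEX | ContentAccess
34 | Optional audit event | Definition SQL event | DROP SCHEMA | ContentAccess
35 | Optional audit event | Definition SQL event | DROP TABLE | ContentAccess
36 | Optional audit event | Definition SQL event | DROP VIEW | ContentAccess
37 | Optional audit event | Definition SQL event | ALTER TABLE | ContentAccess
38 | Optional audit event | Definition SQL event | ALTER VIEW | ContentAccess
39 | Optional audit event | Data manipulation SQL event | SELECT | ContentAccess
40 | Optional audit event | Data manipulation SQL event | INSERT | ContentAccess
41 | Optional audit event | Data manipulation SQL event | UPDATE | ContentAccess
42 | Optional audit event | Data manipulation SQL event | DELETE | ContentAccess
43 | Optional audit event | Data manipulation SQL event | TRUNCATE TABLE | ContentAccess
44 | Optional audit event | Data manipulation SQL event | PURGE CHUNK | ContentAccess
45 | Optional audit event | Data manipulation SQL event | UNKNOWN | ContentAccess
46 | Optional audit event | Data manipulation SQL event | GETDATA | ContentAccess
47 | Optional audit event | Data manipulation SQL event | GETCOUNT | ContentAccess
48 | Optional audit event | Data manipulation SQL event | TABLES | ContentAccess
49 | Optional audit event | Data manipulation SQL event | COLUMNS | ContentAccess
50 | Optional audit event | Data manipulation SQL event | INDEXES | ContentAccess
51 | Optional audit event | Data manipulation SQL event | CHUNKS | ContentAccess
52 | Optional audit event | Data manipulation SQL event | GETUSER | ContentAccess
53 | Optional audit event | Command operation event | ADBIMPORT | ContentAccess
54 | Optional audit event | Command operation event | ADBIDXREBUILD | ContentAccess
55 | Optional audit event | Command operation event | ADBGETCST | ContentAccess
56 | Optional audit event | Command operation event | ADBDBSTATUS | ContentAccess
57 | Optional audit event | Command operation event | ADBEXPORT | ContentAccess
58 | Optional audit event | Command operation event | ADBMERGECHUNK | ContentAccess
59 | Optional audit event | Command operation event | ADBCHGCHUNKCOMMENT | ContentAccess
60 | Optional audit event | Command operation event | ADBCHGCHUNKSTATUS | ContentAccess
61 | Optional audit event | Command operation event | ADBARCHIVECHUNK | ContentAccess
62 | Optional audit event | Command operation event | ADBUNARCHIVECHUNK | ContentAccess
63 | Optional audit event | Command operation event | ADBREORGSYSTEMDATA | ContentAccess
64 | Optional audit event | Command operation event | ADBSYNDICT | ContentAccess
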
The following table shows the output formats that can be used for object information. Object information is output in one of these formats according to the values of the OBJECT_SCHEMA_NAME and OBJECT_NAME columns.
No. | OBJECT_SCHEMA_NAME column | OBJECT_NAME column | Format | Output example
---|---|---|---|---
1 | Non-null value | Non-null value | The values of the OBJECT_SCHEMA_NAME and OBJECT_NAME columns are concatenated with an intervening period (.). | obj="ADBUSER01.T1"
2 | Null value | Non-null value | Only the value of the OBJECT_NAME column is output. | obj="ADBUSER01"#
3 | Null value | Null value | No object information is output. | --

Legend:
--: Not applicable.

#
This is an output example when the CREATE SCHEMA statement is used. In this example, a schema name is output to the OBJECT_NAME column.
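
The line format and the quoting rule in note #2 are enough to read these files safely before loading them into a log pipeline. The following reader is an added example, not code from this manual or from HADB: the names `parse_line` and `sequence_gaps` are hypothetical, and the sample lines are constructed and leave out date, msgid and result because their value layouts are not shown on this page.

```python
import re

HEADER = "CALFHM 1.0"
# Audit event type values from the correspondence table on this page.
CTGRY = {"StartStop", "ConfigurationAccess", "AccessControl", "ContentAccess", "Authentication"}
# One item: name=value, where value is bare or double-quoted with "" as a literal quote.
ITEM = re.compile(r'([^=,"]+)=("(?:[^"]|"")*"|[^,"]*)(?:,|$)')

def parse_line(line):
    """Return a dict of items, or None for a blank line (one precedes the first record)."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    header, _, body = line.partition(",")
    if header != HEADER:
        raise ValueError("missing CALFHM 1.0 header")
    record, pos = {}, 0
    while pos < len(body):
        m = ITEM.match(body, pos)
        if not m or m.group(1) in record:  # a duplicate name would make the record ambiguous
            raise ValueError(f"malformed or duplicate item at offset {pos}")
        value = m.group(2)
        if value.startswith('"'):          # undo the escaping described in note #2
            value = value[1:-1].replace('""', '"')
        record[m.group(1)] = value
        pos = m.end()
    seq = record.get("seqnum", "")
    if not seq.isdigit() or not 1 <= int(seq) <= 2_147_483_647:
        raise ValueError("seqnum missing or out of range")
    if record.get("ctgry") not in CTGRY:
        raise ValueError("unknown ctgry value")
    return record

def sequence_gaps(records):
    """Return (previous, current) seqnum pairs that are neither +1 nor a reset to 1."""
    nums = [int(r["seqnum"]) for r in records]
    return [(a, b) for a, b in zip(nums, nums[1:]) if b != 1 and b != a + 1]

# Constructed sample, not real HADB output; values are placeholders.
SAMPLE = "\n".join([
    "",
    'CALFHM 1.0,seqnum=1,progid=HADB,ctgry=Authentication,subj:uid=ADBUSER01,op="CONNECT"',
    'CALFHM 1.0,seqnum=2,progid=HADB,ctgry=ContentAccess,obj="ADBUSER01.T1",msg="a,""b"".aud"',
    'CALFHM 1.0,seqnum=4,progid=HADB,ctgry=Authentication,subj:uid=ADBUSER01,op="DISCONNECT"',
])
RECORDS = [r for r in map(parse_line, SAMPLE.splitlines()) if r]
```

Because seqnum restarts at 1 on every run of the adbconvertaudittrailfile command, `sequence_gaps` can flag lines missing inside one converted file but not a file that was truncated at its end.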