0.9b (c) 1995 Peter Childs
The function reads entries from the audit log and returns them.
Syntax
MyRc = NetMisc(NETAUDITLOGREAD, 'audInfo', SrvName)
Parameters
The parameters required and returned are:
'audInfo' The audit information and control variables, which is divided
into:
o audInfo.openflags
The read operation control flags. The values controlling the read
operation are:
Value Read direction
----- --------------
0 Read the oldest records in the audit log first
1 Read the newest records first
Value Record read options
----- -------------------
0 Read sequentially from the beginning
2 Read from the nth. record specified
in the audInfo.offset parameter
A value of 3 for audInfo.openflags combines both options: read the
newest records first, starting from the record number specified in
the audInfo.offset parameter.
The default value is 0, which reads the oldest records first and
reads sequentially.
o audInfo.offset
This parameter specifies the record number at which the read operation
starts. It requires that audInfo.openflags includes the value 2.
o audInfo.buffer
The size of the internal working buffer. The value has a maximum of
64KB. The default value is 4KB.
o audInfo.resume
The audit log can be processed in multiple steps. Specify
'INITRESUME' on the first call and 'RESUME' on each following call to
the procedure. See also audInfo.bytesavail.
By default this parameter is ignored.
o audInfo.bytesavail
The audInfo.bytesavail variable returns the amount of data still
available. It is only valid if audInfo.resume is specified.
If audInfo.bytesavail is not 0, more data is available in the
audit log. Continue to call the function with audInfo.resume equal to
'RESUME' until audInfo.bytesavail returns 0.
o audInfo.count
The number of audit log entries returned. The value can be 0
o audInfo.i.time
The time at which audit log entry i was written to the log file
o audInfo.i.type
The audit log entry type. The following types are formatted by this
function:
Value Meaning
----- -------
0 Status of server changed
1 Session logged on
2 Session logged off
3 Password error
4 Connection started
5 Connection stopped
6 Connection rejected
7 Access granted
8 Access rejected
9 File, device, or pipe closed
11 Service status code or text changed
12 Access control profile changed
13 User accounts subsystem database changed
14 User logged on to the network
15 User logged off of the network
16 Network logon denied
17 Account limit exceeded
18 Access granted
19 Access control list (ACL) change failed
For types outside the list above, only the values of audInfo.i.time
and audInfo.i.type are returned
o audInfo.i.numparms
The number of parameters related to the audit entry, from 0 to 7. It
gives the number of returned parameter values audInfo.i.n, where n
runs from 1 to 7. If audInfo.i.numparms is 0, audInfo.i.n is not
defined
o audInfo.i.n
The returned audit entry parameter value. Use the following to
interpret the values:
- If audInfo.i.type is 0, then audInfo.i.numparms is 1
The audit entry parameter value (audInfo.i.1) is:
Value Meaning
----- -------
0 Server software started
1 Server software paused
2 Server software restarted
3 Server software stopped
- If audInfo.i.type is 1, then audInfo.i.numparms is 3
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the privilege. The following values will be returned:
Value Meaning
----- -------
0 Guest
1 User
2 Administrator
- If audInfo.i.type is 2, then audInfo.i.numparms is 3
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the reason why the session was disconnected. The
following values will be returned:
Value Meaning
----- -------
0 Normal disconnection or user name limit
1 Error, session disconnect, or bad password
2 Autodisconnect (timeout), share removed, or
administrative permissions required
3 Administrative disconnection (forced)
4 Forced off by account system because of account
restriction, such as logon hours
- If audInfo.i.type is 3, then audInfo.i.numparms is 2
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
- If audInfo.i.type is 4, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the netname of the resource with which the connection
was made
audInfo.i.4, the connection identification number
- If audInfo.i.type is 5, then audInfo.i.numparms is 5
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the netname of the resource with which the connection
was made
audInfo.i.4, the connection identification number
audInfo.i.5, the reason why the session was disconnected. The
following values are returned:
Value Meaning
----- -------
0 Normal disconnection, or user name limit
1 Error, session disconnect, or bad password
2 Autodisconnect (timeout), share removed, or
administrative permissions lacking
- If audInfo.i.type is 6, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the netname of the resource with which the connection
was made
audInfo.i.4, the reason why the session was disconnected. The
following values are returned:
Value Meaning
----- -------
0 Normal disconnection, or user name limit
1 Error, session disconnect, or bad password
2 Autodisconnect (timeout), share removed, or
administrative permissions lacking
3 No access permissions to shared resource
- If audInfo.i.type is 7, then audInfo.i.numparms is 7
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of the resource accessed
audInfo.i.4, the operation on the resource.
Value Meaning
----- -------
A Attribute, the attributes of a resource were changed
R Read, data was read or run from a resource
W Write, data was written to a resource
C Create, an instance of the resource
(such as a file) was created; data may have been
written to the resource while the resource was
being created
X Execute, a resource was run
D Delete, a resource was deleted
P Permissions, the permissions (read, write, create,
execute, and delete) of a resource for a user or
application were changed
audInfo.i.5, the return code from the particular operation. If 0,
the operation was successful
audInfo.i.6, the server message block (SMB) request function code
audInfo.i.7, the server identification number of a file
- If audInfo.i.type is 8, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of the resource accessed
audInfo.i.4, the operation on the resource.
Value Meaning
----- -------
A Attribute, the attributes of a resource were changed
R Read, data was read or run from a resource
W Write, data was written to a resource
C Create, an instance of the resource
(such as a file) was created; data may have been
written to the resource while the resource was
being created
X Execute, a resource was run
D Delete, a resource was deleted
P Permissions, the permissions (read, write, create,
execute, and delete) of a resource for a user or
application were changed
- If audInfo.i.type is 9, then audInfo.i.numparms is 6
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of the resource accessed
audInfo.i.4, the identification number of the file
audInfo.i.5, specifies how many seconds the resource was used
audInfo.i.6, the reason why the session was disconnected. The
following values are returned:
Value Meaning
----- -------
0 Normal client disconnection
1 Session disconnection
2 Administrative disconnection
- If audInfo.i.type is 11, then audInfo.i.numparms is 7
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of the service
audInfo.i.4, the service status being set
Value Meaning
----- -------
0 Service start
1 Service paused
2 Service resumed
3 Service stopped
audInfo.i.5, the service code being set
audInfo.i.6, the text being set
audInfo.i.7, the return value
- If audInfo.i.type is 12, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of a resource that owns the accessed files
audInfo.i.4, the action performed on the access control profile
record. The following values are defined:
Value Meaning
----- -------
0 Change
1 Deletion
2 Addition
9 Unsuccessful password change attempt
(valid only for user record)
- If audInfo.i.type is 13, then audInfo.i.numparms is 5
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of a resource that owns the accessed files
audInfo.i.4, the type of UAS record, defined as follows:
Value Meaning
----- -------
0 User record
1 Group record
2 UAS modals
audInfo.i.5, the action performed on the UAS record, defined as
follows:
Value Meaning
----- -------
0 Change
1 Deletion
2 Addition
- If audInfo.i.type is 14, then audInfo.i.numparms is 3
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the privilege of the user logging on, defined as
follows:
Value Meaning
----- -------
0 Guest account
1 User account
2 Administrator
- If audInfo.i.type is 15, then audInfo.i.numparms is 2
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
- If audInfo.i.type is 16, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the reason for logon denial, defined as follows:
Value Meaning
----- -------
0 General access denied
1 Incorrect password
4 Forced off by account system because of account
restriction, such as logon hours
9 User ID does not exist
audInfo.i.4, the detail of the reason for denial. When audInfo.i.3
has the value 4, one of the following is true:
Value Meaning
----- -------
0 Unknown or unavailable
1 Logon hours
2 Account expired
3 Requester ID not valid
4 Account disabled
- If audInfo.i.type is 17, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of the resource
audInfo.i.4, the limit that was exceeded, defined as follows:
Value Meaning
----- -------
0 Unknown or unavailable
1 Logon hours
2 Account expired
- If audInfo.i.type is 18, then audInfo.i.numparms is 7
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of the resource accessed
audInfo.i.4, the operation on the resource.
Value Meaning
----- -------
A Attribute, the attributes of a resource were changed
R Read, data was read or run from a resource
W Write, data was written to a resource
C Create, an instance of the resource
(such as a file) was created; data may have been
written to the resource while the resource was
being created
X Execute, a resource was run
D Delete, a resource was deleted
P Permissions, the permissions (read, write, create,
execute, and delete) of a resource for a user or
application were changed
audInfo.i.5, the return code from the particular operation. If 0,
the operation was successful
audInfo.i.6, the server message block (SMB) request function code
audInfo.i.7, the server identification number of a file
- If audInfo.i.type is 19, then audInfo.i.numparms is 4
The audit entry parameter values are:
audInfo.i.1, a string indicating the requester that established
the session
audInfo.i.2, a string indicating the name of the user who
initiated the session. The value is '' if the user name is equal
to requester name
audInfo.i.3, the name of a resource that owns the accessed files
audInfo.i.4, the action performed on the access control profile
record. The following values are defined:
Value Meaning
----- -------
0 Change
1 Deletion
2 Addition
9 Unsuccessful password change attempt
(valid only for user record)
SrvName The computer name of the server to perform the operation on.
Use the value '' for a local computer
Example
/* Read audit log entries on server */
call RxFuncAdd 'LoadLsRxutFuncs', 'LSRXUT', 'LoadLsRxutFuncs'
call LoadLsRxutFuncs

NETAUDITLOGREAD = 590
SrvName = '\\DOMAIN_CONTRLR'

/* Process the log in several steps: INITRESUME first, then RESUME */
audInfo.resume = 'INITRESUME'
audInfo.bytesavail = 1
exitRc = 0

do while audInfo.bytesavail <> 0
   myRc = NetMisc(NETAUDITLOGREAD, 'audInfo', SrvName)
   if myRc <> '0' then do
      say 'Got error from NetMisc() ' myRc
      exitRc = 9
      audInfo.bytesavail = 0      /* force the loop to end */
   end
   else do
      audInfo.resume = 'RESUME'
      say '---------New read----------'
      say 'Bytes available: ' audInfo.bytesavail
      say 'Number of entries:' audInfo.count
      do i = 1 to audInfo.count
         say
         say 'Time: ' LEFT(audInfo.i.time,24)
         say 'Audit Entry Type:' audInfo.i.type
         say 'Number parms: ' audInfo.i.numparms
         /* Print each parameter of entry i, see audInfo.i.n above */
         do j = 1 to audInfo.i.numparms
            say audInfo.i.j
         end
      end
   end
end

call DropLsRxutFuncs
call RxFuncDrop 'LoadLsRxutFuncs'
exit exitRc
Partial Example Output
---------New read----------
Bytes available: 2791
Number of entries: 75

Time: Sat Sep 17 20:39:29 1994
Audit Entry Type: 2
Number parms: 3
WEIHNACHSTMANN
USERID
0

Time: Sat Sep 17 20:39:29 1994
Audit Entry Type: 1
Number parms: 3
WEIHNACHSTMANN
USERID
2
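Added example (not part of the original documentation): the same resume loop, used to tally password errors (type 3) and denied network logons (type 16) per requester/user and report the pairs that reach a threshold. The threshold value, the use of the local server and all variable names other than the audInfo fields are assumptions made for this illustration.

```rexx
/* Added example: tally types 3 and 16 per requester/user; threshold is assumed */
call RxFuncAdd 'LoadLsRxutFuncs', 'LSRXUT', 'LoadLsRxutFuncs'
call LoadLsRxutFuncs
NETAUDITLOGREAD = 590
SrvName   = ''                      /* '' = local computer */
threshold = 5                       /* assumed alert threshold */
reason.  = 'Other'                  /* type 16, audInfo.i.3 values */
reason.0 = 'General access denied'
reason.1 = 'Incorrect password'
reason.4 = 'Account restriction'
reason.9 = 'User ID does not exist'
fails. = 0                          /* fails.key = failure count */
last.  = ''                         /* last.key = last reason seen */
n = 0                               /* number of distinct keys */
exitRc = 0
audInfo.resume = 'INITRESUME'
audInfo.bytesavail = 1
do while audInfo.bytesavail <> 0
  myRc = NetMisc(NETAUDITLOGREAD, 'audInfo', SrvName)
  if myRc <> '0' then do
    say 'Got error from NetMisc() ' myRc
    exitRc = 9
    leave
  end
  audInfo.resume = 'RESUME'
  do i = 1 to audInfo.count
    t = audInfo.i.type
    if t <> 3 & t <> 16 then iterate
    who = audInfo.i.2
    if who = '' then who = audInfo.i.1   /* '' = same as requester */
    key = audInfo.i.1 || '/' || who
    if fails.key = 0 then do             /* first time this pair is seen */
      n = n + 1
      name.n = key
    end
    fails.key = fails.key + 1
    r = audInfo.i.3                      /* only meaningful for type 16 */
    if t = 16 then last.key = reason.r
    else last.key = 'Password error'
  end
end
do k = 1 to n                            /* report pairs at or over threshold */
  key = name.k
  if fails.key >= threshold then
    say 'ALERT' key 'failures:' fails.key 'last:' last.key
end
call DropLsRxutFuncs
call RxFuncDrop 'LoadLsRxutFuncs'
exit exitRc
```

The script must not assign simple variables named type, count, resume or bytesavail, because REXX would substitute their values into the audInfo tails.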