
Event Structure

All events logged through Nsure Audit have a fixed set of fields. Depending on the amount of information stored in each field, events can be as large as 4.5 KB.

The following diagram calls out the field elements that make up a logged event. It also indicates the maximum size of each field.

Refer to the table for an explanation of each field element.

Event Field

Description

Component

The component string is formatted like a DOS pathname, with a backslash (\) separating the component parts.

For example:

\eDirectory\Database\Lookup

\iChain\Connection Manager\Authentication

\NetMail\POP3\Authentication

The first part of the component string is the Application Identifier. The Application Identifier is stored in the application’s certificate. When the Secure Logging Server authenticates an application’s connection with the Platform Agent, it associates the Application Identifier with that connection. Thereafter, it automatically adds the Application Identifier to the component string for every event coming from that connection.

For more information on application certificates and authentication, see the Novell Nsure Audit Administration Guide.

NOTE: The Application Identifier is also stored in the Application object. For more information, see Creating and Configuring Application Objects.

The subsequent portions of the component string are defined by the application. Typically, they identify modules within the application, types of events, etc.

The component string is intended to make queries across products and events easy. Using wildcard characters, you can search for all iChain violations (\ichain\*\violations), all iChain events (\ichain\*), or violations from every logging application (*\violations). Because everything after the Application Identifier is defined by each application, a cross-application query such as the last one only finds events whose applications chose the same component names.

 

Event ID

The event ID consists of two 16-bit elements packed into one 32-bit value.

The HiWord is the numerical Application ID (AppID) assigned to the application. All Application IDs are assigned through Novell Developer Support and are maintained in the Nsure Audit central registry.

NOTE: Before instrumenting a new application, developers should obtain an AppID through Novell Developer Support.

The LoWord is the AppEventID assigned by the person instrumenting the application. Typically, these values are assigned in ascending order. Because an AppEventID is unique only within its application, compare the whole event ID, not the LoWord alone, when matching event types.

For more information, see the Novell Nsure Audit SDK.
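The following Python is an illustration added here; it is not code from the Nsure Audit SDK or from this documentation. It shows the two mechanisms described in the Component and Event ID rows: composing and splitting an event ID into its HiWord (AppID) and LoWord (AppEventID), and running the wildcard component queries from the Component row over a few constructed events. The sample components, the placeholder AppIDs 1 to 3, and the wildcard semantics (an asterisk matches any run of characters including backslashes, and comparison is case-insensitive) are assumptions of the example rather than documented behaviour.

```python
import re

# Assumption of this example: the event ID is a 32-bit value whose HiWord (upper 16 bits)
# is the registry-assigned Application ID and whose LoWord (lower 16 bits) is the
# AppEventID chosen by whoever instrumented the application.
WORD_MASK = 0xFFFF
DWORD_MASK = 0xFFFFFFFF


def make_event_id(app_id: int, app_event_id: int) -> int:
    """Compose a 32-bit event ID from its two 16-bit halves, rejecting out-of-range parts."""
    for name, value in (("app_id", app_id), ("app_event_id", app_event_id)):
        if not 0 <= value <= WORD_MASK:
            raise ValueError(f"{name}={value} does not fit in 16 bits")
    return (app_id << 16) | app_event_id


def split_event_id(event_id: int) -> tuple[int, int]:
    """Return (app_id, app_event_id) for a 32-bit event ID."""
    if not 0 <= event_id <= DWORD_MASK:
        raise ValueError(f"event_id={event_id} does not fit in 32 bits")
    return event_id >> 16, event_id & WORD_MASK


def component_pattern(pattern: str) -> re.Pattern:
    """Compile a component query such as \\ichain\\*\\violations into a regular expression.

    Assumed semantics: '*' matches any run of characters, backslashes included, so
    \\ichain\\* matches every component under \\iChain at any depth, and the match is
    case-insensitive so the lowercase queries in the text match mixed-case components.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def query(events: list[dict], pattern: str) -> list[tuple[str, int, int]]:
    """Return (component, app_id, app_event_id) for every event whose component matches."""
    regex = component_pattern(pattern)
    hits = []
    for event in events:
        if regex.match(event["component"]):
            app_id, app_event_id = split_event_id(event["event_id"])
            hits.append((event["component"], app_id, app_event_id))
    return hits


# Constructed sample events, not captured from a real system. AppIDs 1, 2 and 3 are
# placeholders, not registry-assigned values; note that AppEventID 1 recurs under
# every application, so only the full 32-bit event ID identifies an event type.
SAMPLE_EVENTS = [
    {"component": r"\eDirectory\Database\Lookup", "event_id": make_event_id(1, 1)},
    {"component": r"\iChain\Connection Manager\Authentication", "event_id": make_event_id(2, 1)},
    {"component": r"\iChain\Connection Manager\Violations", "event_id": make_event_id(2, 2)},
    {"component": r"\iChain\Proxy\Violations", "event_id": make_event_id(2, 3)},
    {"component": r"\NetMail\POP3\Authentication", "event_id": make_event_id(3, 1)},
    {"component": r"\NetMail\SMTP\Violations", "event_id": make_event_id(3, 2)},
]


if __name__ == "__main__":
    for pattern in (r"\ichain\*\violations", r"\ichain\*", r"*\violations"):
        print(pattern)
        for component, app_id, app_event_id in query(SAMPLE_EVENTS, pattern):
            print(f"  {component}  AppID={app_id} AppEventID={app_event_id}")
```

Running the block prints the hits for the three queries from the Component row; the *\violations query returns events from two different applications, which is exactly the cross-product search the component string is designed for.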

 

Group ID

An ID that can be used to identify related events.

For example, the NetMail instrumentation of Nsure Audit uses this field to store the temporary filename assigned to each message as it passes through the message queue. By sorting on the Group ID, NetMail administrators can view all events that occurred as that particular message passed through the message queue.

 

Log Level (Severity)

The log level is an indicator of the severity of the reported event, listed here from most to least severe:

  • Emergency: events that cause the system to shut down

  • Alert: events that require immediate attention

  • Critical: events that may cause parts of the system to malfunction

  • Error: errors that can be handled by the system

  • Warning (LE_WARNING): negative events that do not represent a problem

  • Notice (LE_NOTICE): events (positive or negative) an administrator can use to understand or improve the use and operation of the current system

  • Info (LE_INFO): positive events of any importance

  • Debug (LE_DEBUG): events relevant to support staff or engineers debugging the operation of the current system

 

IP Address

The IP address of the Platform Agent that logged the event.

 

Client Timestamp

The time the Platform Agent received the event from the logging application.

 

Server Timestamp

The time the logging server received the event.

 

Text1

The value of this field depends upon the event. It may contain any text string up to 255 characters.

NOTE: The Text1 field is vital to the function of the CVR driver. The CVR driver looks in the event’s Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see CVR Channel.

 

Text2

The value of this field depends upon the event. It may contain any text string up to 255 characters.

NOTE: The Text2 field is vital to the function of the CVR driver. The CVR driver looks in the event’s Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see CVR Channel.

 

Value1

The value of this field depends upon the event. It may contain any 32-bit numeric value.

 

Value2

The value of this field depends upon the event. It may contain any 32-bit numeric value.

 

Mime hint

This field identifies the type of data contained in the Data field.

 

Data size

This field identifies the size of the data contained in the Data field.

 

Data

The value of this field depends upon the event.

If an event carries more data than fits in the Text1/Text2 and Value1/Value2 fields, up to 3 KB of binary data can be stored in the Data field. The Mime hint and Data size fields should describe whatever is placed there.
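The following Python is an example added here, not code from the Nsure Audit SDK or this documentation. It checks an event against the limits stated for the Text1, Text2, Value1, Value2, Mime hint, Data size and Data fields, and shows how a caller-controlled string longer than 255 characters can be carried in full in the Data field instead of being silently cut off in Text1. Assumptions of the example: the dictionary keys used for the fields, that 3 KB means 3072 bytes, that a 32-bit Value may be either signed or unsigned since the text does not say, and the JSON layout with an application/json MIME hint for the overflow, which is this example's own convention. The sample event is constructed, not captured from a real system.

```python
import json

# Field limits as stated in the event description. Where the text leaves something
# open, the assumption this example makes is noted beside the constant.
MAX_TEXT_CHARS = 255               # Text1 / Text2: "up to 255 characters"
MAX_DATA_BYTES = 3 * 1024          # Data: "up to 3 KB", assumed to mean 3072 bytes
SIGNED_32_MIN = -(1 << 31)         # Value1 / Value2: "32 bits"; signedness is not
UNSIGNED_32_MAX = (1 << 32) - 1    # stated, so accept anything that fits either way


def check_event(event: dict) -> list[str]:
    """Return the problems that would break, or silently cut off, this event when logged."""
    problems = []
    for name in ("text1", "text2"):
        text = event.get(name, "")
        if len(text) > MAX_TEXT_CHARS:
            problems.append(f"{name}: {len(text)} characters exceeds {MAX_TEXT_CHARS}; tail would be lost")
    for name in ("value1", "value2"):
        value = event.get(name, 0)
        if not SIGNED_32_MIN <= value <= UNSIGNED_32_MAX:
            problems.append(f"{name}: {value} does not fit in 32 bits")
    data = event.get("data", b"")
    if len(data) > MAX_DATA_BYTES:
        problems.append(f"data: {len(data)} bytes exceeds {MAX_DATA_BYTES}")
    if event.get("data_size", 0) != len(data):
        problems.append(f"data_size: {event.get('data_size', 0)} does not match {len(data)} bytes of data")
    if data and not event.get("mime_hint"):
        problems.append("mime_hint: missing, so consumers cannot tell what the Data field holds")
    return problems


def pack_overflow(event: dict) -> dict:
    """Keep a 255-character prefix in Text1/Text2 and carry the full strings in Data.

    This follows the text's advice to use Data for what does not fit the string fields.
    The JSON layout and the "application/json" MIME hint are this example's own choice,
    not a Nsure Audit convention.
    """
    event = dict(event)
    overflow = {}
    for name in ("text1", "text2"):
        text = event.get(name, "")
        if len(text) > MAX_TEXT_CHARS:
            overflow[name] = text
            event[name] = text[:MAX_TEXT_CHARS]
    if overflow:
        if event.get("data"):
            raise ValueError("Data field already in use; cannot carry the overflow")
        event["data"] = json.dumps(overflow).encode("utf-8")
        event["mime_hint"] = "application/json"
        event["data_size"] = len(event["data"])
    return event


def unpack_overflow(event: dict) -> dict:
    """Recover the full strings from an event produced by pack_overflow."""
    if event.get("mime_hint") != "application/json" or not event.get("data"):
        return {}
    return json.loads(event["data"].decode("utf-8"))


# Constructed event, not captured from a real system: an over-long, caller-controlled
# object name in Text1 that would be cut off at 255 characters if logged as-is.
LONG_EVENT = {
    "text1": "cn=" + "a" * 600 + ",ou=users,o=example",
    "text2": "loginFailed",
    "value1": 3,
    "value2": 0,
    "mime_hint": "",
    "data_size": 0,
    "data": b"",
}


if __name__ == "__main__":
    print(check_event(LONG_EVENT))
    fixed = pack_overflow(LONG_EVENT)
    print(check_event(fixed), len(fixed["text1"]), fixed["data_size"])
```

Running the block first reports the over-long Text1, then shows the repacked event passing every check with a 255-character Text1 and a Data size that matches the payload. If the overflow itself exceeds 3 KB, check_event still reports the Data field, since nothing in the event structure can hold more than that.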

 

For more information on event and format variables, see Event Variables.

For more information on using Nsure Audit, see Nsure Audit Help.

A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For information on trademarks, see Legal Notices.