ID Number: Q63409
2.00
OS/2
Question:
How do the audit event types (AE_types) map to the list of events
audited on the server?
Response:
The audit events map to the AE_types, as illustrated in the following
table. The enabling of auditing of a given event allows the server to
generate the corresponding AE_type entries in the audit trail.
Event Name Event Bitmask AE_types
---------- ------------- --------
service SVAUD_SERVICE AE_SRVSTATUS, AE_SERVICESTAT
goodsesslogon SVAUD_GOODSESSLOGON AE_SESSLOGON, AE_SESSLOGOFF
badsesslogon SVAUD_BADSESSLOGON AE_SESSPWERR, AE_SESSLOGOFF
sesslogon SVAUD_SESSLOGON AE_SESSLOGON, AE_SESSLOGOFF,
AE_SESSPWERR
goodnetlogon SVAUD_GOODNETLOGON Not audited
badnetlogon SVAUD_BADNETLOGON Audited as badsesslogon
netlogon SVAUD_NETLOGON Only audited at badsesslogon
logon SVAUD_LOGON AE_SESSLOGON, AE_SESSLOGOFF,
AE_SESSPWERR, AE_NETTLOGON,
AE_NETLOGOFF, AE_NETLOGDENIED
gooduse SVAUD_GOODUSE AE_CONNSTART, AE_CONNSTOP
baduse SVAUD_BADUSE AE_CONNREJ, AE_CONNSTOP
use SVAUD_USE AE_CONNSTART, AE_CONNSTOP,
AE_CONNREJ
userlist SVAUD_USERLIST AE_UASMOD
permissions SVAUD_PERMISSIONS AE_ACLMOD
resource SVAUD_RESOURCE AE_RESACCESS, AE_RESACCESSREJ,
AE_CLOSEFILE
logonlimit SVAUD_LOGONLIM AE_ACCLIMITEXCD
Please note that if auditing is enabled, the server start is audited,
regardless of how the auditing switches are set.