The auditing functions are obsolete on Windows NT. Windows NT uses an integrated event logging mechanism for reporting both audits and errors. The NetAudit and NetErrorLog functions are provided to access LAN Manager 2.x logs. They will report ERROR_NOT_SUPPORTED if called on a Windows NT system.
The auditing functions are:
Auditing functions control the audit log on a LAN Manager computer. Auditing functions monitor operations on the specified server. If auditing is enabled, each monitored operation generates an audit entry. For example, when a user establishes a connection to the server, a single audit entry is generated.
Audit entries are stored in a binary file called an audit trail or audit log. All Auditing functions perform their operations on this file. LAN Manager defines many types of audit entries.
NetAuditRead reads the audit log. NetAuditClear clears the audit log.
Data Structures
All audit entries include a fixed-length header used in conjunction with variable-length data specific to the entry type. Because of the variable lengths and structures of the ae_data element of the audit entry (it is possible for ae_data to be zero bytes), only the fixed header is defined in the AUDIT_ENTRY structure.
The variable-length portion of the audit entry can contain an offset to a variable-length Unicode string. The offset values are DWORDs. To determine the value of the pointer to this string, add the offset value to the address of ae_data.
The following example illustrates this procedure. Assume that pAE points to a buffer that contains a complete audit entry and that the ae_type member of the AUDIT_ENTRY structure contains the value AE_CONNSTOP, which specifies the predefined AE_CONNSTOP structure. To point the variable pszComputerName to the Unicode string that contains the name of the client whose connection was stopped, an application would perform the following algorithm:
PAUDIT_ENTRY pAE; // Fixed part of audit entry
LPAE_CONNSTOP pAEvar; // Variable-length structure
LPWSTR pszComputerName; // Pointer to var-length string
// Calculate the offset to the variable-length structure.
pAEvar = (LPAE_CONNSTOP) (((LPBYTE) pAE) + pAE->ae_data_offset);
// Calculate the offset to the computername.
pszComputerName = (LPWSTR) (((LPBYTE) pAEvar) + pAEvar->ae_cp_compname);
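The same offset arithmetic with bounds checks, for the case where the audit log is read from a file whose offsets cannot be trusted. This is an added example, not code from the original documentation. The structures are local mirrors written with fixed-width types (assumed to match lmaudit.h) so the block compiles without Windows headers, the helper names are hypothetical, a little-endian host is assumed, and the caller is assumed to have already checked that ae_type is AE_CONNSTOP.

```c
#include <stdint.h>
#include <string.h>

/* Local mirrors of the fixed header and AE_CONNSTOP (assumed layout). */
typedef struct { uint32_t ae_len, ae_reserved, ae_time, ae_type,
                          ae_data_offset, ae_data_size; } audit_entry_t;
typedef struct { uint32_t ae_cp_compname, ae_cp_username, ae_cp_netname,
                          ae_cp_connid, ae_cp_reason; } ae_connstop_t;

/* Hypothetical helper. Returns the computer name length in UTF-16 code
 * units and stores the string's byte offset within buf in *str_off.
 * Returns -1 if any offset, or the string itself, leaves the entry. */
long ae_connstop_compname(const uint8_t *buf, size_t buflen, size_t *str_off)
{
    audit_entry_t h;
    ae_connstop_t v;
    if (buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);                  /* avoids unaligned reads */
    if (h.ae_len < sizeof h || h.ae_len > buflen) return -1;
    if (h.ae_data_offset < sizeof h || h.ae_data_offset > h.ae_len) return -1;
    size_t room = h.ae_len - h.ae_data_offset;  /* bytes from ae_data to entry end */
    if (h.ae_data_size > room || h.ae_data_size < sizeof v) return -1;
    memcpy(&v, buf + h.ae_data_offset, sizeof v);
    if (v.ae_cp_compname >= room) return -1;    /* offset is relative to ae_data */
    size_t start = h.ae_data_offset + v.ae_cp_compname;
    for (size_t i = start; i + 2 <= h.ae_len; i += 2)
        if (buf[i] == 0 && buf[i + 1] == 0) {   /* 16-bit NUL terminator */
            *str_off = start;
            return (long)((i - start) / 2);
        }
    return -1;                                  /* unterminated inside the entry */
}

/* Constructed sample entry: header, AE_CONNSTOP, then "WS1" as UTF-16LE. */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t name[] = { 'W',0, 'S',0, '1',0, 0,0 };
    audit_entry_t h = { 0 };
    ae_connstop_t v = { 0 };
    v.ae_cp_compname = (uint32_t)sizeof v;      /* string follows the struct */
    h.ae_data_offset = (uint32_t)sizeof h;
    h.ae_data_size = (uint32_t)(sizeof v + sizeof name);
    h.ae_len = (uint32_t)sizeof h + h.ae_data_size;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &v, sizeof v);
    memcpy(buf + sizeof h + sizeof v, name, sizeof name);
    return h.ae_len;
}
```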
The following structures are specific to the audit entry type. The structures follow the AUDIT_ENTRY header, but they are not necessarily contiguous.