Audit Record Format

The format and contents of the audit event records are based on the design of Event Viewer. Event Viewer uses information from the Registry to locate message files and to determine how to present the information in an event record.

Event Viewer expects a number of event source modules to be defined as part of the security audit log information in the Registry. At least one event source module must be provided by each product that generates audit event records. For example, if a mail product is installed, that product's installation procedure needs to add its event source module information to the security log information in the Registry. A special event source module shipped with Windows NT contains default information, so that information does not have to be replicated in other event source modules.

The information defined for event source modules includes:

• Event Message File. This file contains the displayable strings for each audit event record. It includes parameter substitution markers to be replaced at viewing time with Unicode strings logged in the event record.

  Only the event source module shipped with Windows NT should define an event message file. This single event message file serves as the default for other event source modules.

• Category Message File. Categories are discussed in "Error! Reference source not found.," later in this document. Only the security event source module shipped with Windows NT should define a category message file. This single category message file serves as the default for other event source modules. In Windows NT version 3.51, this file is not actually used for auditing.
• Parameter Message File. The parameter message file is used to provide object type-specific access names. Each security event source module should (but does not have to) provide a parameter message file. If object type-specific access names are not provided by an event source module, then default names will be used (such as "Specific Access Bit 0").

When Event Viewer is asked to display an audit record, it uses the event source module name and event ID from the record to retrieve a message string for that event. This string can include parameter substitution markers and other format characters that are interpreted and acted upon by a call to FormatMessage(). For example, the string for a successful logon audit might look like:

Successful Logon: \n\t\tUser Name:\t%1 \n\t\tDomain:\t%2

Notice that this message string includes two parameter substitution markers (%1 and %2). These parameter strings are obtained from the event record. So, if Administrator logged on to a computer named ACCTG, an event record containing those two strings would be recorded. The corresponding event record in Event Viewer would look like this:

Successful Logon:
User Name: Administrator
Domain: ACCTG

Before Event Viewer formats the entire message string, it must format the individual parameter strings received in the event record. In the preceding example, the parameter strings needed no formatting. In the case of an audit generated when a file is opened for WRITE_DATA and WRITE_DAC, however, the event message might be:

Object Open:\n\t\tObject Type:\t%1\n\t\tObject
Name:\t%2\n\t\tAccesses:\t%3

and parameter strings received in the audit record might be:

Parameter string 1: "File"

Parameter string 2: "/accounting\payroll\hours_worked.dat"

Parameter string 3: "%%972\n\t\t\t\t%%1032"

The "%%" directive tells Event Viewer to look up and substitute the message specified by the number following the directive from the parameter message file for the event source module. Assuming message numbers 972 and 1032 in the message file are "Write DAC" and "Write Data" respectively, the third string will be changed to:

Write DAC\n\t\t\tWrite Data

This would cause the resultant display by Event Viewer to look like:

Object Open:
Object Type: File
Object Name: /accounting\payroll\hours_worked.dat
Accesses: Write Dac
Write Data

(This example is for illustrative purposes only and does not correspond to an actual event-record type.)