Audit Data Tables

The tables in this section summarize the content of the Audit Global Header and Audit Records tables.

Field name

Type

Length
(in bytes)

Field Description

Magic

uint32 (1)

4

If the audit is done in a file, Magic is used to identify the file.

MAC

byte (2)

64

Global MAC of the entire audit trail. It is computed by ActivID CMS. Only a classic HID Global MAC (using SHA-1 digest function) and a constant secret (no derivation) are supported.

Version

uint32

4

Gives the version of the audit system that generates the record. Implicitly gives its format (e.g., 0x00010000)

MACAlgo

byte

2

Gives the MAC method used for MACing the global audit trail (global MAC). The global MAC is computed with the concatenation of Audit Global Header fields following the MAC entry + MAC of the last record + Global MAC Secret. The Global MAC Secret is constant (no derivation).

MACMethod

byte

2

MAC method used for MACing the global audit trail.

RecordMACAlgo

byte

2

MAC algorithm used for MACing the individual records.

RecordMACMethod

byte

2

MAC method used for MACing the individual records. The Record MAC is computed with the concatenation of Audit Record fields following the MAC entry + MAC of the previous record (0 if none) + Record MAC Secret. The Record MAC secret is constant (no derivation).

MACSecretID

int32 (3)

4

Identifier of the secret key used to MAC the global audit trail.

RecordMACSecretID

int32

4

Identifier of the secret key used to MAC the individual records.

LastEventNumber

uint32

4

Number of the last event recorded and MACed in this audit trail. The next inserted event number = LastEventNumber + 1.

FirstEventNumber

uint32

4

Number of the first event recorded and MACed in the trail. Normally starts at 1; if the trail is backed up, the trail can restart at an event number > 1.

MACseed

byte

48

MAC value used to compute the MAC of the first record in the trail. Record MAC can be computed by using the MAC of the previous record concatenated with the actual record and a secret. This seed is full 0 for a brand new trail or will contain the MAC of the FirstEventNumber -1 if it is a continued audit trail.

ResNum1

int32

4

RFU field

ResNum2

int32

4

RFU field

ResByte1

byte

254

RFU field

ResByte2

byte

254

RFU field

ServerID

Nvarchar (4)

254

Name of the ActivID CMS server machine

HeaderMAC

Nvarchar

96

MAC value of the Header

HeaderNumber

Int (5)

4

-

(1) uint32 – unsigned integer (32 bits)

(2) byte – unsigned char (8 bits)

(3) int32 – signed integer (32 bits)

(4) Nvarchar – number of bits = <number of characters> x 16 bits

(5) Int – integer (16 bits)

Field name

Type

Length
(in bytes)

Field Description

MAC

Str (6)

64

The MAC of the entire audit record.

EventNumber

Nb (7)

4

Number of the event. This number is added by ActivID CMS. It is a counter that always increments and is guaranteed to be unique for a given audit trail.

TimeStamps

Date

8

The date and time of the event added by ActivID CMS when it processes the event. The time is recorded as the number of milliseconds since January 1, 1970, 00:00:00 GMT, and uses internally a SQL DateTime data type.

EventID

Nb

4

Identifier of the logged event, that is, a number that uniquely identifies the action logged.

EventDescription

Str

96

A string briefly describing the event.

EventSourceProgram

Str

16

Originating Program; a string that identifies the program which is at the origin of the logged operation and which produces the event (e.g., AuditServer).

EventSourceAddress

Str

15

IP address of the machine where the Originating Program (EventSourceProgram) runs.

EventSeverityLevel (8)

Nb

4

Type and severity of the event (Information, Warning, Error…etc.).

ErrorNumber

Nb

4

Error number if any. Error number only exists when EventSeverityLevel is equal to Warning, Error, Alert or Failure audit.

ErrorDescription

Str

96

Short text description of the error, if any.

ClientAddress

Str

15

IP address of the client machine where the operation is performed.

ClientID

Str

72

Identifier of the device (CUID) onto which the operation is done.

OperatorID (9)

Str

72

Identifier of the operator that performs the operation. Typically, the operator is identified by the operator name defined during operator enrollment.

AdditionalInfoNum1

Nb

192

Additional numeric information for the event.

AdditionalInfoNum2

Nb

192

Additional numeric information for the event.

AdditionalInfoChar1

Str

64

Additional string information for the event. When the ClientID contains the device CUID, AdditionalInfoChar1 starts with the device type (e.g., Multos, OP 2.0).

AdditionalInfoChar2

Str

64

Additional string information for the event.

ApplicationSessionID

Varchar (10)

64

Session ID of the Application

HeaderNumber

Int (5)

4

-

EventType

Varchar

64

Type of event that has been generated

(6) Str – String

(7) Nb – Number

(8)EventSeverityLevel – gives the severity level assigned to the event. There are 6 levels of severity:

  • 100 – Information: Infrequent, but significant successful operations (e.g., ActivEngine successfully started).

  • 200 – Warning: Problems that are not significant, but may foretell future errors or other problems.

  • 301 – Error: Significant problems which may indicate a loss of functionality or data (e.g., ActivEngine fails to start).

  • 401 – Alert: Urgent conditions that need immediate correction.

  • 500 – Success audit: Security events that occur when an access attempt is successful (e.g., successful authentication attempt).

  • 601 – Failure audit: Security events that occur when an access attempt fails (e.g., failed authentication attempt).

(9) Depending on the context, the OperatorID values are the following:

OperatorID

Operator Portal

User Portal

CCM API

<Operator name>

All except for LogonSSL event at device synchronization start

Never

All except during device synchronization

Unknown Operator

LogonSSL failed event

Never

LogonSSL failed event
User Never

All except during device synchronization

Never

CMS synch engine

LogonSSL event at device synchronization start

Device synchronization

Device synchronization
Check7Days Never Never Never
Note:  

(10)Varchar – number of bits = <number of characters> x 8 bits

Field Name

Type

Length
(in bytes)

Field Description

MAC

Str (6)

64

The MAC of the header record.

MACAlgo

byte

2

Gives the MAC method used for MACing the header record.

MACMethod

byte

2

MAC method used for MACing the header record.

MACSecretID

int32 (3)

4

Identifier of the secret key used to MAC the header record.

LastHeaderNumber

uint32

4

Number of the last header recorded and MACed in this header record. The next inserted header number = LastEventNumber + 1.

FirstHeaderNumber

uint32

4

Number of the first header recorded and MACed in this header record. Normally starts at 1; if the trail is backed up, the trail can restart at a header number > 1.

MACseed

byte

48

MAC value used to compute the MAC of the first record in the header trail. Record MAC can be computed by using the MAC of the previous record concatenated with the actual record and a secret. This seed is full 0 for a brand new header trail or will contain the MAC of the FirstEventNumber -1 if it is a continued header trail.

Field Name

Type

Length
(in bytes)

Field Description

SPA_CODE

Varchar (10)

64

The parameter code

SPA_VALUE

Varchar

128

The parameter value

SPA_DESCRIPTION

Varchar

128

The parameter description

This table contains two values:

Code

Value Description

PRODUC_VERSION

The audit software version: 2.0

DATABASE_VERSION

The database schema version: 3

Field Name

Type

Length
(in bytes)

Field Description

MAC

Str (6)

64

The MAC of the entire audit record.

SecretID

int32 (3)

4

Identifier of the secret key.

SecretKey

Varchar (10)

64

The secret key.