%SYS.Audit

Class %SYS.Audit Extends (%Persistent, %SYSTEM.Help, %XML.Adaptor) [ Inheritance = right, StorageStrategy = Audit, System = 4 ]

The auditing system allows the user to capture events which occur on the system, and log them to an audit file.

When running SQL queries on the audit log, it is helpful to use the UTCTimestamp in the WHERE clause to speed up the query, and minimize the amount of data which is returned. For example:

SELECT SystemID,AuditIndex,UTCTimeStamp,EventSource,EventType,Event,Pid,CSPSessionID,Username,Description
FROM %SYS.Audit
WHERE UTCTimeStamp BETWEEN :UTCBeginDateTime AND :UTCEndDateTime
ORDER BY UTCTimeStamp DESC, SystemID DESC, AuditIndex DESC

The UTCTimeStamp is the UTC time in ODBC format. To convert a local $H time to this format use the following:

s x=##Class(%SYS.Audit).ConvertLocalHToUTC($H)
The UTCTimeStamp which is returned as part of the record, can be converted to local time with the following:

s x=##Class(%SYS.Audit).ConvertUTCToLocal(UTCTimeStamp)

Access to all the audit class methods require the %Admin_Secure:"Use" privilege.

If you wish to modify an audit record, use the Modify() class method. If you wish to modify it using direct object you must first use the OpenAuditRecord() class method and then the %Save() method. Note that saving the object in this way also requires that the user have write access to the Audit database resource.

Parameters

SOURCECONTROL

Parameter SOURCECONTROL [ Internal ] = {"Revision path: $Id: //iris/latest/databases/sys/cls/Security/Users.xml#66 $"_$c(13,10)_"Last Change:   $DateTime: 2022/06/08 09:18:09 $"_$c(13,10)_"Changelist #:  $Change: 5432096 $"};

Properties

AuditIndex

Property AuditIndex As %BigInt;

Authentication

Property Authentication As Security.Datatype.Authentication;

Authentication method process used.

ClientExecutableName

Property ClientExecutableName As %String(MAXLEN = 128);

Executable name on the client machine.

ClientIPAddress

Property ClientIPAddress As %String(MAXLEN = 128);

IP address of the client, as passed from client. This corresponds to the ClientIPAddress in %SYS.ProcessQuery.

CSPSessionID

Property CSPSessionID As %String(MAXLEN = 16);

Session ID of the process if a CSP process.

Description

Property Description As %SYS.AuditString(MAXLEN = 128);

Description of the audit event.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.

Event

Property Event As %String(MAXLEN = 64);

Name of the audit event.

EventData

Property EventData As %SYS.AuditString(MAXLEN = 16384);

EventData -- arbitrary data associated with this event.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.

EventSource

Property EventSource As %String(MAXLEN = 64);

Event Source (system events all have "%System" here).

EventType

Property EventType As %String(MAXLEN = 64);

EventType.

GroupName

Property GroupName As %String(MAXLEN = 64);

Group of the audit event.

JobId

Property JobId As %String(MAXLEN = 16);

Job ID

JobNumber

Property JobNumber As %Integer [ Calculated, SqlComputeCode = { set {*}=$zb({JobId},65535,1)}, SqlComputed, SqlFieldName = JobNumber ];

Job Number

Namespace

Property Namespace As %String(MAXLEN = 128);

Namespace process was executing in.

OSUsername

Property OSUsername As %String(MAXLEN = 16);

Operating system username of process.
Username given to the process by the operating system when the process is created. When displayed, it is truncated to 16 characters. Note that the real O/S username is only returned when connecting to UNIX or VMS systems; For Windows, it will return the O/S username for a console process, but for telnet it will return the $USERNAME of the process. For client connections, it contains the O/S username of the client.

Pid

Property Pid As %String(MAXLEN = 16);

Process ID.
Note that on VMS system, the Hex pid is stored internally as a decimal value, i.e. $zh(pid).

Roles

Property Roles As %String(MAXLEN = 2048);

$ROLES value that was active when the audit event occurred.

RoutineSpec

Property RoutineSpec As %String(MAXLEN = 512);

Routine running including DB and System.

StartupClientIPAddress

Property StartupClientIPAddress As %String(MAXLEN = 128);

IP address of the client, as detected on the TCP channel by the server process. This corresponds to the StartupClientIPAddress in %SYS.ProcessQuery.

Status

Property Status As %Status [ InitialExpression = 1 ];

Any %Status variable passed into the call.

SystemID

Property SystemID As %String(MAXLEN = 128);

SystemName:ConfigurationName of where the event was generated.
This is useful when merging separate audit streams from different systems.

UserInfo

Property UserInfo As %String(MAXLEN = 64);

User info field

Username

Property Username As %SYS.AuditString(MAXLEN = 160);

Username from $Username that was active when audit event occurred.

UTCTimeStamp

Property UTCTimeStamp As %String(MAXLEN = 64);

UTC $ZTIMESTAMP value when the audit event occurred.

Methods

DescriptionLogicalToDisplay

ClassMethod DescriptionLogicalToDisplay(Description As %String) As %String [ Internal ]

EventDataLogicalToDisplay

ClassMethod EventDataLogicalToDisplay(EventData As %String) As %String [ Internal ]

NamespaceLogicalToDisplay

ClassMethod NamespaceLogicalToDisplay(Namespace As %String) As %String [ Internal ]

ApplyAuditHeader

ClassMethod ApplyAuditHeader() As %Status [ Internal ]

Apply the audit header to the audit file.
Requires %Admin_Secure:"Use" privilege.

CheckHeader

ClassMethod CheckHeader(EndDateTime As %String) As %Integer [ Internal, Private ]

Determine if any records in the audit header are prior to EndDateTime.

Convert

ClassMethod Convert(ByRef Count As %Integer) As %Status

Converts Audit records to the current IRIS format.
This is called before any of the Audit methods runs and also during an upgrade to make sure that the audit global is in the current format.
It will also check if there are any audit records in Cache' format (stored in the ^CacheAuditD global) and merge those globals into the current IRIS audit global.
Note that journaling is turned off for the process during the conversion.

Parameters:
Count (byref) - Returned count of number of audit records converted.
0 - Version already matches.
Requires %Admin_Secure:"Use" privilege.

ConvertLocalHToUTC

ClassMethod ConvertLocalHToUTC(LocalH As %String) As %String

Convert the local $H time to an ODBC format string in UTC.
When using SQL, use this function to convert a local time in $h to UTC time to use in your SELECT statement.

ConvertUTCHToLocal

ClassMethod ConvertUTCHToLocal(UTC As %String) As %String

Convert a UTCTimeStamp in ODBC format to Local Time in ODBC format.

ConvertUTCToLocal

ClassMethod ConvertUTCToLocal(UTC As %String) As %String [ Internal ]

Copy

ClassMethod Copy(ByRef NumCopied As %Integer, Namespace As %String, Flags As %Integer = 0, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") As %Status

Copy matching audit records to a defined namespace.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Namespace - Valid namespace to copy audit records to
Flags - Bit 0 - Delete audit record after copy
Return values:
NumCopied (byref) - Number of audit records copied
Requires %Admin_Secure:"Use" privilege.

CreateGlobals

ClassMethod CreateGlobals(Directory As %String) As %Status [ Internal ]

Creates the audit globals with the correct collation. Requires %Admin_Secure:"Use" privilege.

Delete

ClassMethod Delete(ByRef NumDeleted As %Integer, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*", JSONSearch As %String = "") As %Status

Delete matching audit records.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to delete, use "" to begin with the first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to delete. Audit records will be deleted up through, but not including, this value. Use "" to delete through last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
JSONSearch - String to search for in the JSON Data field Return values:
NumDeleted (byref) - Number of audit records deleted
Requires %Admin_Secure:"Use" privilege.

Erase

ClassMethod Erase(Flags As %Integer = 0) As %Status

Erase the audit file.
Flags: 0 - Erase all contents
1 - Erase and create new audit file
2 - Erase and create new audit file, treat as encryption state changed
Note that bit 1 infers that ALL data in the audit database will be deleted, not just Audit data
Requires %Admin_Secure:"Use" privilege.

Exists

ClassMethod Exists(UTCTimeStamp As %String = "", SystemID As %String = "", AuditIndex As %Integer = 0, ByRef Audit As %ObjectHandle, ByRef Status As %Status) As %Boolean

Audit record exists.
This method checks for the existence of an Audit record in the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
If Value of the method = 0 (Audit record does not exist, or some error occured)
Audit = Null
Status = Audit "x" does not exist, or other error message

If Value of the method = 1 (Audit record exists)
Audit = Object handle to Audit record
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.

Export

ClassMethod Export(FileName As %String, ByRef NumExported As %Integer, Flags As %Integer = 0, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") As %Status

Export matching records to an xml file.
Parameters:
FileName - Valid filename to copy audit records to
Flags - Bit 0 - Delete audit record after export
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Username - Comma separated list of user names to copy, "*" = All
Return values:
NumCopied (byref) - Number of audit records exported.
Note: Two audit record will get written out when this is called in case the first one is deleted as part of the export operation.
Requires %Admin_Secure:"Use" privilege.

Get

ClassMethod Get(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %Integer, ByRef Properties As %String) As %Status

Get the Audit properties.
Parameters:
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
Properties - Array of properties
Properties("AuditIndex")
Properties("ClientExecutableName")
Properties("ClientIPAddress")
Properties("CSPSessionID")
Properties("Description")
Properties("Event")
Properties("EventData")
Properties("EventSource")
Properties("EventType")
Properties("JobId")
Properties("Namespace")
Properties("Pid")
Properties("Roles")
Properties("RoutineSpec")
Properties("StartupClientIPAddress")
Properties("SystemID")
Properties("Username")
Properties("UTCTimeStamp")
Requires %Admin_Secure:"Use" privilege.

GetAuditDatabase

ClassMethod GetAuditDatabase() As %String [ Internal ]

Get audit database (directory) using $$$GetAuditDatabase or the name of the database where we would audit to if it were turned on. Code copied from ..Erase() for use by shadowing. Requires %Admin_Secure:"Use" privilege.

GetProperties

ClassMethod GetProperties(Audit As %ObjectHandle, ByRef Properties As %String) As %Status [ Internal ]

Get the Audit properties.
Parameters:
Audit - Object handle to an audit record Properties Get the Audit properties.
Requires %Admin_Secure:"Use" privilege.

Import

ClassMethod Import(FileName As %String, ByRef NumImported As %Integer, Flags As %Integer = 0) As %Status

Import audit records from an xml file.
Parameters:
FileName - Valid filename to import audit records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
Audit records may not be imported into the %SYS namespace
Requires %Admin_Secure:"Use" privilege.

Modify

ClassMethod Modify(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %Integer, ByRef Properties As %String) As %Status

Modify an Audit record's properties.
Modifies an Audit records properties from the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
See the Get() method for a description of the Properties parameter.
If a specific property is not passed in the properties array, the value is not modified.
Requires %Admin_Secure:"Use" privilege.

Stop

ClassMethod Stop() As %Status [ Internal ]

Stops auditing.
Called when the system audit parameters change, and at shutdown. Do not call directly to stop auditing. Requires %Admin_Secure:"Use" privilege.

UpdateAuditFile

ClassMethod UpdateAuditFile() As %Status [ Internal ]

Start/Stop/Switch the Audit file based on the contents of the audit configuration.
Called only when the audit parameters are changed in the Security.System class. Requires %Admin_Secure:"Use" privilege.

WriteToAuditFile

ClassMethod WriteToAuditFile(Source As %String, Type As %String, Name As %String, EventData As %String, Description As %String, Force As %Integer = 0) As %Boolean [ Internal ]

Write a record to the audit file.
Used internally by the Config.* and Security.* methods.

ListExecute

ClassMethod ListExecute(ByRef %qHandle As %Binary, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*", Pids As %String = "*", Groups As %String = "*", Authentications As Security.Datatype.Authentication = "*", Flags As %Integer = 0, JSONSearch As %String = "") As %Status [ Internal ]

List all audit records, brief display, reverse order.
Parameters: BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Pids - Comma separated list of Pids,VMS systems passed in Hex
Groups - Comma separated list of Groups (currently unused)
Authentication - Comma separated list of authentication types
Flags - 0=Descending (most recent first) 1=Ascending (earliest first)
JSONSearch - String to search for in the JSON Data field Requires %Admin_Secure:"Use" privilege.

ListFetch

ClassMethod ListFetch(ByRef %qHandle As %Binary, ByRef Row As %List, ByRef AtEnd As %Integer = 0) As %Status [ Internal, PlaceAfter = ListExecute ]

ListClose

ClassMethod ListClose(ByRef %qHandle As %Binary) As %Status [ Internal, PlaceAfter = ListExecute ]

ListByUserExecute

ClassMethod ListByUserExecute(ByRef %qHandle As %Binary, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*", Pids As %String = "*", Groups As %String = "*", Authentications As Security.Datatype.Authentication = "*") As %Status [ Internal ]

List audit records ordered by Username. Parameters: BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.

CheckAuthentication

ClassMethod CheckAuthentication(Select, Data) As %Boolean [ Internal, SqlProc ]

ListByUserFetch

ClassMethod ListByUserFetch(ByRef %qHandle As %Binary, ByRef Row As %List, ByRef AtEnd As %Integer = 0) As %Status [ Internal, PlaceAfter = ListByUserExecute ]

ListByUserClose

ClassMethod ListByUserClose(ByRef %qHandle As %Binary) As %Status [ Internal, PlaceAfter = ListByUserExecute ]

ListByEventExecute

ClassMethod ListByEventExecute(ByRef %qHandle As %Binary, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*", Pids As %String = "*", Groups As %String = "*", Authentications As Security.Datatype.Authentication = "*") As %Status [ Internal ]

List audit records ordered by Event Source, Event Type, and Event.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.

ListByEventFetch

ClassMethod ListByEventFetch(ByRef %qHandle As %Binary, ByRef Row As %List, ByRef AtEnd As %Integer = 0) As %Status [ Internal, PlaceAfter = ListByEventExecute ]

ListByEventClose

ClassMethod ListByEventClose(ByRef %qHandle As %Binary) As %Status [ Internal, PlaceAfter = ListByEventExecute ]

ListByPidExecute

ClassMethod ListByPidExecute(ByRef %qHandle As %Binary, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*", Pids As %String = "*", Groups As %String = "*", Authentications As Security.Datatype.Authentication = "*") As %Status [ Internal ]

List audit records ordered by Pid.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.

ListByPidFetch

ClassMethod ListByPidFetch(ByRef %qHandle As %Binary, ByRef Row As %List, ByRef AtEnd As %Integer = 0) As %Status [ Internal, PlaceAfter = ListByPidExecute ]

ListByPidClose

ClassMethod ListByPidClose(ByRef %qHandle As %Binary) As %Status [ Internal, PlaceAfter = ListByPidExecute ]

OpenAuditItem

ClassMethod OpenAuditItem(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %BigInt) As %SYS.Audit

Open an Audit Log item, given its ID information (UTC date, system ID, and audit index).
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.

%OnOpen

Method %OnOpen() As %Status [ Internal, Private, ServerOnly = 1 ]

Parameters​

SOURCECONTROL​

Properties​

AuditIndex​

Authentication​

ClientExecutableName​

ClientIPAddress​

CSPSessionID​

Description​

Event​

EventData​

EventSource​

EventType​

GroupName​

JobId​

JobNumber​

Namespace​

OSUsername​

Pid​

Roles​

RoutineSpec​

StartupClientIPAddress​

Status​

SystemID​

UserInfo​

Username​

UTCTimeStamp​

Methods​

DescriptionLogicalToDisplay​

EventDataLogicalToDisplay​

NamespaceLogicalToDisplay​

ApplyAuditHeader​

CheckHeader​

Convert​

ConvertLocalHToUTC​

ConvertUTCHToLocal​

ConvertUTCToLocal​

Copy​

CreateGlobals​

Delete​

Erase​

Exists​

Export​

Get​

GetAuditDatabase​

GetProperties​

Import​

Modify​

Stop​

UpdateAuditFile​

WriteToAuditFile​

ListExecute​

ListFetch​

ListClose​

ListByUserExecute​

CheckAuthentication​

ListByUserFetch​

ListByUserClose​

ListByEventExecute​

ListByEventFetch​

ListByEventClose​

ListByPidExecute​

ListByPidFetch​

ListByPidClose​

OpenAuditItem​

%OnOpen​