How To Identify the Event Type of an Audit Record

Reference Guide › Audit Log Records › How To Identify the Event Type of an Audit Record

How To Identify the Event Type of an Audit Record

To understand the content of an audit record, you must first identify the event type of the audit record. This is because the data the record contains depends on the type of event that triggered the creation of the audit record.

Note: The order, number, and content of columns that you see for an audit log record depend on the method you choose to view the audit log. Some fields do not display in CA ControlMinder Endpoint Management, seaudit output, or the detailed seaudit output. Also, if you use the seaudit utility, the options you specify may also determine the number, order, and content of the columns.

To identify the event type of an audit record:

If you are viewing audit records in CA ControlMinder Endpoint Management, the event type the audit record belongs to displays in the first column of the Audit Records Result pane.
To display more information about the audit record, click the link audit event type in the first column.
If you are viewing audit records in seaudit output, you need to display the detailed output (-detail option) to see the event type.

Once you identify the event type, you can go on to interpret the rest of the message detail.

Example: Audit Records in CA ControlMinder Endpoint Management

The following image shows you how CA ControlMinder Endpoint Management presents audit events:

The Audit Records Result pane displays audit records that match the display filter criteria

Example: Audit Records in Default seaudit Output

The following snippet of a seaudit output shows you how the seaudit utility presents audit events by default:

19 Dec 2008 16:46:47 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:46:52 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:46:53 P LOGIN        TM123VM-AC\Administrator   55  2 TM123VM-AC           C:\WINDOWS\system32\lsass.exe
19 Dec 2008 16:46:57 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:02 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:07 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:12 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:16 S UPDATE       GROUP      TM123VM-AC\Administrator  336  0 test       TM123VM-AC egtest audit-
19 Dec 2008 18:28:18 P LOGIN        TM123VM-AC\Administrator   55 10 TM123VM-AC           selang
19 Dec 2008 18:28:18 S UPDATE       TERMINAL   TM123VM-AC\Administrator  305  0 TM123VM-AC-SC1.ca.com TM123VM-AC er terminal TM123VM-AC-SC1.ca.com

The detailed seaudit output for the first message above is as follows:

19 Dec 2008 16:46:47 P WINSERVICE   TM123VM-AC\Administrator Read     1059  2 VMTools              C:\WINDOWS\system32\services.exe TW852VM-AC
Event type: Resource access
Status: Permitted
Class: WINSERVICE
Resource: VMTools
Access: Read
User name: TM123VM-AC\Administrator
User Logon Session ID: 00000000:05647d29
Terminal: TM123VM-AC
Program: C:\WINDOWS\system32\services.exe
Date: 19 Dec 2008
Time: 16:46
Details: Default record universal access check
Audit flags: AC database user