%SYS.Audit
persistent class %SYS.Audit extends %Library.Persistent, %SYSTEM.Help, %XML.Adaptor
SQL Table Name: %SYS.Audit
The auditing system allows the user to capture events which occur on the system, and log them to an audit file.When running SQL queries on the audit log, it is helpful to use the UTCTimestamp in the WHERE clause to speed up the query, and minimize the amount of data which is returned. For example:
SELECT SystemID,AuditIndex,UTCTimeStamp,EventSource,EventType,Event,Pid,CSPSessionID,Username,Description
FROM %SYS.Audit
WHERE UTCTimeStamp BETWEEN :UTCBeginDateTime AND :UTCEndDateTime
ORDER BY UTCTimeStamp DESC, SystemID DESC, AuditIndex DESC
The UTCTimeStamp is the UTC time in ODBC format. To convert a local $H time to this format use the following:
s x=##Class(%SYS.Audit).ConvertLocalHToUTC($H)
The UTCTimeStamp which is returned as part of the record, can be converted to local time with the following:
s x=##Class(%SYS.Audit).ConvertUTCToLocal(UTCTimeStamp)
Access to all the audit class methods require the %Admin_Secure:"Use" privilege.
If you wish to modify an audit record, use the Modify() class method. If you wish to modify it using direct object you must first use the OpenAuditRecord() class method and then the %Save() method. Note that saving the object in this way also requires that the user have write access to the Audit database resource.
Property Inventory
- AuditIndex
- Authentication
- CSPSessionID
- ClientExecutableName
- ClientIPAddress
- Description
- Event
- EventData
- EventSource
- EventType
- GroupName
- JobId
- JobNumber
- Namespace
- OSUsername
- Pid
- Roles
- RoutineSpec
- StartupClientIPAddress
- Status
- SystemID
- UTCTimeStamp
- UserInfo
- Username
Method Inventory
- Convert()
- ConvertLocalHToUTC()
- ConvertUTCHToLocal()
- Copy()
- Delete()
- Erase()
- Exists()
- Export()
- Get()
- Import()
- Modify()
- OpenAuditItem()
Properties
property AuditIndex as %BigInt [ Required ];
Property methods: AuditIndexDisplayToLogical(), AuditIndexGet(), AuditIndexGetStored(), AuditIndexIsValid(), AuditIndexLogicalToDisplay(), AuditIndexNormalize(), AuditIndexSet(), AuditIndexXSDToLogical()
property Authentication as Security.Datatype.Authentication;
Authentication method process used.
Property methods: AuthenticationDisplayToLogical(), AuthenticationGet(), AuthenticationGetStored(), AuthenticationIsValid(), AuthenticationLogicalToDisplay(), AuthenticationLogicalToOdbc(), AuthenticationNormalize(), AuthenticationSet(), AuthenticationXSDToLogical()
property CSPSessionID as %String (MAXLEN = 16);
Session ID of the process if a CSP process.
Property methods: CSPSessionIDDisplayToLogical(), CSPSessionIDGet(), CSPSessionIDGetStored(), CSPSessionIDIsValid(), CSPSessionIDLogicalToDisplay(), CSPSessionIDLogicalToOdbc(), CSPSessionIDNormalize(), CSPSessionIDSet()
property ClientExecutableName as %String (MAXLEN = 128);
Executable name on the client machine.
Property methods: ClientExecutableNameDisplayToLogical(), ClientExecutableNameGet(), ClientExecutableNameGetStored(), ClientExecutableNameIsValid(), ClientExecutableNameLogicalToDisplay(), ClientExecutableNameLogicalToOdbc(), ClientExecutableNameNormalize(), ClientExecutableNameSet()
property ClientIPAddress as %String (MAXLEN = 128);
IP address of the client, as passed from client. This corresponds to the ClientIPAddress in %SYS.ProcessQuery.
Property methods: ClientIPAddressDisplayToLogical(), ClientIPAddressGet(), ClientIPAddressGetStored(), ClientIPAddressIsValid(), ClientIPAddressLogicalToDisplay(), ClientIPAddressLogicalToOdbc(), ClientIPAddressNormalize(), ClientIPAddressSet()
property Description as %SYS.AuditString (MAXLEN = 128);
Description of the audit event.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.
Property methods: DescriptionDisplayToLogical(), DescriptionGet(), DescriptionGetStored(), DescriptionIsValid(), DescriptionLogicalToOdbc(), DescriptionLogicalToXSD(), DescriptionNormalize(), DescriptionSet()
property Event as %String (MAXLEN = 64);
Name of the audit event.
Property methods: EventDisplayToLogical(), EventGet(), EventGetStored(), EventIsValid(), EventLogicalToDisplay(), EventLogicalToOdbc(), EventNormalize(), EventSet()
property EventData as %SYS.AuditString (MAXLEN = 16384);
EventData -- arbitrary data associated with this event.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.
Property methods: EventDataDisplayToLogical(), EventDataGet(), EventDataGetStored(), EventDataIsValid(), EventDataLogicalToOdbc(), EventDataLogicalToXSD(), EventDataNormalize(), EventDataSet()
property EventSource as %String (MAXLEN = 64);
Event Source (system events all have "%System" here).
Property methods: EventSourceDisplayToLogical(), EventSourceGet(), EventSourceGetStored(), EventSourceIsValid(), EventSourceLogicalToDisplay(), EventSourceLogicalToOdbc(), EventSourceNormalize(), EventSourceSet()
property EventType as %String (MAXLEN = 64);
EventType.
Property methods: EventTypeDisplayToLogical(), EventTypeGet(), EventTypeGetStored(), EventTypeIsValid(), EventTypeLogicalToDisplay(), EventTypeLogicalToOdbc(), EventTypeNormalize(), EventTypeSet()
property GroupName as %String (MAXLEN = 64);
Group of the audit event.
Property methods: GroupNameDisplayToLogical(), GroupNameGet(), GroupNameGetStored(), GroupNameIsValid(), GroupNameLogicalToDisplay(), GroupNameLogicalToOdbc(), GroupNameNormalize(), GroupNameSet()
property JobId as %String (MAXLEN = 16);
Job ID
Property methods: JobIdDisplayToLogical(), JobIdGet(), JobIdGetStored(), JobIdIsValid(), JobIdLogicalToDisplay(), JobIdLogicalToOdbc(), JobIdNormalize(), JobIdSet()
property JobNumber as %Integer [ Calculated ];
Job Number
Property methods: JobNumberCompute(), JobNumberDisplayToLogical(), JobNumberGet(), JobNumberIsValid(), JobNumberLogicalToDisplay(), JobNumberNormalize(), JobNumberSQLCompute(), JobNumberXSDToLogical()
property Namespace as %String (MAXLEN = 128);
Namespace process was executing in.
Property methods: NamespaceDisplayToLogical(), NamespaceGet(), NamespaceGetStored(), NamespaceIsValid(), NamespaceLogicalToOdbc(), NamespaceNormalize(), NamespaceSet()
property OSUsername as %String (MAXLEN = 16);
Operating system username of process.
Username given to the process by the operating system when the process is created. When displayed, it is truncated to 16 characters. Note that the real O/S username is only returned when connecting to UNIX or VMS systems; For Windows, it will return the O/S username for a console process, but for telnet it will return the $USERNAME of the process. For client connections, it contains the O/S username of the client.
Username given to the process by the operating system when the process is created. When displayed, it is truncated to 16 characters. Note that the real O/S username is only returned when connecting to UNIX or VMS systems; For Windows, it will return the O/S username for a console process, but for telnet it will return the $USERNAME of the process. For client connections, it contains the O/S username of the client.
Property methods: OSUsernameDisplayToLogical(), OSUsernameGet(), OSUsernameGetStored(), OSUsernameIsValid(), OSUsernameLogicalToDisplay(), OSUsernameLogicalToOdbc(), OSUsernameNormalize(), OSUsernameSet()
property Pid as %String (MAXLEN = 16);
Process ID.
Note that on VMS system, the Hex pid is stored internally as a decimal value, i.e. $zh(pid).
Note that on VMS system, the Hex pid is stored internally as a decimal value, i.e. $zh(pid).
Property methods: PidDisplayToLogical(), PidGet(), PidGetStored(), PidIsValid(), PidLogicalToDisplay(), PidLogicalToOdbc(), PidNormalize(), PidSet()
property Roles as %String (MAXLEN = 2048);
$ROLES value that was active when the audit event occurred.
Property methods: RolesDisplayToLogical(), RolesGet(), RolesGetStored(), RolesIsValid(), RolesLogicalToDisplay(), RolesLogicalToOdbc(), RolesNormalize(), RolesSet()
property RoutineSpec as %String (MAXLEN = 512);
Routine running including DB and System.
Property methods: RoutineSpecDisplayToLogical(), RoutineSpecGet(), RoutineSpecGetStored(), RoutineSpecIsValid(), RoutineSpecLogicalToDisplay(), RoutineSpecLogicalToOdbc(), RoutineSpecNormalize(), RoutineSpecSet()
property StartupClientIPAddress as %String (MAXLEN = 128);
IP address of the client, as detected on the TCP channel by the server process.
This corresponds to the StartupClientIPAddress in %SYS.ProcessQuery.
Property methods: StartupClientIPAddressDisplayToLogical(), StartupClientIPAddressGet(), StartupClientIPAddressGetStored(), StartupClientIPAddressIsValid(), StartupClientIPAddressLogicalToDisplay(), StartupClientIPAddressLogicalToOdbc(), StartupClientIPAddressNormalize(), StartupClientIPAddressSet()
property Status as %Status [ InitialExpression = 1 ];
Any %Status variable passed into the call.
Property methods: StatusGet(), StatusGetStored(), StatusIsValid(), StatusLogicalToOdbc(), StatusLogicalToXSD(), StatusSet(), StatusXSDToLogical()
property SystemID as %String (MAXLEN = 128) [ Required ];
SystemName:ConfigurationName of where the event was generated.
This is useful when merging separate audit streams from different systems.
This is useful when merging separate audit streams from different systems.
Property methods: SystemIDDisplayToLogical(), SystemIDGet(), SystemIDGetStored(), SystemIDIsValid(), SystemIDLogicalToDisplay(), SystemIDLogicalToOdbc(), SystemIDNormalize(), SystemIDSet()
property UTCTimeStamp as %String (MAXLEN = 64) [ Required ];
UTC $ZTIMESTAMP value when the audit event occurred.
Property methods: UTCTimeStampDisplayToLogical(), UTCTimeStampGet(), UTCTimeStampGetStored(), UTCTimeStampIsValid(), UTCTimeStampLogicalToDisplay(), UTCTimeStampLogicalToOdbc(), UTCTimeStampNormalize(), UTCTimeStampSet()
property UserInfo as %String (MAXLEN = 64);
User info field
Property methods: UserInfoDisplayToLogical(), UserInfoGet(), UserInfoGetStored(), UserInfoIsValid(), UserInfoLogicalToDisplay(), UserInfoLogicalToOdbc(), UserInfoNormalize(), UserInfoSet()
property Username as %SYS.AuditString (MAXLEN = 160);
Username from $Username that was active when audit event occurred.
Property methods: UsernameDisplayToLogical(), UsernameGet(), UsernameGetStored(), UsernameIsValid(), UsernameLogicalToDisplay(), UsernameLogicalToOdbc(), UsernameLogicalToXSD(), UsernameNormalize(), UsernameSet()
Methods
Converts Audit records to the current IRIS format.
This is called before any of the Audit methods runs and also during an upgrade to make sure that the audit global is in the current format.
It will also check if there are any audit records in Cache' format (stored in the ^CacheAuditD global) and merge those globals into the current IRIS audit global.
Note that journaling is turned off for the process during the conversion.
Parameters:
Count (byref) - Returned count of number of audit records converted.
0 - Version already matches.
Requires %Admin_Secure:"Use" privilege.
This is called before any of the Audit methods runs and also during an upgrade to make sure that the audit global is in the current format.
It will also check if there are any audit records in Cache' format (stored in the ^CacheAuditD global) and merge those globals into the current IRIS audit global.
Note that journaling is turned off for the process during the conversion.
Parameters:
Count (byref) - Returned count of number of audit records converted.
0 - Version already matches.
Requires %Admin_Secure:"Use" privilege.
Convert the local $H time to an ODBC format string in UTC.
When using SQL, use this function to convert a local time in $h to UTC time to use in your SELECT statement.
When using SQL, use this function to convert a local time in $h to UTC time to use in your SELECT statement.
Convert a UTCTimeStamp in ODBC format to Local Time in ODBC format.
classmethod Copy(ByRef NumCopied As %Integer, Namespace As %String, Flags As %Integer = 0, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") as %Status
Copy matching audit records to a defined namespace.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Namespace - Valid namespace to copy audit records to
Flags - Bit 0 - Delete audit record after copy
Return values:
NumCopied (byref) - Number of audit records copied
Requires %Admin_Secure:"Use" privilege.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Namespace - Valid namespace to copy audit records to
Flags - Bit 0 - Delete audit record after copy
Return values:
NumCopied (byref) - Number of audit records copied
Requires %Admin_Secure:"Use" privilege.
classmethod Delete(ByRef NumDeleted As %Integer, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") as %Status
Delete matching audit records.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to delete, use "" to begin with the first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to delete. Audit records will be deleted up through, but not including, this value. Use "" to delete through last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Return values:
NumDeleted (byref) - Number of audit records deleted
Requires %Admin_Secure:"Use" privilege.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to delete, use "" to begin with the first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to delete. Audit records will be deleted up through, but not including, this value. Use "" to delete through last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Return values:
NumDeleted (byref) - Number of audit records deleted
Requires %Admin_Secure:"Use" privilege.
Erase the audit file.
Flags: 0 - Erase all contents
1 - Erase and create new audit file
2 - Erase and create new audit file, treat as encryption state changed
Note that bit 1 infers that ALL data in the audit database will be deleted, not just Audit data
Requires %Admin_Secure:"Use" privilege.
Flags: 0 - Erase all contents
1 - Erase and create new audit file
2 - Erase and create new audit file, treat as encryption state changed
Note that bit 1 infers that ALL data in the audit database will be deleted, not just Audit data
Requires %Admin_Secure:"Use" privilege.
classmethod Exists(UTCTimeStamp As %String = "", SystemID As %String = "", AuditIndex As %Integer = 0, ByRef Audit As %ObjectHandle, ByRef Status As %Status) as %Boolean
Audit record exists.
This method checks for the existence of an Audit record in the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
If Value of the method = 0 (Audit record does not exist, or some error occured)
Audit = Null
Status = Audit "x" does not exist, or other error message
If Value of the method = 1 (Audit record exists)
Audit = Object handle to Audit record
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.
This method checks for the existence of an Audit record in the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
If Value of the method = 0 (Audit record does not exist, or some error occured)
Audit = Null
Status = Audit "x" does not exist, or other error message
If Value of the method = 1 (Audit record exists)
Audit = Object handle to Audit record
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.
classmethod Export(FileName As %String, ByRef NumExported As %Integer, Flags As %Integer = 0, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") as %Status
Export matching records to an xml file.
Parameters:
FileName - Valid filename to copy audit records to
Flags - Bit 0 - Delete audit record after export
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Username - Comma separated list of user names to copy, "*" = All
Return values:
NumCopied (byref) - Number of audit records exported.
Note: Two audit record will get written out when this is called in case the first one is deleted as part of the export operation.
Requires %Admin_Secure:"Use" privilege.
Parameters:
FileName - Valid filename to copy audit records to
Flags - Bit 0 - Delete audit record after export
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Username - Comma separated list of user names to copy, "*" = All
Return values:
NumCopied (byref) - Number of audit records exported.
Note: Two audit record will get written out when this is called in case the first one is deleted as part of the export operation.
Requires %Admin_Secure:"Use" privilege.
classmethod Get(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %Integer, ByRef Properties As %String) as %Status
Get the Audit properties.
Parameters:
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
Properties - Array of properties
Properties("AuditIndex")
Properties("ClientExecutableName")
Properties("ClientIPAddress")
Properties("CSPSessionID")
Properties("Description")
Properties("Event")
Properties("EventData")
Properties("EventSource")
Properties("EventType")
Properties("JobId")
Properties("Namespace")
Properties("Pid")
Properties("Roles")
Properties("RoutineSpec")
Properties("StartupClientIPAddress")
Properties("SystemID")
Properties("Username")
Properties("UTCTimeStamp")
Requires %Admin_Secure:"Use" privilege.
Parameters:
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
Properties - Array of properties
Properties("AuditIndex")
Properties("ClientExecutableName")
Properties("ClientIPAddress")
Properties("CSPSessionID")
Properties("Description")
Properties("Event")
Properties("EventData")
Properties("EventSource")
Properties("EventType")
Properties("JobId")
Properties("Namespace")
Properties("Pid")
Properties("Roles")
Properties("RoutineSpec")
Properties("StartupClientIPAddress")
Properties("SystemID")
Properties("Username")
Properties("UTCTimeStamp")
Requires %Admin_Secure:"Use" privilege.
classmethod Import(FileName As %String, ByRef NumImported As %Integer, Flags As %Integer = 0) as %Status
Import audit records from an xml file.
Parameters:
FileName - Valid filename to import audit records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
Audit records may not be imported into the %SYS namespace
Requires %Admin_Secure:"Use" privilege.
Parameters:
FileName - Valid filename to import audit records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
Audit records may not be imported into the %SYS namespace
Requires %Admin_Secure:"Use" privilege.
classmethod Modify(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %Integer, ByRef Properties As %String) as %Status
Modify an Audit record's properties.
Modifies an Audit records properties from the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
See the Get() method for a description of the Properties parameter.
If a specific property is not passed in the properties array, the value is not modified.
Requires %Admin_Secure:"Use" privilege.
Modifies an Audit records properties from the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
See the Get() method for a description of the Properties parameter.
If a specific property is not passed in the properties array, the value is not modified.
Requires %Admin_Secure:"Use" privilege.
classmethod OpenAuditItem(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %BigInt) as %SYS.Audit
Open an Audit Log item, given its ID information (UTC date, system ID, and audit index).
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.
Queries
query List(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication, Flags As %Integer)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String, ClientExecutableName As %String, ClientIPAddress As %String, EventData As %String, Namespace As %String, Roles As %String, RoutineSpec As %String, UserInfo As %String, JobId As %String, Status As %String, OSUsername As %String, StartupClientIPAddress As %String
List all audit records, brief display, reverse order.
Parameters: BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Pids - Comma separated list of Pids,VMS systems passed in Hex
Groups - Comma separated list of Groups (currently unused)
Authentication - Comma separated list of authentication types
Flags - 0=Descending (most recent first) 1=Ascending (earliest first)
Requires %Admin_Secure:"Use" privilege.
Parameters: BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Pids - Comma separated list of Pids,VMS systems passed in Hex
Groups - Comma separated list of Groups (currently unused)
Authentication - Comma separated list of authentication types
Flags - 0=Descending (most recent first) 1=Ascending (earliest first)
Requires %Admin_Secure:"Use" privilege.
query ListByEvent(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String, ClientExecutableName As %String, ClientIPAddress As %String, EventData As %String, Namespace As %String, Roles As %String, RoutineSpec As %String, UserInfo As %String, JobId As %String, Status As %String, OSUsername As %String, StartupClientIPAddress As %String
List audit records ordered by Event Source, Event Type, and Event.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
query ListByPid(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String, ClientExecutableName As %String, ClientIPAddress As %String, EventData As %String, Namespace As %String, Roles As %String, RoutineSpec As %String, UserInfo As %String, JobId As %String, Status As %String, OSUsername As %String, StartupClientIPAddress As %String
List audit records ordered by Pid.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
query ListByUser(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String, ClientExecutableName As %String, ClientIPAddress As %String, EventData As %String, Namespace As %String, Roles As %String, RoutineSpec As %String, UserInfo As %String, JobId As %String, Status As %String, OSUsername As %String, StartupClientIPAddress As %String
List audit records ordered by Username.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
Inherited Members
Inherited Methods
- %%CLASSNAMELogicalToStorage()
- %%CLASSNAMEStorageToLogical()
- %AddToSaveSet()
- %AddToSyncSet()
- %BMEBuilt()
- %BuildIndicesAsync()
- %BuildIndicesAsyncResponse()
- %CheckConstraints()
- %CheckConstraintsForExtent()
- %ClassIsLatestVersion()
- %ClassName()
- %ComposeOid()
- %ConstructClone()
- %Delete()
- %DeleteExtent()
- %DeleteId()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Exists()
- %ExistsId()
- %Extends()
- %GUID()
- %GUIDSet()
- %GetLock()
- %GetParameter()
- %GetSwizzleObject()
- %Id()
- %InsertBatch()
- %IsA()
- %IsModified()
- %IsNull()
- %KillExtent()
- %KillExtentData()
- %LoadFromMemory()
- %LockExtent()
- %LockId()
- %New()
- %NormalizeObject()
- %ObjectIsNull()
- %ObjectModified()
- %Oid()
- %OnBeforeAddToSync()
- %OnDeleteFinally()
- %OnDetermineClass()
- %OnOpenFinally()
- %OnSaveFinally()
- %Open()
- %OpenId()
- %OriginalNamespace()
- %PackageName()
- %PhysicalAddress()
- %PurgeIndices()
- %Reload()
- %RemoveFromSaveSet()
- %ResolveConcurrencyConflict()
- %RollBack()
- %Save()
- %SaveDirect()
- %SaveIndices()
- %SerializeObject()
- %SetModified()
- %SortBegin()
- %SortEnd()
- %SyncObjectIn()
- %SyncTransport()
- %UnlockExtent()
- %UnlockId()
- %ValidateIndices()
- %ValidateObject()
- %ValidateTable()
- Help()
- XMLDTD()
- XMLExport()
- XMLExportToStream()
- XMLExportToString()
- XMLNew()
- XMLSchema()
- XMLSchemaNamespace()
- XMLSchemaType()
Storage
Storage Model: Storage (%SYS.Audit)
^IRIS.AuditD(ID) |
= | AuditIndex
ClientExecutableName
ClientIPAddress
Description
Event
EventData
EventSource
EventType
Namespace
Pid
Roles
RoutineSpec
SystemID
Username
UTCTimeStamp
CSPSessionID
UserInfo
JobId
GroupName
Status
OSUsername
Authentication
StartupClientIPAddress
%%CLASSNAME
|