Class Reference
IRIS for UNIX 2019.3
InterSystems: The power behind what matters   
Documentation  Search
  [%SYS] >  [%SYS] >  [Audit]
Private  Storage   

persistent class %SYS.Audit extends %Persistent, %SYSTEM.Help, %XML.Adaptor

The auditing system allows the user to capture events which occur on the system, and log them to an audit file.

When running SQL queries on the audit log, it is helpful to use the UTCTimestamp in the WHERE clause to speed up the query, and minimize the amount of data which is returned. For example:

SELECT SystemID,AuditIndex,UTCTimeStamp,EventSource,EventType,Event,Pid,CSPSessionID,Username,Description
FROM %SYS.Audit
WHERE UTCTimeStamp BETWEEN :UTCBeginDateTime AND :UTCEndDateTime
ORDER BY UTCTimeStamp DESC, SystemID DESC, AuditIndex DESC

The UTCTimeStamp is the UTC time in ODBC format. To convert a local $H time to this format use the following:

s x=##Class(%SYS.Audit).ConvertLocalHToUTC($H)
The UTCTimeStamp which is returned as part of the record, can be converted to local time with the following:

s x=##Class(%SYS.Audit).ConvertUTCToLocal(UTCTimeStamp)

Access to all the audit class methods require the %Admin_Secure:"Use" privilege.

If you wish to modify an audit record, use the Modify() class method. If you wish to modify it using direct object you must first use the OpenAuditRecord() class method and then the %Save() method. Note that saving the object in this way also requires that the user have write access to the Audit database resource.

Inventory

Parameters Properties Methods Queries Indices ForeignKeys Triggers
23 42 4


Summary

Properties
AuditIndex Authentication CSPSessionID ClientExecutableName
ClientIPAddress Description Event EventData
EventSource EventType GroupName JobId
JobNumber Namespace OSUsername Pid
Roles RoutineSpec Status SystemID
UTCTimeStamp UserInfo Username

Methods
%AddToSaveSet %AddToSyncSet %BMEBuilt %BuildIndicesAsync
%BuildIndicesAsyncResponse %CheckConstraints %CheckConstraintsForExtent %ClassIsLatestVersion
%ClassName %ComposeOid %ConstructClone %Delete
%DeleteExtent %DeleteId %DispatchClassMethod %DispatchGetModified
%DispatchGetProperty %DispatchMethod %DispatchSetModified %DispatchSetMultidimProperty
%DispatchSetProperty %Exists %ExistsId %Extends
%GUID %GUIDSet %GetLock %GetParameter
%GetSwizzleObject %Id %InsertBatch %IsA
%IsModified %IsNull %KillExtent %KillExtentData
%LoadFromMemory %LockExtent %LockId %New
%NormalizeObject %ObjectIsNull %ObjectModified %Oid
%OnBeforeAddToSync %OnDetermineClass %Open %OpenId
%OriginalNamespace %PackageName %PhysicalAddress %PurgeIndices
%Reload %RemoveFromSaveSet %ResolveConcurrencyConflict %RollBack
%Save %SaveDirect %SaveIndices %SerializeObject
%SetModified %SortBegin %SortEnd %SyncObjectIn
%SyncTransport %UnlockExtent %UnlockId %ValidateIndices
%ValidateObject Convert ConvertLocalHToUTC ConvertUTCHToLocal
Copy Delete Erase Exists
Export Get Help Import
Modify OpenAuditItem XMLDTD XMLExport
XMLExportToStream XMLExportToString XMLNew XMLSchema
XMLSchemaNamespace XMLSchemaType


Properties

• property AuditIndex as %BigInt;
• property Authentication as Security.Datatype.Authentication;
Authentication method process used.
• property CSPSessionID as %String(MAXLEN=16);
Session ID of the process if a CSP process.
• property ClientExecutableName as %String(MAXLEN=128);
Executable name on the client machine.
• property ClientIPAddress as %String(MAXLEN=128);
IP address of the client.
• property Description as %SYS.AuditString(MAXLEN=128);
Description of the audit event.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.
• property Event as %String(MAXLEN=64);
Name of the audit event.
• property EventData as %SYS.AuditString(MAXLEN=16384);
EventData -- arbitrary data associated with this event.
Control characters less than $c(32) are not allowed in this data except for CR,LF, and tab.
• property EventSource as %String(MAXLEN=64);
Event Source (system events all have "%System" here).
• property EventType as %String(MAXLEN=64);
EventType.
• property GroupName as %String(MAXLEN=64);
Group of the audit event.
• property JobId as %String(MAXLEN=16);
Job ID
• property JobNumber as %Integer [ Calculated,SqlFieldName = JobNumber ];
Job Number
• property Namespace as %String(MAXLEN=128);
Namespace process was executing in.
• property OSUsername as %String(MAXLEN=16);
Operating system username of process.
Username given to the process by the operating system when the process is created. When displayed, it is truncated to 16 characters. Note that the real O/S username is only returned when connecting to UNIX or VMS systems; For Windows, it will return the O/S username for a console process, but for telnet it will return the $USERNAME of the process. For client connections, it contains the O/S username of the client.
• property Pid as %String(MAXLEN=16);
Process ID.
Note that on VMS system, the Hex pid is stored internally as a decimal value, i.e. $zh(pid).
• property Roles as %String(MAXLEN=512);
$ROLES value that was active when the audit event occurred.
• property RoutineSpec as %String(MAXLEN=128);
Routine running including DB and System.
• property Status as %Status [ InitialExpression = 1 ];
Any %Status variable passed into the call.
• property SystemID as %String(MAXLEN=128);
SystemName:ConfigurationName of where the event was generated.
This is useful when merging separate audit streams from different systems.
• property UTCTimeStamp as %String(MAXLEN=64);
UTC $ZTIMESTAMP value when the audit event occurred.
• property UserInfo as %String(MAXLEN=64);
User info field
• property Username as %SYS.AuditString(MAXLEN=128);
Username from $Username that was active when audit event occurred.

Methods

• classmethod Convert(ByRef Count As %Integer) as %Status
Converts Audit records to the current IRIS format.
This is called before any of the Audit methods runs and also during an upgrade to make sure that the audit global is in the current format.
It will also check if there are any audit records in Cache' format (stored in the ^CacheAuditD global) and merge those globals into the current IRIS audit global.
Note that journaling is turned off for the process during the conversion.

Parameters:
Count (byref) - Returned count of number of audit records converted.
0 - Version already matches.
Requires %Admin_Secure:"Use" privilege.
• classmethod ConvertLocalHToUTC(LocalH As %String) as %String
Convert the local $H time to an ODBC format string in UTC.
When using SQL, use this function to convert a local time in $h to UTC time to use in your SELECT statement.
• classmethod ConvertUTCHToLocal(UTC As %String) as %String
Convert a UTCTimeStamp in ODBC format to Local Time in ODBC format.
• classmethod Copy(ByRef NumCopied As %Integer, Namespace As %String, Flags As %Integer = 0, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") as %Status
Copy matching audit records to a defined namespace.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Namespace - Valid namespace to copy audit records to
Flags - Bit 0 - Delete audit record after copy
Return values:
NumCopied (byref) - Number of audit records copied
Requires %Admin_Secure:"Use" privilege.
• classmethod Delete(ByRef NumDeleted As %Integer, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") as %Status
Delete matching audit records.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record to delete, use "" to begin with the first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to delete. Audit records will be deleted up through, but not including, this value. Use "" to delete through last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Return values:
NumDeleted (byref) - Number of audit records deleted
Requires %Admin_Secure:"Use" privilege.
• classmethod Erase(Flags As %Integer = 0) as %Status
Erase the audit file.
Flags: 0 - Erase all contents
1 - Erase and create new audit file
2 - Erase and create new audit file, treat as encryption state changed
Note that bit 1 infers that ALL data in the audit database will be deleted, not just Audit data
Requires %Admin_Secure:"Use" privilege.
• classmethod Exists(UTCTimeStamp As %String = "", SystemID As %String = "", AuditIndex As %Integer = 0, ByRef Audit As %ObjectHandle, ByRef Status As %Status) as %Boolean
Audit record exists.
This method checks for the existence of an Audit record in the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
If Value of the method = 0 (Audit record does not exist, or some error occured)
Audit = Null
Status = Audit "x" does not exist, or other error message

If Value of the method = 1 (Audit record exists)
Audit = Object handle to Audit record
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.
• classmethod Export(FileName As %String, ByRef NumExported As %Integer, Flags As %Integer = 0, BeginDateTime As %String = "", EndDateTime As %String = "", EventSources As %String = "*", EventTypes As %String = "*", Events As %String = "*", Usernames As %String = "*", SystemIDs As %String = "*") as %Status
Export matching records to an xml file.
Parameters:
FileName - Valid filename to copy audit records to
Flags - Bit 0 - Delete audit record after export
BeginDateTime - $zdatetime($H,3) value of the first audit record to copy, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record to copy, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Username - Comma separated list of user names to copy, "*" = All
Return values:
NumCopied (byref) - Number of audit records exported.
Note: Two audit record will get written out when this is called in case the first one is deleted as part of the export operation.
Requires %Admin_Secure:"Use" privilege.
• classmethod Get(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %Integer, ByRef Properties As %String) as %Status
Get the Audit properties.
Parameters:
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
Return values:
Properties - Array of properties
Properties("AuditIndex")
Properties("ClientExecutableName")
Properties("ClientIPAddress")
Properties("CSPSessionID")
Properties("Description")
Properties("Event")
Properties("EventData")
Properties("EventSource")
Properties("EventType")
Properties("JobId")
Properties("Namespace")
Properties("Pid")
Properties("Roles")
Properties("RoutineSpec")
Properties("SystemID")
Properties("Username")
Properties("UTCTimeStamp")
Requires %Admin_Secure:"Use" privilege.
• classmethod Import(FileName As %String, ByRef NumImported As %Integer, Flags As %Integer = 0) as %Status
Import audit records from an xml file.
Parameters:
FileName - Valid filename to import audit records from
NumImported (byref) - Returns number of records imported
Flags - Control import
Bit 0 - Do not import records, just return count
Note: On failure, no records will be imported
Audit records may not be imported into the %SYS namespace
Requires %Admin_Secure:"Use" privilege.
• classmethod Modify(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %Integer, ByRef Properties As %String) as %Status
Modify an Audit record's properties.
Modifies an Audit records properties from the security database.
Parameters:
UTCTimeStamp - UTC timestamp of the audit record
SystemID - System ID of the audit event, usually NODE:CFGNAME
AuditIndex - Index number of the audit record
See the Get() method for a description of the Properties parameter.
If a specific property is not passed in the properties array, the value is not modified.
Requires %Admin_Secure:"Use" privilege.
• classmethod OpenAuditItem(UTCTimeStamp As %String, SystemID As %String, AuditIndex As %BigInt) as %SYS.Audit
Open an Audit Log item, given its ID information (UTC date, system ID, and audit index).
Requires %Admin_Secure:"Use" privilege.
If you wish to modify the returned object, use the Modify() method.

Queries

• query List(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication, Flags As %Integer)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String
List all audit records, brief display, reverse order.
Parameters: BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Pids - Comma separated list of Pids,VMS systems passed in Hex
Groups - Comma separated list of Groups (currently unused)
Authentication - Comma separated list of authentication types
Flags - 0=Descending (most recent first) 1=Ascending (earliest first)
Requires %Admin_Secure:"Use" privilege.
• query ListByEvent(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String
List audit records ordered by Event Source, Event Type, and Event.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
• query ListByPid(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String
List audit records ordered by Pid.
Parameters:
BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.
• query ListByUser(BeginDateTime As %String, EndDateTime As %String, EventSources As %String, EventTypes As %String, Events As %String, Usernames As %String, SystemIDs As %String, Pids As %String, Groups As %String, Authentications As Security.Datatype.Authentication)
Selects SystemID As %String, AuditIndex As %String, TimeStamp As %String, EventSource As %String, EventType As %String, Event As %String, Pid As %String, SessionID As %String, Username As %String, Description As %String, UTCTimeStamp As %String, Group As %String, JobNumber As %String, Authentication As %String
List audit records ordered by Username. Parameters: BeginDateTime - $zdatetime($H,3) value of the first audit record, "" = first record
EndDateTime - $zdatetime($H,3) value of the Last audit record, "" = Last record
The following parameters may be specified as a comma separated list as follows:
"*" - All records match
"String,String1" - Any records matching one of these elements
"String*" - Any record starting with "String"
"String,String1*,String2" - Any record matching one of these elements, or starting with "String1"
Note that these are all case insensitive matches
EventSources - Comma separated list of valid event sources
EventTypes - Comma separated list of valid event types
Events - Comma separated list of event names
Usernames - Comma separated list of user names
SystemIDs - Comma separated list of System:Config names
Requires %Admin_Secure:"Use" privilege.


Copyright (c) 2019 by InterSystems Corporation. Cambridge, Massachusetts, U.S.A. All rights reserved. Confidential property of InterSystems Corporation.