About System Audit Events

System audit events are predefined events that are available for auditing by default. General information about them appears in the table on the System Audit Events page (System Administration > Security > Auditing > Configure System Events), where the columns are:

  • Event Name — The Event Source (which is %System or %Ensemble), Event Type, and Event proper, all together and concatenated with slashes (“/”).

  • Enabled — Whether or not the event is enabled (turned on) for auditing.

  • Total — The number of events of this type that have occurred since the last startup of Caché.

  • Written — The number of events of this type that have been written to the audit log since the last startup of Caché. This number may differ from the total occurrences.

  • Reset — Allows you to clear the audit log for this event and reset its counter to zero. For more information on counters, see “About Counters.”

  • Change Status — Allows you to enable or disable the event. For more information on these actions, see the “Enabling or Disabling an Audit Event” section.

System audit events monitor events within Caché or Ensemble and are distinguishable by their Event Source value of %System or %Ensemble:

System Audit Events

| Event Source | Event Type and Event | Occurs When | Event Data Contents | Default Status |
|---|---|---|---|---|
| %Ensemble | %Message/ViewContents | A user views the contents of a message in the Message Viewer. | Metadata about the message. Only on Ensemble instances. | On |
| %Ensemble | %Production/ModifyConfiguration | A user modifies the configuration of a production. | A summary of the change. Only on Ensemble instances. | On |
| %Ensemble | %Production/StartStop | A user starts or stops a production. | Action (start or stop) and the username for the initiator of the action. Only on Ensemble instances. | On |
| %Ensemble | %Schema/Modify | A user creates, modifies, or deletes a schema structure. | A summary of the change. Only on Ensemble instances. | On |
| %System | %DirectMode/DirectMode | Any command is executed in direct mode. | The text of the command. | Off |
| %System | %Login/JobEnd | The JOB command ends a background job. | None. See the Description for the name of the routine or class method. | Off |
| %System | %Login/JobStart | The JOB command starts a background job. | None. See the Description for the name of the routine or class method. | Off |
| %System | %Login/Login | A user successfully logs in. | The protocol, port number, process ID, and application associated with the login. The user’s login roles. | Off |
| %System | %Login/LoginFailure | A login attempt fails. | Username. | Varies* |
| %System | %Login/Logout | A user logs out. | The application (and, if relevant, the class) associated with the logout. | Off |
| %System | %Login/TaskEnd | The Task Manager ends a process. | None. See the Description for the name of the task. | Off |
| %System | %Login/TaskStart | The Task Manager starts a process. | None. See the Description for the name of the task. | Off |
| %System | %Login/Terminate | A process terminates abnormally. | Varies, as does the Description field’s content; see below. | Off |
| %System | %SMPExplorer/Change | Data is altered using the Portal, such as by creating, editing, deleting, compiling, dropping, replacing, or purging classes or tables. | Varies, as does the Description field, depending on the action taken. Includes relevant content such as the compile flags or the schema and table being dropped. | Off |
| %System | %SMPExplorer/ExecuteQuery | A query is executed on the Portal’s SQL page. | The syntax of the executed query. | Off |
| %System | %SMPExplorer/Export | Data is exported through the Portal. | The options selected for data export. | Off |
| %System | %SMPExplorer/Import | Data is imported through the Portal. | The options selected for data import. | Off |
| %System | %SMPExplorer/ViewContents | Data is viewed through the Portal. | The filters that determined what data was viewed. The Description field specifies what was viewed, such as a list of classes, an individual global, or process information. | Off |
| %System | %SQL/DynamicStatement | A dynamic SQL call is executed. | The statement text and the values of any host-variable arguments passed to it. If the total length of the statement and its parameters exceeds 3,632,952 characters, the event data is truncated. | Off |
| %System | %SQL/EmbeddedStatement | An embedded SQL call is executed. See below for usage details. | The statement text and the values of any host-variable arguments passed to it. If the total length of the statement and its parameters exceeds 3,632,952 characters, the event data is truncated. | Off |
| %System | %SQL/PrivilegeFailure | Event defined, but not available for auditing until a future release. | N/A | Off |
| %System | %SQL/XDBCStatement | A remote SQL call is executed using ODBC or JDBC. | The statement text and the values of any host-variable arguments passed to it. If the total length of the statement and its parameters exceeds 3,632,952 characters, the event data is truncated. | Off |
| %System | %Security/ApplicationChange | An application definition is created, changed, or deleted. | Action (create new, modify, or delete), old and new application data. | On |
| %System | %Security/AuditChange | Auditing is stopped or started, entries are erased or deleted, or the list of events being audited is changed. | Action (stop, start, erase, delete, or specify), old and new audit settings. | On |
| %System | %Security/AuditReport | Any standard audit report is run. | Identification of audit report. | On |
| %System | %Security/DBEncChange | There is a change related to database or data-element encryption. | Varies, as does the Description field’s content. See below. | On |
| %System | %Security/DocDBChange | A document database application definition is created, changed, or deleted. | A summary of the change and a list of the current values, if applicable. | On |
| %System | %Security/DomainChange | A domain definition is created, changed, or deleted. | Action (new, modify, delete), old and new domain data. | On |
| %System | %Security/KMIPServerChange | A KMIP server definition is created, changed, or deleted, or KMIP servers are exported or imported. | A summary of the action and a list of the current values, if applicable. See the Description for additional details. | On |
| %System | %Security/LDAPConfigChange | An LDAP configuration is created, changed, or deleted. | A summary of the change and a list of the current values, if applicable. | On |
| %System | %Security/OpenAMIdentityServicesChange | OpenAM Identity Services records are exported or imported. | File name and the number of records exported to or imported from the file. | On |
| %System | %Security/PhoneProvidersChange | Event defined, but not available for auditing until a future release. | N/A | On |
| %System | %Security/Protect | A process generates a security protection error. | The error. | Off |
| %System | %Security/ResourceChange | A resource definition is created, changed, or deleted. | Action (new, modify, or delete), old and new resource data. | On |
| %System | %Security/RoleChange | A role definition is created, changed, or deleted. | Action (create new, modify, or delete), old and new role data. | On |
| %System | %Security/SSLConfigChange | An SSL/TLS configuration’s settings are changed. | The changed fields with old and new values. | On |
| %System | %Security/ServiceChange | A service’s security settings are changed. | Old and new service security settings. | On |
| %System | %Security/SystemChange | System security settings are changed. | Old and new security settings. | On |
| %System | %Security/UserChange | A user definition is created, changed, or deleted. | Action (create new, modify, or delete), old and new user data. | On |
| %System | %Security/X509CredentialsChange | A user creates, updates, or deletes a set of X.509 credentials. | Varies by event. See below. | On |
| %System | %Security/X509UserChange | Event defined, but not available for auditing until a future release. | N/A | On |
| %System | %System/AuditRecordLost | An audit entry has not been added to the audit database due to resource limitations that constrain the audit system (such as disk or database full). | None. | On |
| %System | %System/ConfigurationChange | Caché successfully starts with a configuration different than the previous start, a new configuration is activated while Caché is running, or a lock is deleted through the Portal or through the ^LOCKTAB utility. | Username for the user who made the change; previous and new values of the changed element. For deleted locks, information about which lock was deleted. | On |
| %System | %System/DatabaseChange | There are changes to database properties. See below. | Details about the particular change. See below. | On |
| %System | %System/JournalChange | Journaling is started or stopped for a database or process. | When journaling is started, the name of the database and its maximum size; when journaling is stopped, none. | On |
| %System | %System/OSCommand | An operating-system command is issued from within the system, such as through a call to the $ZF(-100) function. | The operating system command that was invoked; the directory in which it was invoked; and any flags associated with the command. | On |
| %System | %System/RoutineChange | A method or routine is compiled or deleted on the local instance. For more details, see below. | No content, though the Description field depends on the change itself; see below. | Off |
| %System | %System/Start | The system starts. | Indication of whether recovery was performed. | On |
| %System | %System/Stop | Caché is shut down. | None. | On |
| %System | %System/SuspendResume | A process is suspended or resumed. | The process ID of the process. | Off |
| %System | %System/UserEventOverflow | An application attempts to log an undefined event. | The name of the event that the application attempted to log. | On |

*The LoginFailure event is off by default for minimal-security installations; it is on by default for normal and locked-down installations.

Important:

If auditing is enabled, then all enabled events are audited.

About the %System/%Login/Logout and %System/%Login/Terminate Events

A process generates a %System/%Login/Logout event if the process ends because of:

A process generates a %System/%Login/Terminate event if the process exits for any other reason, including:

  • The user closes the Terminal window, resulting in a Terminal disconnect. If the process is in application mode, the Description field of the audit record includes the statement “^routinename client disconnect” (where routinename is the first routine that the process ran); if the process is in programmer mode, the Description field includes the statement “Programmer mode disconnect.”

  • A Terminal session is ended by an action in another process, including ^RESJOB, ^JOBEXAM, or the Management Portal. If the process is in application mode, the Description field of the audit record includes the statement “^routinename client disconnect” (where routinename is the first routine that the process ran); if the process is in programmer mode, the Description field includes the statement “Programmer mode disconnect.” Note that the event data contains the PID of the process that terminated the session.

  • A core dump or process exception. When a process gets a core dump or exception, it is too late for it to write to the audit file. Therefore, when the clean daemon runs to clean up the state of the process, it writes an audit record to the log with a description “Pid <process number> Cleaned”.

  • A TCP Client disconnect. When a process detects that a client has disconnected, this results in an audit record with a Description field which contains the name of the executable that disconnected, such as “<client application> client disconnect”.

About the %System/%SQL/EmbeddedStatement Event

To use the %System/%SQL/EmbeddedStatement event, you must enable both the event and the #sqlcompile audit macro preprocessor directive:

 #sqlcompile audit = ON

For reference information, see the “#sqlcompile audit” section in the “ObjectScript Macros and the Macro Preprocessor” chapter of Using ObjectScript.

If %System/%SQL/EmbeddedStatement is enabled, then executing any embedded SQL after a #sqlcompile audit = ON directive generates an EmbeddedStatement audit event. For example:

   ...
 #sqlcompile audit = ON
   ...
  &sql(delete from MyTable where %ID = :id)
  // This statement is audited at runtime if %System/%SQL/EmbeddedStatement is enabled.

   ...

 #sqlcompile audit = OFF
   ...
  &sql(delete from MyOtherTable where %ID = :id)
  // This statement is not audited at runtime even if %System/%SQL/EmbeddedStatement is enabled.
   ...

Because an application may have hundreds or thousands of SQL statements (such as those generated as part of compiled class code and those included in system code), the combination of the audit event and the preprocessor directive allows you to be selective in defining which embedded SQL statements to audit.

Additional notes:

  • The #sqlcompile audit = ON directive on an INSERT, UPDATE, or DELETE statement does not cause the embedded SQL code in any trigger to be audited. To audit a nested SQL statement, you must include an additional #sqlcompile audit = ON directive in the nested code. For example, if trigger code contains embedded SQL, there must be a #sqlcompile audit = ON directive in that trigger code.

  • The results of the audited statement are not recorded.

You can audit all embedded SQL statements except:

  • %BEGTRANS

  • %CHECKPRIV

  • %INTRANS

  • %INTRANSACTION

  • COMMIT

  • GET

  • ROLLBACK

  • SAVEPOINT

  • SET OPTION

  • STATISTICS
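
The directive scoping and the exclusion list above can be checked mechanically before relying on EmbeddedStatement records for coverage. The following is an added example, not InterSystems code: a Python scanner that reads ObjectScript source text and reports, for each single-line &sql( ... ) statement, whether it would be audited. It assumes auditing is off until the first #sqlcompile audit directive; the function name and the sample source are constructed for illustration.

```python
import re

# Embedded SQL statements the page lists as not auditable.
UNAUDITABLE = ("%BEGTRANS", "%CHECKPRIV", "%INTRANS", "%INTRANSACTION", "COMMIT",
               "GET", "ROLLBACK", "SAVEPOINT", "SET OPTION", "STATISTICS")
DIRECTIVE = re.compile(r"^\s*#sqlcompile\s+audit\s*=\s*(ON|OFF)\b", re.I)
EMBEDDED = re.compile(r"&sql\(\s*(.*)", re.I)

# Constructed sample source, modelled on the page's own example.
SAMPLE = """\
 #sqlcompile audit = ON
  &sql(delete from MyTable where %ID = :id)
  &sql(COMMIT)
 #sqlcompile audit = OFF
  &sql(delete from MyOtherTable where %ID = :id)
"""


def audit_coverage(source):
    """Return (line_no, statement, status) for each &sql( found in source.

    status is 'audited', 'not audited' or 'cannot be audited'.
    Assumption: auditing is off until a directive switches it ON.
    """
    audit_on = False
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        directive = DIRECTIVE.match(line)
        if directive:
            audit_on = directive.group(1).upper() == "ON"
            continue
        code = line.split("//", 1)[0]            # drop trailing // comments
        stmt = EMBEDDED.search(code)
        if not stmt:
            continue
        text = " ".join(stmt.group(1).split())   # normalise whitespace
        if text.endswith(")"):
            text = text[:-1]                     # closing paren of &sql( ... )
        upper = text.upper()
        if any(re.match(re.escape(k) + r"(\W|$)", upper) for k in UNAUDITABLE):
            status = "cannot be audited"
        else:
            status = "audited" if audit_on else "not audited"
        findings.append((line_no, text, status))
    return findings


if __name__ == "__main__":
    for finding in audit_coverage(SAMPLE):
        print(finding)
```

The scanner does not follow SQL into triggers; as noted above, trigger code needs its own directive and must be scanned as its own source.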

About the %System/%Security/DBEncChange Event

A process generates a %System/%Security/DBEncChange event because of:

  • Encryption key activation

  • Encryption key deactivation

  • Encryption key and key file creation

  • Encryption key file modification

  • Encryption settings modification, such as enabling interactive database encryption activation at startup.

The EventData includes data relevant to the event, such as the encryption key ID and key file or a key file administrator name.

About the %System/%Security/X509CredentialsChange Event

For create or update operations, the event data lists the changed properties, subject to security considerations. For Subject Key Identifier and Thumbprint, the event data is a hexadecimal string of space-separated one-byte words; for Certificate, PrivateKey, PrivateKeyPassword, and PrivateKeyType, there is no event data.

For delete operations, there is no event data.

About the %System/%System/DatabaseChange Event

A process generates a %System/%System/DatabaseChange event because of any of the following changes to a database:

  • Creation

  • Modification

  • Mounting

  • Dismounting

  • Compaction

  • Truncation

  • Global compaction

  • Defragmentation

For creation and modification, changes to the following properties cause auditing events (which are included in the event data):

  • BlockSize (Create only)

  • ClusterMountMode (Cluster systems only)

  • ExpansionSize

  • GlobalJournalState

  • MaxSize

  • NewGlobalCollation

  • NewGlobalGrowthBlock

  • NewGlobalIsKeep

  • NewGlobalPointerBlock

  • ReadOnly

  • ResourceName

  • Size

For mounting and dismounting, the event data records the database that was mounted or dismounted. For compaction, truncation, global compaction, and defragmentation, the event data includes the parameters that the user selected.

About the %System/%System/RoutineChange Event

A process generates a %System/%System/RoutineChange event because a routine has been compiled or deleted. When enabled, this event causes a record to be written to the audit log whenever a routine or class is compiled. The Description field of the audit record includes the database directory where the modification took place, what routine or class was modified, and the word “Deleted” if the routine was deleted.

Caché audits events on the local server but not for associated instances. For example, if one instance of Caché is an application server that is associated with another instance that is a database server, creating and compiling a new routine on the application server is not audited on the database server, even if the RoutineChange audit event is enabled on the database server. To create a comprehensive list of all changes on all associated instances, enable the relevant events on all the instances and combine their audit logs.
