The audit log data is output to the event log file in Windows or to the syslog file in Linux.
The following shows the format of data output to the audit log:
In Windows:
program-name [process-ID]: message-part
In Linux:
syslog-header-message message-part
The format of the syslog-header-message differs depending on the OS environment settings. If necessary, change the settings.
For example, if you use rsyslog and specify the following in /etc/rsyslog.conf, messages are output in a format corresponding to RFC5424:
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
The format and contents of message-part are described below. In message-part, a maximum of 953 single-byte characters can be displayed in a syslog file.
uniform-identifier,unified-specification-revision-number,serial-number,message-ID,date-and-time,detected-entity,detected-location,audit-event-type,audit-event-result,audit-event-result-subject-identification-information,hardware-identification-information,location-information,location-identification-information,redundancy-identification-information,agent-information,request-source-host,request-source-port-number,request-destination-host,request-destination-port-number,batch-operation-identifier,log-data-type-information,application-identification-information,reserved-area,message-text
| Item* | Description |
|---|---|
| uniform-identifier | Fixed to CELFSS. |
| unified-specification-revision-number | Fixed to 1.1. |
| serial-number | Serial number of audit log messages. |
| message-ID | Message ID. |
| date-and-time | The date and time when the message was output. This item is output in the format yyyy-mm-ddThh:mm:ss.s followed by the time zone offset (for example, 2021-09-03T21:31:56.8+09:00). |
| detected-entity | Component or process name. |
| detected-location | Host name. |
| audit-event-type | Event type. |
| audit-event-result | Event result. |
| audit-event-result-subject-identification-information | Account ID, process ID, or IP address corresponding to the event. |
| hardware-identification-information | Hardware model or serial number. |
| location-information | Identification information for the hardware component. |
| location-identification-information | Location identification information. |
| FQDN | Fully qualified domain name. |
| redundancy-identification-information | Redundancy identification information. |
| agent-information | Agent information. |
| request-source-host | Host name of the request sender. |
| request-source-port-number | Port number of the request sender. |
| request-destination-host | Host name of the request destination. |
| request-destination-port-number | Port number of the request destination. |
| batch-operation-identifier | Serial number of operations through the program. |
| log-data-type-information | Fixed to BasicLog or DetailLog. |
| application-identification-information | Program identification information. |
| reserved-area | Not output. This is a reserved space. |
| message-text | The contents vary according to the audit events. Characters that cannot be displayed are output as asterisks (*). |

*: Some items are not output for some audit events.
The following is an example of the message portion of an audit log login event:
CELFSS,1.1,3,KNAE20002-I,2021-09-03T21:31:56.8+09:00,HAD,managementhost,Authentication,Success,subj:uid=sysadmin,autoAuth,Login,BasicLog,HAD,"Login was successful."
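As an added example that is not part of the original documentation, the following Python parses an audit log line in either OS form, locates message-part by its fixed uniform-identifier CELFSS, splits the items (the quoted message-text may contain commas, so a CSV reader is used), validates the fixed items, and exposes a small triage helper for failed Authentication events. The sample lines are constructed from the login event above: the RFC 5424 syslog header values and the process ID 4242 are made up, and the rule that the leading ten and trailing three items are always present (true of the page's example) is an assumption beyond what the page states, so the items between them are kept as a positional list.

```python
import csv
import io
from datetime import datetime

# Item names in the order listed in the message-part format description.
FIELD_NAMES = [
    "uniform-identifier", "unified-specification-revision-number", "serial-number",
    "message-ID", "date-and-time", "detected-entity", "detected-location",
    "audit-event-type", "audit-event-result",
    "audit-event-result-subject-identification-information",
    "hardware-identification-information", "location-information",
    "location-identification-information", "redundancy-identification-information",
    "agent-information", "request-source-host", "request-source-port-number",
    "request-destination-host", "request-destination-port-number",
    "batch-operation-identifier", "log-data-type-information",
    "application-identification-information", "reserved-area", "message-text",
]
# Assumption (not stated on the page): the leading ten and the trailing three
# items are always present; items in between are omitted for some audit
# events, so they are returned as a positional list.
LEADING = FIELD_NAMES[:10]
TRAILING = ["log-data-type-information",
            "application-identification-information", "message-text"]

MAX_MESSAGE_PART = 953  # documented limit for message-part in a syslog file

# Constructed sample lines: the login event from the page, wrapped in a Linux
# RFC 5424 syslog header (as produced by RSYSLOG_SyslogProtocol23Format) and in
# the Windows "program-name [process-ID]: message-part" form. The priority
# value and the process ID 4242 are made up.
LINUX_LINE = (
    "<14>1 2021-09-03T21:31:56.8+09:00 managementhost HAD 4242 - - "
    "CELFSS,1.1,3,KNAE20002-I,2021-09-03T21:31:56.8+09:00,HAD,managementhost,"
    "Authentication,Success,subj:uid=sysadmin,autoAuth,Login,BasicLog,HAD,"
    '"Login was successful."'
)
WINDOWS_LINE = "HAD [4242]: " + LINUX_LINE.split(" - - ", 1)[1]


def extract_message_part(line: str) -> str:
    """Strip the OS-specific prefix: message-part always starts with CELFSS."""
    idx = line.find("CELFSS,")
    if idx < 0:
        raise ValueError("no CELFSS message-part found in line")
    return line[idx:].rstrip("\r\n")


def parse_date_and_time(value: str) -> datetime:
    """yyyy-mm-ddThh:mm:ss.s followed by a time-zone offset such as +09:00."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_message_part(message_part: str) -> dict:
    if len(message_part) > MAX_MESSAGE_PART:
        raise ValueError("message-part exceeds %d characters" % MAX_MESSAGE_PART)
    # The CSV reader unquotes message-text and keeps any commas inside it.
    fields = next(csv.reader(io.StringIO(message_part)))
    if len(fields) < len(LEADING) + len(TRAILING):
        raise ValueError("too few items: %d" % len(fields))
    record = dict(zip(LEADING, fields[:len(LEADING)]))
    record.update(zip(TRAILING, fields[-len(TRAILING):]))
    record["event-dependent-items"] = fields[len(LEADING):-len(TRAILING)]
    # Sanity checks on the items the format fixes.
    if record["uniform-identifier"] != "CELFSS":
        raise ValueError("unexpected uniform-identifier")
    if record["unified-specification-revision-number"] != "1.1":
        raise ValueError("unexpected unified-specification-revision-number")
    if record["log-data-type-information"] not in ("BasicLog", "DetailLog"):
        raise ValueError("unexpected log-data-type-information")
    record["timestamp"] = parse_date_and_time(record["date-and-time"])
    return record


def parse_audit_line(line: str) -> dict:
    """Parse a complete Windows event log or Linux syslog line."""
    return parse_message_part(extract_message_part(line))


def is_failed_authentication(record: dict) -> bool:
    """Triage helper: an Authentication event whose result is not Success."""
    return (record["audit-event-type"] == "Authentication"
            and record["audit-event-result"] != "Success")


if __name__ == "__main__":
    for line in (LINUX_LINE, WINDOWS_LINE):
        rec = parse_audit_line(line)
        print(rec["message-ID"], rec["audit-event-type"], rec["audit-event-result"],
              rec["audit-event-result-subject-identification-information"],
              rec["event-dependent-items"], rec["message-text"])
```

Because the OS prefix is discarded by searching for the fixed uniform-identifier, the same parser serves both output forms, and the serial-number item lets a collector detect gaps in the sequence of messages it has received.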