All audit records have the same structure. They consist of a list of fields, each field containing an item of auditable information.
If nothing other than SAT commands and SATUT statements is used, no knowledge of the structure of the SATLOG files is required.
The information given in the following is only important if system exit No. 110 is used or when explicit file analysis is performed in the event of an error.
Note
The structure of the records is dependent on the version, and is described by the macro EXIT110 (see the “System Exits” manual [18]).
Header records / trailer records
Audit records are prefixed / suffixed by SAT-specific records containing information relating to the special events “start / end of SATLOG file”. These specific records are created directly by the file handling and are not forwarded to CLIP.
The header record (ZBG) contains the following:
system version
system name
reason for creating the file (startup, resume logging...)
name of the preceding SATLOG file (if any)
CPU identification
system identification
name of the configuration
The trailer record (ZND) contains the following:
name of the next SATLOG file of this session
reason for closing the file (shutdown, change file...)
Records
The fields of each audit record are arranged as follows:
The first part of the record is invariable and contains the fields/items of information that are always logged for any record.
Field name
Length
Meaning
user-id
8
User ID of the subject
Invariable part
Length 28 characterstsn
4
TSN of the subject
evt
3
Abbreviated event name
res
1
Result of the event (S/F)
4
Date of creation
Format: X‘yyyymmdd‘4
Time of creation
Format: X‘hhmmss00‘4
Reserved area
The second part of the record is variable. It includes the fields/items of information which may but need not be logged for any record (e.g. auditid, groupid), as well as the fields/items of information logged for specific objects only (see section “Tables of auditable information on object-related events (1)”). These are variable-length fields. Each field in the variable part contains the actual length of the information, the exit identifier for the SAT information and the information itself
ln1
id1
<info1>
variable part
variable lengthln2
id2
<info2>
ln3
id3
<info3>
...
...
...
ln n:
Length of the logged information <info n> of field n (1 byte)
In the case of *LNG fields, this field contains the value 255.
id n:
Exit identifier for the SAT information contained in field n (2 bytes)
In the case of *LNG fields, this field contains the negative value of the exit identifier.
info n:
Logged information of field n (field value, in n bytes); keywords are binary-coded.
*LNG fields
*LNG fields are fields whose length exceeds 255 characters. If necessary they are split over several audit records and are structured as follows:
255 | - id | ln | 0 | <info1> | First or only audit record for the *LNG field | |
255 | - id | ln | displ | <info n> | Continuation record for a *LNG field if this |
ln:
Overall length of logged information for the *LNG field (2 bytes).
- id:
Exit identifier for the SAT information which is contained in a *LNG field (2 bytes, value is negative).
displ:
Displacement of first byte of subsection “info n” from the start of the total information (2 bytes)
info n:
n-th section of the logged information of the *LNG field
The maximum length of a SATLOG record in the SATLOG file is 1000 bytes. The unsplit SATLOG record is made available to the EXIT routine. The maximum length is 32752 bytes, displ is always 0.