
Read Audit Log Record

The following steps describe how to read the records in the audit log.

1.  Retrieve the instance of AMT_AuditLog, where the “Name” key equals “Intel(r) AMT:Audit Log”.

2.  Invoke AMT_AuditLog.ReadRecords(uint startIndex, uint outTotalRecordCount, uint outRecordsReturned, string[] outEventRecords).

3.  Examine TotalRecordCount, RecordsReturned, and EventRecords to see the event records.

See cfggetauditlogrecords and cfggetauditlogsignature for the commands required for reading the Intel AMT Audit log via the Intel MEI interface – available also when Intel AMT is disabled or not provisioned.

The following snippet demonstrates these steps. You can execute it by inserting it into the execution template.

# Step 1: reference the AMT_AuditLog instance whose Name is "Intel(r) AMT:Audit Log"
$auditLogRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_AuditLog WHERE Name='Intel(r) AMT:Audit Log'")

# Step 2: invoke ReadRecords, starting at the first (oldest) record
$inputObject = $auditLogRef.CreateMethodInput("ReadRecords")
$inputObject.SetProperty("StartIndex","1")
$outputObject = $auditLogRef.InvokeMethod($inputObject)

# Step 3: on success (ReturnValue 0, PT_STATUS_SUCCESS) read the output parameters
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    $totalRecordCount = $outputObject.GetProperty("TotalRecordCount")
    $recordsReturned = $outputObject.GetProperty("RecordsReturned")
    $eventRecords = $outputObject.GetProperty("EventRecords")
}

Additional Information

This routine returns a list of consecutively recorded audit log entries in time order (oldest first).

The first time the message is sent, the sending application should set StartIndex to 1. If the response indicates that the function returned an incomplete list (TotalRecordCount is greater than the number returned so far), the application can send another message, this time specifying the position in the list after the last record returned in the previous response. For example, if the Intel AMT device returned twenty records in the first request, set StartIndex to 21 and call again.

Records are returned in time order: the first audit event record in the returned array is the oldest record stored in the Intel AMT device audit log.

If no event log records exist, then the function will always return PT_STATUS_SUCCESS with an empty list and TotalRecordCount = 0.

The function will return audit log records even if the feature is disabled or locked.
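The three steps above together with the StartIndex paging described under Additional Information, as an added example that is not part of this page or of the Intel AMT SDK. It assumes the same wrapper methods the snippet uses (NewReference, CreateMethodInput, SetProperty, InvokeMethod, GetProperty) on a $wsmanConnectionObject created by the execution template, that numeric output properties come back as strings (hence the [int] casts), and that EventRecords enumerates as a collection of strings; the function name Read-AmtAuditLog and the MaxIterations guard are this example's own.

```powershell
# Added example (not Intel SDK code): read the whole audit log by paging through
# AMT_AuditLog.ReadRecords until TotalRecordCount entries have been collected.
# Assumptions: $WsmanConnection is the SDK execution template's connection object;
# GetProperty returns numeric properties as strings and EventRecords as an
# enumerable collection of strings.

function Read-AmtAuditLog {
    param(
        [Parameter(Mandatory = $true)] $WsmanConnection,   # assumed: SDK connection object
        [int] $MaxIterations = 1000                         # guard against a device that never advances
    )

    $auditLogRef = $WsmanConnection.NewReference("SELECT * FROM AMT_AuditLog WHERE Name='Intel(r) AMT:Audit Log'")
    $records = New-Object System.Collections.Generic.List[string]
    $startIndex = 1          # the first call always starts at record 1 (the oldest record)
    $totalRecordCount = 0
    $iterations = 0

    do {
        $inputObject = $auditLogRef.CreateMethodInput("ReadRecords")
        $inputObject.SetProperty("StartIndex", [string]$startIndex)
        $outputObject = $auditLogRef.InvokeMethod($inputObject)

        $returnValue = [int]$outputObject.GetProperty("ReturnValue")
        if ($returnValue -ne 0) {
            # 0 is PT_STATUS_SUCCESS; anything else means this page of records was not read
            throw "ReadRecords failed at StartIndex $startIndex with ReturnValue $returnValue"
        }

        $totalRecordCount = [int]$outputObject.GetProperty("TotalRecordCount")
        $recordsReturned  = [int]$outputObject.GetProperty("RecordsReturned")

        # An empty log is reported as success with TotalRecordCount = 0 and no records.
        if ($recordsReturned -gt 0) {
            foreach ($record in $outputObject.GetProperty("EventRecords")) {
                $records.Add([string]$record)
            }
            # The next page starts right after the last record returned
            # (twenty records returned -> StartIndex 21 on the next call).
            $startIndex += $recordsReturned
        }
        elseif ($startIndex -le $totalRecordCount) {
            # Defensive: the device advertises more records but returned none; stop rather than spin.
            break
        }

        $iterations++
    } while ($startIndex -le $totalRecordCount -and $iterations -lt $MaxIterations)

    # Oldest record first, as the device returns them; Complete tells the caller whether
    # every advertised record was actually collected.
    [pscustomobject]@{
        TotalRecordCount = $totalRecordCount
        RecordsRead      = $records.Count
        Complete         = ($records.Count -eq $totalRecordCount)
        EventRecords     = $records.ToArray()
    }
}

# Usage, inside the SDK execution template where $wsmanConnectionObject already exists:
$result = Read-AmtAuditLog -WsmanConnection $wsmanConnectionObject
"Read $($result.RecordsRead) of $($result.TotalRecordCount) audit records (complete: $($result.Complete))"
```

The loop condition mirrors the rule in the text: keep calling while TotalRecordCount is greater than the number of records collected so far, with StartIndex always one past the last record received. The Complete flag matters when the log is being collected as evidence, since a partial read that silently stops early would be indistinguishable from a full one otherwise.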

Instance Diagram

Classes Used in This Flow

   AMT_AuditLog

SDK Sample

Copyright © 2006-2022, Intel Corporation. All rights reserved.