Reading the Audit Log

Once the audit log is activated, an audit log application should periodically check the logs on the Intel AMT platforms under its surveillance. The application can be programmed to watch for certain events, such as failed attempts to connect with Intel AMT. Each record in the log contains fields identifying the user that initiated an auditable event and the time the event occurred.

Audit Log Record Format

The following table shows the format of returned audit log records. The InitiatorData field identifies the user who initiated the event.

Field              | Field type                                          | Description
-------------------|-----------------------------------------------------|------------
AuditAppID         | uint16                                              | A unique ID for each auditable application. Note that this field is returned in Big-Endian format.
EventID            | uint16                                              | ID of an event of the application. Note that this field is returned in Big-Endian format.
InitiatorType      | uint8                                               | HTTP Digest username = 0, Kerberos SID = 1, Local = 2, KVM Default Port = 3
InitiatorData      | HTTPDigestInitiatorType or KerberosSIDInitiatorType | See type descriptions below. When InitiatorType is Local or KVM Default Port, the field is empty (size 0). Note: In Intel AMT Release 4.0, Initiator data for HTTPDigestInitiatorType includes Username with a null terminator ('\0') and Username_length includes the null terminator.
TimeStamp          | uint32                                              | Time when the event occurred, in seconds since 1/1/1970. Note that this field is returned in Big-Endian format.
MCLocationType     | uint8                                               | IPv4 Address = 0, IPv6 Address = 1, None = 2
NetAddressLength   | uint8                                               | Length of NetAddress field.
NetAddress         | Array of uint8                                      | ASCII representation of the network address of the management console or Local Host IP (e.g. "127.0.0.1"). If the connection is via an MPS, the value will be a proxy address. In Intel AMT Release 4.0, the IP address representation includes a null terminator ('\0') and NetAddressLength includes the null terminator.
ExtendedDataLength | uint8                                               | Length of event specific data.
ExtendedData       | Array of uint8                                      | Event specific data defined for each event in the Auditable Events table.

One of the following structures appears in the InitiatorData field of each audit log record whose InitiatorType is HTTP Digest username or Kerberos SID.

HTTPDigestInitiatorType

HTTP Digest user details

typedef struct _HTTPDigestInitiatorType
{
    uint8 Username_length;   /* length of Username in bytes; in Release 4.0 this counts the trailing '\0' */
    uint8 Username[];        /* HTTP Digest user name, flexible array member of Username_length bytes */
} HTTPDigestInitiatorType;

Field           | Description
----------------|------------
Username_length | Length of user name
Username        | HTTP Digest user name (up to 16 bytes)


KerberosSIDInitiatorType

Kerberos user details

typedef struct _KerberosSIDInitiatorType
{
    uint32      UserInDomain;    /* SID number of the user */
    uint8       Domain_length;   /* length of Domain in bytes */
    uint8       Domain[];        /* Kerberos domain, flexible array member of Domain_length bytes */
} KerberosSIDInitiatorType;

Field         | Description
--------------|------------
UserInDomain  | SID number of the user
Domain_length | Length of domain (up to 255)
Domain        | Kerberos domain (up to 255 bytes long)

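A parser for this record layout, as an added example that is not part of the Intel AMT SDK: it reads the big-endian header fields, selects the initiator structure from InitiatorType, strips the Release 4.0 null terminators from Username and NetAddress, and rejects a buffer that is truncated inside a field instead of silently shortening it. The byte order of UserInDomain is not stated on this page and is assumed big-endian; the sample record is constructed.

```python
import struct

# InitiatorType values from the record format table above.
HTTP_DIGEST, KERBEROS_SID, LOCAL, KVM_DEFAULT_PORT = 0, 1, 2, 3


def _take(buf: bytes, off: int, n: int) -> bytes:
    """Return n bytes at off, rejecting a record that is truncated inside a field."""
    if off + n > len(buf):
        raise ValueError(f"record truncated at offset {off}: need {n} bytes")
    return buf[off:off + n]


def _cstr(raw: bytes) -> str:
    # Release 4.0 counts a trailing '\0' in the length field; strip it either way.
    return raw.rstrip(b"\0").decode("ascii")


def parse_record(buf: bytes, off: int = 0) -> tuple[dict, int]:
    """Parse one audit log record at off; return (fields, offset of the next record)."""
    app_id, event_id, init_type = struct.unpack(">HHB", _take(buf, off, 5))
    rec = {"AuditAppID": app_id, "EventID": event_id, "InitiatorType": init_type}
    off += 5
    if init_type == HTTP_DIGEST:
        ulen = _take(buf, off, 1)[0]
        rec["Username"] = _cstr(_take(buf, off + 1, ulen))
        off += 1 + ulen
    elif init_type == KERBEROS_SID:
        # UserInDomain byte order is not stated on this page; big-endian is assumed here.
        rec["UserInDomain"], dlen = struct.unpack(">IB", _take(buf, off, 5))
        rec["Domain"] = _cstr(_take(buf, off + 5, dlen))
        off += 5 + dlen
    elif init_type not in (LOCAL, KVM_DEFAULT_PORT):
        raise ValueError(f"unknown InitiatorType {init_type}")
    # TimeStamp (big-endian), MCLocationType, NetAddressLength, then NetAddress.
    rec["TimeStamp"], rec["MCLocationType"], alen = struct.unpack(">IBB", _take(buf, off, 6))
    rec["NetAddress"] = _cstr(_take(buf, off + 6, alen))
    off += 6 + alen
    elen = _take(buf, off, 1)[0]
    rec["ExtendedData"] = _take(buf, off + 1, elen)
    return rec, off + 1 + elen


# Constructed sample (made-up values): a Release 4.0 style HTTP Digest record.
SAMPLE = (struct.pack(">HHB", 16, 0, HTTP_DIGEST) + b"\x06admin\0"
          + struct.pack(">IBB", 1700000000, 0, 10) + b"127.0.0.1\0" + b"\x00")
```

Records returned back to back can be walked by feeding the returned offset into the next parse_record call.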

See Also:

   Read the Audit Log

   Clear the Audit Log

Copyright © 2006-2022, Intel Corporation. All rights reserved.