
Read the Audit Log

The following steps describe how to read the Audit log records.

1.  Retrieve the instance of AMT_AuditLog, where the “Name” key equals “Intel(r) AMT:Audit Log”.

2.  Invoke AMT_AuditLog.ReadRecords.

Note: To ensure you retrieve the correct information, Intel recommends that you wrap the ReadRecords method with the lock and unlock methods (see Lock and Unlock the Audit Log).

These fields return data in Big-Endian format:

   AuditAppID

   EventID

   Timestamp

 


You can execute this snippet by inserting it into the execution template found here.

  

# Get a reference to the audit log instance and call ReadRecords from the first record
$auditLogRef = $wsmanConnectionObject.NewReference("SELECT * FROM AMT_AuditLog WHERE Name='Intel(r) AMT:Audit Log'")
$inputObject = $auditLogRef.CreateMethodInput("ReadRecords")
$inputObject.SetProperty("StartIndex","1")
$outputObject = $auditLogRef.InvokeMethod($inputObject)
$returnValue = $outputObject.GetProperty("ReturnValue")
if($returnValue -like "0")
{
    $totalRecordCount = $outputObject.GetProperty("TotalRecordCount")
    $recordsReturned = $outputObject.GetProperty("RecordsReturned")
    $eventRecords = $outputObject.GetProperty("EventRecords")
    # Each EventRecords item is a Base64-encoded record; decode the first one
    $eventRecordsBytes = [System.Convert]::FromBase64String($eventRecords.Item(0))
    # AuditAppID is Big-Endian: byte 0 is the high byte, byte 1 is the low byte
    $auditAppID = ([int]$eventRecordsBytes[0] -shl 8) -bor [int]$eventRecordsBytes[1]
}
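The Big-Endian note above, as an added example (not Intel SDK code) that decodes fields from one Base64 record without depending on host byte order. The record is constructed sample data, Read-BigEndianUInt is a hypothetical helper, and the EventID offset, the Timestamp offset and the Unix-epoch interpretation of Timestamp are assumptions not stated on this page.

```powershell
# Added example: decode Big-Endian fields from one Base64 audit record.
# Read-BigEndianUInt is a hypothetical helper, not part of the Intel SDK.
function Read-BigEndianUInt {
    param(
        [byte[]]$Bytes,                  # decoded record
        [int]$Offset,                    # index of the most significant byte
        [ValidateSet(2, 4)][int]$Width   # field width in bytes
    )
    if ($Offset -lt 0 -or ($Offset + $Width) -gt $Bytes.Length) {
        throw "Record too short: need $Width bytes at offset $Offset, have $($Bytes.Length)"
    }
    [long]$value = 0
    for ($i = 0; $i -lt $Width; $i++) {
        # Most significant byte first, independent of host byte order
        $value = $value * 256 + $Bytes[$Offset + $i]
    }
    return $value
}

# Constructed sample (not captured from a device), Base64 of the bytes
# 00 10 | 00 02 | 02 | 5E 0B E1 00
$sampleBase64 = "ABAAAgJeC+EA"
$record = [System.Convert]::FromBase64String($sampleBase64)

# Offset 0 for AuditAppID follows the snippet above; the other offsets are assumptions
$auditAppID = Read-BigEndianUInt -Bytes $record -Offset 0 -Width 2
$eventID    = Read-BigEndianUInt -Bytes $record -Offset 2 -Width 2
$tsOffset   = 5   # valid for this constructed sample only
$seconds    = Read-BigEndianUInt -Bytes $record -Offset $tsOffset -Width 4

# Assumption: Timestamp counts seconds since 1970-01-01 UTC
$timestamp = [DateTimeOffset]::FromUnixTimeSeconds($seconds).UtcDateTime

# Pitfall: BitConverter reads in host byte order, so on a little-endian
# host it returns the two bytes swapped
$hostOrder = [System.BitConverter]::ToUInt16($record, 0)

"AuditAppID=$auditAppID EventID=$eventID Timestamp=$($timestamp.ToString('u'))"
"BitConverter.ToUInt16 on this host returns $hostOrder for the same two bytes"
```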

 

 


Classes Used in This Flow

   AMT_AuditLog

SDK Sample

If there is a sample demonstrating this flow, it is included in the SDK installation file. See SDK Installation Layout for details.

 

See Also:

   Reading the Audit Log

   Auditor Notification Alert

   View the Audit Policy Details

Copyright © 2006-2022, Intel Corporation. All rights reserved.