Security Audit Log Events

The following table describes the Security Audit Log events (App ID = 20). Beginning in Release 8.0, all Security Audit Log events are enabled by default.

| Event Name | ID | Description | Parameters | Trigger |
|---|---|---|---|---|
| Security Audit Log Cleared | 0 | Audit log was cleared. Note: This event is always written to the Log and it cannot be flagged as critical. | None | The event is logged after completing a successful clear of the log. WS-MAN: AMT_AuditLog.ClearLog |
| Security Audit policy modified | 1 | Audit policy event was Enabled or Disabled. | None | WS-MAN: AMT_AuditPolicyRule.SetAuditPolicy; AMT_AuditPolicyRule.SetAuditPolicyBulk. Events are logged even if the methods return with an error. |
| Security Audit Log Disabled | 2 | Access monitor feature disabled. Note: This event cannot be flagged as critical. | None | WS-MAN: AMT_AuditLog.RequestStateChange is called with RequestedState = Disabled |
| Security Audit Log Enabled | 3 | Access monitor feature enabled. Note: This event cannot be flagged as critical. | None | Event is logged after successfully enabling Access Monitor feature. WS-MAN: AMT_AuditLog.RequestStateChange is called with RequestedState = Enabled |
| Security Audit Log Exported | 4 | Audit log signature and log-related information exported. Note: This event cannot be flagged as critical. | None | The event is logged after successfully exporting audit log signature. WS-MAN: AMT_AuditLog.ExportAuditLogSignature |
| Security Audit Log Recovered (In Intel AMT Release 5.1 and later releases.) | 5 | Internal check of audit log resulted in a recovery action. Note: This event is always written to the Log and it cannot be flagged as critical. | UINT8 Reason: 0 – Unknown; 1 – Migration failure; 2 – Initialization failure | Internal problem detected by firmware. |

Copyright © 2006-2022, Intel Corporation. All rights reserved.