Novell XDASV2 - ADMINISTRATION GUIDE V1 Administration Manual page 37

For edirectory, idm, and nmas

XDASv2 Schema

| XDAS Field | Description |
|---|---|
| Initiator | The initiator of an event is the authenticated entity that initially provoked creation of the event. Note that an initiator need not be identified. If the entity can't be identified (perhaps an entity is attempting to log in, thus provoking the generation of a login event by an observer), then as much information about the origin of the event as possible should be specified. NOTE: In the special case of a login event, the authenticated identity of the initiator is not known until after the login attempt has succeeded. Therefore a failed login event should not give the identity of the target account as the identity of the initiator. An initiator is described in terms of an account and an entity (described below), as well as an optional set of assertions. These assertions describe, in terms of a set of name/value pairs, the attributes of the initiator identity. Some initiators are not known by a specific account, but are known only by a set of assertions (SAML2, for instance) that describe the rights of the actor. The schema is not defined for these assertions, as they will be different for each class and potentially for each individual object. |
| Action | The action identifies the event that is being recorded. This field provides the XDASv2 event identifier, as well as an outcome code (success, or failure class), and the time the event occurred, with as much accuracy as possible. |
| Event | The event field is the key to XDAS events. Event encapsulates a taxonomical identifier and a short descriptive name for human readability. |
| Id | The event Id code represents the event identifier, defined by the XDASv2 standard event taxonomy, and extensions defined by the Novell CSS product. |
| Name | The event name is a human-readable representation of the event identifier. The event name is optional, but recommended for readability. |
| Data | The event data provides additional descriptive information about the event. |
| Log | The log field contains standard syslog-like log-level values, in terms of Severity and Facility numeric identifiers. The log field is optional, as is every sub-field within it. These values should only be used when necessary, as they generally represent judgment calls on the part of the instrumentor. Such judgment calls are best left to analysis software or engineers once the event data is collected. |
| Outcome | For details on outcome codes, see Section B.3, "Outcome Codes," on page 39. |
| Time | The event time is the time recorded by the observer at the point the event was committed to the event service. Time values are gathered by the XDAS client helper library. Thus, there is no reason to be concerned about values stored in this field, as the helper library will attempt to be as accurate as possible when generating time information. |
| Offset | The offset field contains a value representing the number of seconds since midnight, January 1, 1970, otherwise known as the Unix epoch. |
| Sequence | The sequence field contains a unique numeric value distinguishing this event from another event which may have been recorded within the same second. For the most part, this value should be taken as a monotonically increasing numeric value that begins at zero and continues until the next second boundary, at which point it begins again at zero. |
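The Offset and Sequence descriptions above give a log consumer an ordering key and a per-second numbering it can check. The following is an added example, not code from the Novell guide: it assumes events arrive as one JSON object per line from a single observer, with Time nested under Action; that nesting, the function names and all sample values are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

def sample_line(offset, seq):
    """Build one constructed event line (assumed nesting: Action -> Time)."""
    return json.dumps({"Action": {"Event": {"Name": "constructed event"},
                                  "Time": {"Offset": offset, "Sequence": seq}}})

# Constructed input: a gap, a duplicate, a record with no Time, a late start.
SAMPLE = [
    sample_line(1700000000, 0), sample_line(1700000000, 1),
    sample_line(1700000000, 3),                      # Sequence 2 never arrived
    sample_line(1700000001, 0), sample_line(1700000001, 0),  # same key twice
    json.dumps({"Action": {"Event": {"Name": "constructed event"}}}),
    sample_line(1700000002, 1),                      # second does not start at 0
]

def time_key(line):
    """Return (Offset, Sequence) from one JSON event line as non-negative ints."""
    t = json.loads(line)["Action"]["Time"]
    offset, seq = int(t["Offset"]), int(t["Sequence"])
    if offset < 0 or seq < 0:
        raise ValueError("negative Offset or Sequence")
    return offset, seq

def check_sequences(lines):
    """Report events whose Sequence breaks the restart-at-zero-per-second pattern."""
    findings, by_second = [], defaultdict(list)
    for n, line in enumerate(lines, 1):
        try:
            offset, seq = time_key(line)
        except (ValueError, KeyError, TypeError):
            findings.append((None, "malformed", [n]))   # input line number
            continue
        by_second[offset].append(seq)
    for offset in sorted(by_second):
        counts = Counter(by_second[offset])
        dupes = sorted(s for s, c in counts.items() if c > 1)
        gaps, expected = [], 0
        for s in sorted(counts):                # walk unique values in order
            if s > expected:
                gaps.append((expected, s - 1))  # inclusive missing range
            expected = s + 1
        if dupes:
            findings.append((offset, "duplicate", dupes))
        if gaps:
            findings.append((offset, "missing", gaps))
    return findings

if __name__ == "__main__":
    for finding in check_sequences(SAMPLE):
        print(finding)
```

Events lost at the end of a second leave no gap, and the guide describes the numbering as holding "for the most part", so findings are leads for review rather than proof of loss or tampering.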
