Appendix: Database Schema and Audit Event Log Data
If immutable data is stored permanently elsewhere in the database, it is not duplicated
in the log entry. For example, when a new policy is published, the complete policy text
is not included in the log entry. Instead, its version number is referenced, so that the
complete data of the event can be reconstructed from the PolicyDb_RuntimePolicy and
PolicyDb_Access tables if necessary.
NOTE: ACE Management Server does not log sensitive data such as passwords or
encryption keys.
The event type code refers to the lookup table PolicyDb_EventType, which holds a
text message template, a category, and a log level for each type of event. The
template can contain %s parameter placeholders, in which case the Message
Parameters field of the log entry contains a tab-delimited list of values, one per
placeholder, in order. For example, an instance administration event with type = 4110 has the
following message template:
4110 -> "Instance Set Guest Info requested, IP address = %s, MAC
address %s, configuration message \"%s\", machine name \"%s\",
configuration status %s"
In this example, the Message Parameters field shows:
10.17.0.3
00:0C:29:1A:2B:3C
OK
ACETest
0
Substituting these values for the %s placeholders, in order, yields the readable message.
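The substitution described above, written out as an added example (not code from the ACE Management Server product or its documentation). The template for type 4110 is the one quoted on this page; the lookup dictionary standing in for PolicyDb_EventType, the function name, and the treatment of a count mismatch as an error are assumptions made for the example.

```python
import re

# Constructed stand-in for the PolicyDb_EventType lookup table. Only type 4110
# and its template are taken from the page; the product table also carries a
# category and a log level per type, which this example omits.
EVENT_TYPE_TEMPLATES = {
    4110: ('Instance Set Guest Info requested, IP address = %s, MAC '
           'address %s, configuration message "%s", machine name "%s", '
           'configuration status %s'),
}

PLACEHOLDER = "%s"


def render_event_message(event_type, message_parameters,
                         templates=EVENT_TYPE_TEMPLATES):
    """Rebuild the readable message for one event log row.

    message_parameters is the raw tab-delimited Message Parameters field.
    Raises ValueError when the number of values does not match the number of
    %s placeholders, the usual symptom of a truncated or hand-edited row.
    """
    template = templates.get(event_type)
    if template is None:
        raise KeyError(f"no PolicyDb_EventType row for type {event_type}")
    # Split on the tab separator without stripping: an empty parameter is a
    # legitimate value, and a value cannot itself contain a tab.
    params = message_parameters.split("\t") if message_parameters else []
    pieces = template.split(PLACEHOLDER)
    expected = len(pieces) - 1
    if len(params) != expected:
        raise ValueError(
            f"type {event_type}: template has {expected} placeholders, "
            f"Message Parameters has {len(params)} values")
    # Interleave template text and values explicitly rather than using
    # printf-style formatting, so a stray '%' in a value or template is
    # left alone instead of being interpreted.
    out = [pieces[0]]
    for value, piece in zip(params, pieces[1:]):
        out.append(value)
        out.append(piece)
    return "".join(out)


if __name__ == "__main__":
    # The Message Parameters value from the page, joined with tabs.
    field = "\t".join(("10.17.0.3", "00:0C:29:1A:2B:3C", "OK", "ACETest", "0"))
    print(render_event_message(4110, field))
```

Because the field is tab-delimited, a parameter value cannot contain a tab; the function therefore treats a count mismatch as an error rather than guessing which values belong together.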
ACE Management Server event logging contains an experimental tamper evidence
feature. Every record in the event log (except the first one) must hold a unique reference
to the previous event, enforced by a foreign key and a unique constraint in the
database. Each successive record has an ID incremented by 1, so a missing record
leaves a visible gap. If a user with direct access to the database changes, adds, or
removes records, that user must also change either the previous event pointer or other
data in the remaining event records. The data in every record is hashed together with
a server key, and the result is stored in the eventSignature field, so an altered record
no longer matches its signature unless the person altering it also has the server key.
The feature therefore only holds if the server key is kept out of reach of anyone who
can write to the database directly.
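The chain check described above, as an added example; it is not the product's own code and the page does not name the hash algorithm or the exact fields that are hashed, so HMAC-SHA256 over the id, previous-event pointer, event type and Message Parameters, the field names, and the server key value are all assumptions. The example builds a small constructed log, then shows what a verifier can and cannot see after direct edits to the table.

```python
import hashlib
import hmac
import json

# Hypothetical server key for the example. The real key is held by ACE
# Management Server, not in the database; if the same person who can edit
# the table can also read the key, every signature can simply be recomputed.
SERVER_KEY = b"example-server-key-not-the-real-one"

# Assumed set of fields covered by the keyed hash.
SIGNED_FIELDS = ("eventId", "prevEventId", "eventType", "messageParameters")


def sign_record(record, server_key):
    """Keyed hash over the record's data fields (HMAC-SHA256 is an assumption;
    the page only says the data is hashed together with a server key)."""
    payload = json.dumps({f: record[f] for f in SIGNED_FIELDS},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(server_key, payload, hashlib.sha256).hexdigest()


def append_event(log, event_type, message_parameters, server_key):
    """Append one record: id = previous id + 1, pointer to the previous
    record, signature computed over the data fields."""
    prev_id = log[-1]["eventId"] if log else None
    record = {
        "eventId": 1 if prev_id is None else prev_id + 1,
        "prevEventId": prev_id,
        "eventType": event_type,
        "messageParameters": message_parameters,
    }
    record["eventSignature"] = sign_record(record, server_key)
    log.append(record)
    return record


def verify_chain(log, server_key):
    """Walk the table in id order and return (eventId, problem) pairs.
    An empty list means no tampering was detected."""
    problems = []
    seen_prev = set()
    for i, rec in enumerate(log):
        eid = rec["eventId"]
        if i == 0:
            if rec["prevEventId"] is not None:
                problems.append((eid, "first record must not reference a previous event"))
        else:
            prev_id = log[i - 1]["eventId"]
            if rec["prevEventId"] != prev_id:
                problems.append((eid, f"previous pointer {rec['prevEventId']} != {prev_id}"))
            if eid != prev_id + 1:
                problems.append((eid, f"id gap after {prev_id}"))
        # The unique constraint: no two records may point at the same predecessor.
        if rec["prevEventId"] in seen_prev:
            problems.append((eid, "duplicate previous-event reference"))
        seen_prev.add(rec["prevEventId"])
        # Any change to a signed field, including the pointer, breaks the keyed hash.
        if not hmac.compare_digest(sign_record(rec, server_key), rec["eventSignature"]):
            problems.append((eid, "eventSignature mismatch"))
    return problems


def build_sample_log():
    """Four constructed events of type 4110 (all values made up for the example)."""
    log = []
    for ip, mac, name in (("10.17.0.3", "00:0C:29:1A:2B:3C", "ACETest"),
                          ("10.17.0.4", "00:0C:29:4D:5E:6F", "ACETest2"),
                          ("10.17.0.5", "00:0C:29:7A:8B:9C", "ACETest3"),
                          ("10.17.0.6", "00:0C:29:0D:1E:2F", "ACETest4")):
        append_event(log, 4110, "\t".join((ip, mac, "OK", name, "0")), SERVER_KEY)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log, SERVER_KEY))
    del log[2]                 # direct-DB deletion of event 3
    print("after deletion:", verify_chain(log, SERVER_KEY))
    log[2]["prevEventId"] = 2  # attacker re-points 4 -> 2 without the key
    print("after re-chaining:", verify_chain(log, SERVER_KEY))
```

Two things the check shows about this design. Deleting a record from the middle is caught twice over (the pointer of the next record no longer matches, and the id sequence has a gap), and repairing the pointer by hand only moves the failure to the signature. Deleting the newest records, however, leaves a chain that still verifies, because nothing inside the table says where it should end; a verifier that wants to catch truncation has to record the last event ID somewhere the database user cannot reach, along with the server key.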
For more information about event categories, configuring levels of event logging for
each category, and purging old events to keep the table size in check, see "Logging
Events" on page 49.
VMware, Inc.