The audit APIs can be used to write audit trail analysis and examination tools that selectively review the following:
· Events that are invoked by one or more subjects (for example, principals, groups, and cells)
· Events that have a specific outcome
· Events that occurred during a specified time period
· Events that have specific event IDs
In its most basic form, an audit trail analysis and examination tool must perform five functions:
· Open an audit trail file for reading
· Read the audit records into a buffer
· Transform the audit records into human-readable form
· Discard the audit record
· Close the audit trail file
These functions and the APIs that are used for each are discussed in the following topics.
More:
Opening an Audit Trail File for Reading
Reading the Desired Audit Records into a Buffer
Transforming the Audit Record into Readable Text
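The five functions listed above, shown as an added example that is not part of the original documentation and does not use the product's audit API: it applies the steps to a constructed line-oriented trail and filters on the four selection criteria from the first list. The record layout, the sample data, and all type and function names here are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample trail. Assumed layout, one record per line:
   "<epoch-seconds> <event-id-hex> <subject> <outcome>" (hypothetical format). */
static const char *SAMPLE_TRAIL =
    "1000 101 alice success\n"
    "1060 102 alice failure\n"
    "1120 102 bob failure\n"
    "garbled-record\n"
    "1180 102 alice failure\n";

typedef struct { long when; unsigned long event; char subject[32], outcome[16]; } audit_rec;
/* Selection criteria; NULL or 0 means "do not filter on this field". */
typedef struct { const char *subject, *outcome; long from, to; unsigned long event; } audit_filter;

int write_sample(const char *path) {          /* helper: put the sample on disk */
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(SAMPLE_TRAIL, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

static int matches(const audit_rec *r, const audit_filter *f) {
    return (!f->subject || !strcmp(r->subject, f->subject)) && (!f->outcome || !strcmp(r->outcome, f->outcome))
        && (!f->from || r->when >= f->from) && (!f->to || r->when <= f->to)
        && (!f->event || r->event == f->event);
}

/* Returns the selected-record count, or -1 if the trail cannot be opened; *bad counts unparseable records. */
int review_trail(const char *path, const audit_filter *f, FILE *out, int *bad) {
    FILE *trail = fopen(path, "r");                       /* 1. open for reading */
    if (!trail) return -1;
    char line[128];
    audit_rec r;
    int hits = 0;
    *bad = 0;
    while (fgets(line, sizeof line, trail)) {             /* 2. read a record into the buffer */
        if (sscanf(line, "%ld %lx %31s %15s", &r.when, &r.event, r.subject, r.outcome) != 4) {
            ++*bad;                                       /* malformed record: count it, do not hide it */
        } else if (matches(&r, f)) {                      /* 3. print in readable form */
            fprintf(out, "time=%ld event=0x%lx subject=%s outcome=%s\n",
                    r.when, r.event, r.subject, r.outcome);
            ++hits;
        }
        memset(&r, 0, sizeof r);                          /* 4. discard the record */
    }
    fclose(trail);                                        /* 5. close the trail */
    return hits;
}
```

Reporting the count of unparseable records alongside the matches lets a reviewer notice a damaged or truncated trail instead of treating it as an absence of events.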