Categories
Knowledge Support Support Categories Products exacqVision Integrations

Audit Trail Format

**INTERNAL**

Here are a couple example lines from an audit trail file. Both the audit and logs subdirectories under core are managed virtually identically, with file naming, and with how the oldest files are deleted after a configurable amount of time.

1334844630;11;1;0;10.0.2.2:55650;Admin;””;

1334844649;6;1;0;10.0.2.2:55650;Admin;””;<?xml ?> 1334680687;4;3;0;10.0.2.2:60018;Admin;”Alarm Output 1, Input 1, Input 1x, Input 2, Input 3, Trigger Input 1″;<?xml ?>

ipAddress=”192.168.102.238″ Port=”80″ username=”root” Enabled=”1″

OEM=”Vivotek” />

1334680702;5;1;0;10.0.2.2:60018;Admin;”Input 1x”;<?xml ?>

Field 0 – timestamp in seconds

Field 1 – eDVR packet type

Field 2 – eDVR packet subtype

Field 3 – eDVR packet status (almost always expected to be 0 – the only exception I can think of offhand is invalid login) Field 4 – system IP address:port Field 5 – eV username Field 6 – cached names (if found) Field 7 – XML snippet (if existing)

Packet Types:

0 – PACKET_TYPE_RESERVED

1 – PACKET_TYPE_DISCOVER

2 – PACKET_TYPE_LOGIN

3 – PACKET_TYPE_STATUS

4 – PACKET_TYPE_CONFIG

5 – PACKET_TYPE_LIVE

6 – PACKET_TYPE_STORED

7 – PACKET_TYPE_KEY

8 – PACKET_TYPE_PTZ

9 – PACKET_TYPE_LICENSE

10 – PACKET_TYPE_BINARY

11 – PACKET_TYPE_CLIENT_AUDIT

Packet Subtypes:

 1 – Generally means request (client sends to server)

 2 – Generally means response (server responds to client)

 3 – Config update requests from clients will often be 3

(CONFIG_SUBTYPE_UPDATE_REQ)

 4 – Config update asks from servers will often be 4

(CONFIG_SUBTYPE_UPDATE_ACK)

So #1 above with 11/1/0 means PACKET_TYPE_CLIENT_AUDIT request from client, telling the server that it will report whenever it does any client-side actions like export video, print image, etc.

#2 above with 6/1/0 means PACKET_TYPE_STORED request from client, with the accompanying search XML. From that you can see an LDAP query was being attempted from the user config panel, or enterprise users.

#3 above with 4/3/0 means PACKET_TYPE_CONFIG/CONFIG_SUBTYPE_UPDATE_REQ,

with the accompanying config update XML. Form that you can see exactly what the client was trying to update. In this case, field 6 (cached names) actually captures the camera/trigger/etc. names that it recognizes in the XML.

#4 above with 5/1/0 means PACKET_TYPE_LIVE request from client, where it’s trying to subscribe to stream ID 1641472. There actually is a way to figure out the specific plugin from that number, if you need to know that.