Viewing audit events with MS Event Viewer - what protocol or API?

reide · ‎2010-09-14

I have a customer who is trying to automate the process of reading CIFS audit logs from a NetApp array. The customer knows that they can view audit events with Microsoft Event Viewer on a Windows client. However, they're attempting to have a home-grown program read the audit events from the array rather than rely on MS Event Viewer. They want to know what protocol or API Microsoft Event Viewer uses to read the audit events off the NetApp array. That way, they can write their own routine to do the same.

Customer is under the impression that Microsoft uses two possible methods to read these event logs remotely, but they're not sure which one NetApp uses.

Any ideas on what specification NetApp follows when it comes to sharing audit events to windows clients?

reide · ‎2010-09-17

More information on this question. For ONTAP 7.3 and later, which version of the Microsoft Event Log API do we use?

Prior to Windows Vista, Microsoft used the Event Logging API (http://msdn.microsoft.com/en-us/library/aa363652.aspx).

From Vista and later, it introduced the Windows Event Log API (http://msdn.microsoft.com/en-us/library/aa385780.aspx)

While they are similarly named, they have different functionality and requirements from a collection standpoint.

reide · ‎2010-09-22

Answered:

The new windows event log APIs in Microsoft Vista provide APIs for event log consumers to read and render the events (apart from ETW event generation support). The new API seems to handle event records in a new XML format, as against binary format of the older API.

NetApp Auditing subsystem generates old binary EVT format logs. We are not sure if the new windows event log APIs are backward compatible to consume our records, but we do work with old methods which are still functional and available today.

Viewing audit events with MS Event Viewer - what protocol or API?

Get ready to power on