# Method of Sorting the Audit Event Records in an Audit Trail File

IP.com Disclosure Number: IPCOM000118775D
Original Publication Date: 1997-Jul-01
Included in the Prior Art Database: 2005-Apr-01
Document File: 6 page(s) / 106K

IBM

Tran, TM: AUTHOR

## Abstract

Disclosed is an algorithm for sorting the Audit Event Records (AERs) in an Audit Trail file. The sort can be specified in either ascending or descending order.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 41% of the total text.

The sorting Algorithm presented in this paper is an extended
version of the Indexing Algorithm.  It is constructed based on two
The second Linked List is called the Column Linked List. The Row
Linked List contains the Audit Event Record and a doubly linked list
for traversing the AERs in either direction. The Column Linked List
contains the following members:
o  Ei, which is called the Indexing Event number
o  The pointer ards, which points to the Row Linked List
o  The pointer ard_head, which points to the head of the Row
o  The pointer ard_tail, which points to the tail of the Row
o  The flag tail_set, which is set when ard_tail is set

Note that the doubly linked lists in the Row Linked List and
Column Linked List are used for traversal.

With the introduction of the Row and Column Linked Lists, the
sorting Algorithm can be implemented by the following steps:
1.  Read the Audit Event Record into a buffer
2.  Build the Column Linked List based on the Event number
3.  Build the Row Linked List based on the Event number
4.  Repeat step 1 until EOF

The structures of the Linked Lists are defined below:

```c
typedef struct _ard_t {
    dce_aud_rec_t  ard;          /* audit record data         */
    struct _ard_t *next;         /* point to the next record  */
    struct _ard_t *prev;         /* point to the prev record  */
} ard_t;

typedef struct _ep_t {
    unsigned32     event;        /* event index               */
    struct _ard_t *ards;         /* Audit record list         */
    struct _ard_t *ard_tail;     /* point to tail of the ards */
    boolean32      tail_set;     /* flag to set the ard_tail  */
} ep_t;
```
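
The four steps above, as an added C example that is not the disclosure's own code: each record is indexed by event number in a column list kept in ascending order and appended to that event's row list, so records with the same event number stay in arrival order whichever direction the columns are walked. The `aer_*` names, the simplified record type standing in for `dce_aud_rec_t`, and the `next`/`prev` links on the column node are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumption: simplified stand-in for dce_aud_rec_t (event number + arrival sequence). */
typedef struct { unsigned event; int seq; } aer_rec_t;
/* Row Linked List node: one audit record, doubly linked. */
typedef struct aer_row { aer_rec_t rec; struct aer_row *next, *prev; } aer_row_t;
/* Column Linked List node: one event number and its row list (next/prev are assumed). */
typedef struct aer_col {
    unsigned event; aer_row_t *head, *tail; struct aer_col *next, *prev;
} aer_col_t;
typedef struct { aer_col_t *first, *last; } aer_index_t;

/* Steps 2 and 3: find or create the column for rec.event (columns stay in
 * ascending order), then append the record to the tail of that column's rows.
 * Returns 0 on success, -1 if memory allocation fails. */
int aer_insert(aer_index_t *ix, aer_rec_t rec) {
    aer_col_t *c = ix->first;
    while (c && c->event < rec.event) c = c->next;
    if (!c || c->event != rec.event) {       /* no column yet: link one before c */
        aer_col_t *n = calloc(1, sizeof *n);
        if (!n) return -1;
        n->event = rec.event;
        n->next = c;
        n->prev = c ? c->prev : ix->last;
        if (n->prev) n->prev->next = n; else ix->first = n;
        if (c) c->prev = n; else ix->last = n;
        c = n;
    }
    aer_row_t *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->rec = rec;
    r->prev = c->tail;
    if (c->tail) c->tail->next = r; else c->head = r;
    c->tail = r;
    return 0;
}

/* Walk the columns in ascending or descending event order, copying at most
 * max records to out; rows are always emitted in arrival order. Returns count. */
size_t aer_walk(const aer_index_t *ix, int descending, aer_rec_t *out, size_t max) {
    size_t n = 0;
    for (const aer_col_t *c = descending ? ix->last : ix->first; c; c = descending ? c->prev : c->next)
        for (const aer_row_t *r = c->head; r && n < max; r = r->next) out[n++] = r->rec;
    return n;
}

int main(void) {   /* constructed sample trail, not real audit data */
    aer_rec_t trail[] = {{0x103, 1}, {0x101, 2}, {0x103, 3}, {0x102, 4}, {0x101, 5}}, out[5];
    aer_index_t ix = {0};
    for (size_t i = 0; i < 5; i++) if (aer_insert(&ix, trail[i])) return 1;
    size_t n = aer_walk(&ix, 1, out, 5);
    for (size_t i = 0; i < n; i++) printf("event=0x%x seq=%d\n", out[i].event, out[i].seq);
    return 0;
}
```
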

The first step is implemented in the dce_aud_event_table() routine:

```c
void dce_aud_event_table
(
    dce_aud_trail_t at,
    ep_t **ep_table,
    unsigned32 *status
) {
    dce_aud_rec_t  ard;
    boolean32     done = FALSE;
    if (at == NULL) {
        dce_svc_printf(AUD_S_INVALID_TRAIL_DESCRIPTOR_MSG);
        ...
```