GIM Category: audit

The Audit category includes events that describe the health, configuration, and integrity of a system’s auditing subsystem. These events indicate whether the audit service is running, if its policies have changed, or if audit logs have been cleared or corrupted. Unlike user activity logs, audit category events reflect the state of the mechanisms that record and preserve those logs. Monitoring these events is critical for ensuring compliance, detecting tampering, and verifying that audit controls remain active and trustworthy.

integrity

Events that report on the integrity or preservation of a system’s audit trail. These messages indicate that audit data has been deleted, cleared, or otherwise modified in a way that could impact the completeness or reliability of audit records. Integrity events differ from audit service state changes in that they focus on the audit log content itself, not the operational status of the audit subsystem. Such events are critical for detecting potential tampering or attempts to conceal activity.

Required Fields

  • source
  • vendor_event_action

Optional Fields

  • user_name

gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description

220000 | audit | audit.integrity | audit log cleared
  The audit log for a system has been cleared.

state

Events that describe the operational state of a system’s audit subsystem, such as when the audit service starts, stops, or encounters an error. These events reflect whether the auditing process responsible for generating or storing audit logs is running and functioning properly. Monitoring these state transitions is essential for ensuring audit continuity — if the audit service is stopped or fails, no further audit data can be collected.

Required Fields

  • source
  • vendor_event_action

Optional Fields

  • user_name

gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description

220100 | audit | audit.state | audit service started
  The system’s auditing component or service has started successfully. This indicates that audit collection and logging have resumed after being stopped or unavailable.

220101 | audit | audit.state | audit service stopped
  The system’s auditing component or service has stopped. While this may occur during normal maintenance, it can also indicate that auditing has been disabled or disrupted.

220102 | audit | audit.state | audit error
  An error occurred in the auditing subsystem, preventing it from recording events reliably. This may indicate corruption, misconfiguration, or resource exhaustion within the audit service.

policy

Events that describe changes to the system’s audit configuration or policies. Audit policy events occur when administrators modify which activities are audited, how audit data is retained, or where it is stored. These changes can significantly affect visibility and compliance posture — for example, disabling process tracking or account logon auditing reduces the scope of collected evidence. Policy change events should be closely monitored and correlated with administrative actions to detect unauthorized modifications.

Required Fields

  • source
  • vendor_event_action

Optional Fields

  • user_name

gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description

220500 | audit | audit.policy | audit policy changed
  The system’s audit configuration or policy was modified. This may include enabling or disabling audit categories, changing log retention settings, or altering audit destinations. Such changes can affect what events are captured and should be reviewed for authorization and compliance.

default

The default subcategory is used for audit-related events that do not match a more specific subcategory. These messages generally originate from the audit subsystem but may describe vendor-specific or informational activity not directly related to audit state, integrity, or policy. Using this subcategory ensures that all audit component messages can be normalized and retained for visibility, even when their precise type is unknown or product-specific.

Required Fields

  • source

Optional Fields

  • user_name

gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description

229999 | audit | audit.default | audit event
  A generic audit subsystem event that does not fit a defined subcategory or event type. This serves as a fallback classification to ensure consistent handling of all audit-related messages.
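The following is an added example, not Graylog's own code, showing how a normalizer would map a raw vendor audit event onto the type codes, subcategories and required fields listed on this page, falling back to 229999 (audit.default) when the vendor action is unrecognized. The vendor_event_action strings and their mapping to GIM codes are constructed for illustration, and the alert flag is a local marker, not a GIM field.

```python
# Added example (not Graylog's code): normalize a constructed vendor audit event
# into the GIM audit category using the type codes and required fields listed above.
# The vendor_event_action strings and their mapping to GIM codes are constructed.

# gim_event_type_code -> (gim_event_subcategory, gim_event_type), from the tables above.
GIM_AUDIT_TYPES = {
    220000: ("audit.integrity", "audit log cleared"),
    220100: ("audit.state", "audit service started"),
    220101: ("audit.state", "audit service stopped"),
    220102: ("audit.state", "audit error"),
    220500: ("audit.policy", "audit policy changed"),
    229999: ("audit.default", "audit event"),
}

# Constructed vendor action names -> GIM type code (illustrative, not a real vendor's values).
VENDOR_ACTION_TO_CODE = {
    "log_cleared": 220000,
    "service_start": 220100,
    "service_stop": 220101,
    "service_error": 220102,
    "policy_change": 220500,
}

# Types whose occurrence means evidence may be lost or hidden; flagged for review.
ALERT_CODES = {220000, 220101, 220102, 220500}


def normalize(raw: dict) -> dict:
    """Map a raw vendor event to GIM audit fields; unknown actions fall back to audit.default."""
    action = raw.get("vendor_event_action")
    code = VENDOR_ACTION_TO_CODE.get(action, 229999)
    subcategory, event_type = GIM_AUDIT_TYPES[code]
    # audit.default requires only source; the other subcategories also require vendor_event_action.
    required = ("source",) if subcategory == "audit.default" else ("source", "vendor_event_action")
    missing = [f for f in required if not raw.get(f)]
    if missing:
        raise ValueError(f"{subcategory} event missing required field(s): {missing}")
    gim = {
        "gim_event_type_code": code,
        "gim_event_category": "audit",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
        "source": raw["source"],
        "alert": code in ALERT_CODES,  # local review flag, not a GIM field
    }
    if action:  # present for every subcategory except possibly audit.default
        gim["vendor_event_action"] = action
    if raw.get("user_name"):  # user_name is optional in every subcategory
        gim["user_name"] = raw["user_name"]
    return gim
```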