POLICY_AUDIT_EVENTS_INFO structure (ntsecapi.h)
The POLICY_AUDIT_EVENTS_INFO structure is used to set and query the system's auditing rules. The LsaQueryInformationPolicy and LsaSetInformationPolicy functions use this structure when their InformationClass parameters are set to PolicyAuditEventsInformation.
Syntax
```c
typedef struct _POLICY_AUDIT_EVENTS_INFO {
  BOOLEAN                     AuditingMode;
  PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
  ULONG                       MaximumAuditEventCount;
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
```
Members
AuditingMode
Indicates whether auditing is enabled.
If this flag is TRUE, the system generates audit records according to the event auditing options specified in the EventAuditingOptions member.
If this flag is FALSE, the system does not generate audit records. However, note that set operations update the event auditing options as specified in the EventAuditingOptions member even when AuditingMode is FALSE.
EventAuditingOptions
Pointer to an array of POLICY_AUDIT_EVENT_OPTIONS variables. Each element in this array specifies the auditing options for an audit event type. The index of each array element corresponds to an audit event type value in the POLICY_AUDIT_EVENT_TYPE enumeration type.
Each POLICY_AUDIT_EVENT_OPTIONS variable in the array can specify the following auditing options. You can also combine the success and failure options, POLICY_AUDIT_EVENT_SUCCESS and POLICY_AUDIT_EVENT_FAILURE.
When LsaSetInformationPolicy is called to change the audit policy, any new POLICY_AUDIT_EVENT_OPTIONS array elements are added to any existing audit options. Adding a new POLICY_AUDIT_EVENT_OPTIONS element combined with the POLICY_AUDIT_EVENT_NONE audit option cancels all previous audit options and begins a new set of options.
MaximumAuditEventCount
Specifies the number of elements in the EventAuditingOptions array. For set operations, if this value is less than the number of audit event types supported by the system, the system does not change the auditing options for event types with indexes equal to or higher than the value specified in MaximumAuditEventCount.
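The set-operation rules described for AuditingMode, EventAuditingOptions and MaximumAuditEventCount, as an added example that is not part of the original page and is not LSA code: a small portable model that shows why dropping an option requires POLICY_AUDIT_EVENT_NONE. The names `audit_model`, `model_set`, `model_effective` and `MODEL_EVENT_TYPES` are hypothetical, and the starting policy is constructed sample data.

```c
#include <stdio.h>

/* Option values as defined in ntsecapi.h, repeated so the model builds anywhere. */
#define POLICY_AUDIT_EVENT_SUCCESS 0x1UL
#define POLICY_AUDIT_EVENT_FAILURE 0x2UL
#define POLICY_AUDIT_EVENT_NONE    0x4UL
#define MODEL_EVENT_TYPES 4 /* constructed; the real count comes from POLICY_AUDIT_EVENT_TYPE */

/* Hypothetical stand-in for the stored policy (not an LSA type). */
struct audit_model {
    int auditing_mode;                        /* mirrors AuditingMode */
    unsigned long options[MODEL_EVENT_TYPES]; /* mirrors EventAuditingOptions */
};

/* Apply a set operation following the rules stated on this page. */
void model_set(struct audit_model *cur, int mode,
               const unsigned long *req, unsigned long max_count)
{
    const unsigned long sf = POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE;
    cur->auditing_mode = mode; /* options below are stored even when mode is FALSE */
    for (unsigned long i = 0; i < max_count && i < MODEL_EVENT_TYPES; i++) {
        if (req[i] & POLICY_AUDIT_EVENT_NONE)
            cur->options[i] = req[i] & sf;  /* NONE cancels previous options, starts a new set */
        else
            cur->options[i] |= req[i] & sf; /* otherwise added to the existing options */
    } /* indexes >= max_count keep their current options */
}

/* Options that actually produce audit records for event type i. */
unsigned long model_effective(const struct audit_model *cur, unsigned long i)
{
    return cur->auditing_mode ? cur->options[i] : 0;
}

int main(void)
{
    struct audit_model p = { 1, { 3, 3, 3, 3 } }; /* constructed: success+failure everywhere */
    unsigned long req[2] = { POLICY_AUDIT_EVENT_SUCCESS,
                             POLICY_AUDIT_EVENT_NONE | POLICY_AUDIT_EVENT_SUCCESS };

    model_set(&p, 1, req, 2); /* MaximumAuditEventCount = 2: types 2 and 3 are not touched */
    for (unsigned long i = 0; i < MODEL_EVENT_TYPES; i++)
        printf("type %lu: stored 0x%lx effective 0x%lx\n",
               i, p.options[i], model_effective(&p, i));
    return 0;
}
```

In the model, type 0 still audits failures after the set because the request only added SUCCESS, while type 1 was reset to SUCCESS only through POLICY_AUDIT_EVENT_NONE.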
Remarks
LSA Policy defines a mask for the valid event auditing options. The POLICY_AUDIT_EVENT_MASK mask evaluates to TRUE if it is set equal to any of the preceding event auditing options.
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Header | ntsecapi.h |