Auditing
Auditing is the layer of the access check that records what happened, separate from deciding what gets allowed. Audit ACEs in an object's SACL fire events when matching access occurs. Token audit policy fires events independently of the SACL. All events travel through KMES to userspace consumers. This page covers the model and where each kind of audit fits.
Concept: Audit ACEs in an object's SACL fire events when matching access occurs. SYSTEM_AUDIT ACEs fire once per access, at handle creation. SYSTEM_ALARM ACEs configure per-operation audit on the open handle. This page covers both types, the conditional variants, the audit polarity rule for SID matching, and the UNKNOWN-fires-the-event rule.
Concept: Some audit events fire independently of any SACL ACE. Privilege-use events fire when a privilege contributes to the granted mask. The token's audit_policy bitmask forces success or failure events on object access regardless of the SACL. This page covers both mechanisms, when they fire, and how they interact with SACL-driven audit.
Concept: Audit events are msgpack maps with UTF-8 keys, emitted by the kernel through KMES to userspace consumers. This page covers the event schemas (access-audit, continuous-audit, privilege-use, logon-session-destroyed) and how the transport pipeline works.