2.2.4.3 POLICY_AUDIT_LOG_INFO

The POLICY_AUDIT_LOG_INFO structure contains information about the state of the audit log. The following structure corresponds to the PolicyAuditLogInformation information class.

 typedef struct _POLICY_AUDIT_LOG_INFO {
   unsigned long AuditLogPercentFull;
   unsigned long MaximumLogSize;
   LARGE_INTEGER AuditRetentionPeriod;
   unsigned char AuditLogFullShutdownInProgress;
   LARGE_INTEGER TimeToShutdown;
   unsigned long NextAuditRecordId;
 } POLICY_AUDIT_LOG_INFO,
  *PPOLICY_AUDIT_LOG_INFO;

AuditLogPercentFull: A measure of how full the audit log is, as a percentage.

MaximumLogSize: The maximum size of the auditing log, in kilobytes (KB).

AuditRetentionPeriod: The auditing log retention period, a 64-bit signed integer that represents the number of 100-nanosecond intervals since January 1, 1601, UTC. An audit record can be discarded if its time stamp predates the current time minus the retention period.

AuditLogFullShutdownInProgress: A Boolean flag that indicates whether a system shutdown is being initiated because the security audit log has become full. This condition occurs only if the system is configured to shut down when the log becomes full.

After a shutdown has been initiated, this flag MUST be set to TRUE (nonzero). If an administrator can correct the situation before the shutdown becomes irreversible, this flag MUST be reset to FALSE (0).

This field MUST be ignored for set operations.

TimeToShutdown: A 64-bit value that represents the number of 100-nanosecond intervals since January 1, 1601, UTC. If the AuditLogFullShutdownInProgress flag is set, this field MUST contain the time left before the shutdown becomes irreversible.

NextAuditRecordId: Not in use. This field SHOULD be set to zero when sent, and MUST be ignored on receipt.
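The following C sketch is an added example, not part of the specification. It shows how a monitoring client could apply the field rules above to an already-unmarshalled structure. The fixed-width type mapping, the helper names (`record_discardable`, `interpret_received`, `prepare_for_set`), the `warn_percent` threshold, and the reading of AuditRetentionPeriod and TimeToShutdown as counts of 100-nanosecond units are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* In-memory mirror of POLICY_AUDIT_LOG_INFO (field names from the page).
   Assumption: LARGE_INTEGER is modelled as int64_t; this is not NDR wire data. */
typedef struct {
    uint32_t AuditLogPercentFull;
    uint32_t MaximumLogSize;                 /* kilobytes */
    int64_t  AuditRetentionPeriod;           /* 100-ns units */
    uint8_t  AuditLogFullShutdownInProgress; /* Boolean: any nonzero is TRUE */
    int64_t  TimeToShutdown;                 /* 100-ns units */
    uint32_t NextAuditRecordId;              /* not in use */
} audit_log_info;

#define TICKS_PER_SECOND 10000000LL /* 100-ns intervals per second */

typedef struct { /* hypothetical summary type for a monitoring client */
    bool    near_full;
    bool    shutdown_pending;
    int64_t seconds_to_shutdown; /* meaningful only if shutdown_pending */
} audit_log_status;

/* Retention rule from the page: a record can be discarded if its time stamp
   predates (now - retention). All arguments are 100-ns tick counts. */
bool record_discardable(int64_t record_ts, int64_t now, int64_t retention)
{
    if (retention < 0 || retention > now) /* assumption: invalid input keeps the record */
        return false;
    return record_ts < now - retention;
}

/* Receive side: TimeToShutdown is read only when the flag is set, and
   NextAuditRecordId is never read (MUST be ignored on receipt). */
audit_log_status interpret_received(const audit_log_info *in, uint32_t warn_percent)
{
    audit_log_status s = { false, false, 0 };
    s.near_full = in->AuditLogPercentFull >= warn_percent;
    s.shutdown_pending = in->AuditLogFullShutdownInProgress != 0;
    if (s.shutdown_pending)
        s.seconds_to_shutdown = in->TimeToShutdown / TICKS_PER_SECOND;
    return s;
}

/* Send side: NextAuditRecordId SHOULD be zero; the shutdown flag is ignored
   by the receiver on set operations, so it is cleared rather than relied on. */
void prepare_for_set(audit_log_info *out)
{
    out->NextAuditRecordId = 0;
    out->AuditLogFullShutdownInProgress = 0;
}
```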