Audit entry data structures consist of a fixed-length header followed by 0 or more variable-length audit entry data structures.

In addition to the information contained within it, a data structure can specify that an additional variable-length ASCIIZ string is to be included. To do this, an unsigned short offset is used, where the address of the additional ASCIIZ string is equal to the address of the variable-length structure plus the offset.

For example, assume that ap points to a buffer containing a complete audit entry and that ae_type contains the value AE_CONNSTOP, specifying the predefined ae_connstop data structure. To make the variable computer_name point to the ASCIIZ string containing the name of the client whose connection was stopped, an application would perform the following algorithm:

struct audit_entry * ap;           /* fixed portion of audit entry */
struct ae_connstop * acp;          /* variable-length structure */
unsigned char * computer_name;     /* pointer to variable-length string */
                     /* calculate offset to variable-length struct */
 
acp = (struct ae_connstop *) ((unsigned char *) ap + ap-> ae_data_offset);
 
                              /* calculate offset to computer name */
 
computer_name = (unsigned char *) acp + acp -> ae_cp_compname;

Some of the structures point to more than one data item. To ensure that an item is used, the programmer must test for a null pointer and for a null string. For example, many audit data structures have a user name and a computer name. If the user name is not significant, then the computer name must be used instead. To determine if the user name is significant, check whether ae_so_username is 0 (null pointer) or whether it points to a 0 (null string).