AuditEvents are generated as a result of an action taken on the Server by a Client of the Server. For example, in response to a Client issuing a write to a Variable, the Server would generate an AuditEvent describing the Variable as the source and the user and Client Session as the initiators of the Event. Not all Servers support auditing, but if a Server supports auditing then it shall support audit Events as described in 5.6. Profiles (see OPC 10000-7) can be used to determine if a Server supports auditing. Servers shall generate Events of the AuditHistoryUpdateEventType or a sub-type of this type for all invocations of the HistoryUpdate Service on any HistoricalNode. See OPC 10000-3 and OPC 10000-5 for details on the AuditHistoryUpdateEventType model. In the case where the HistoryUpdate Service is invoked to insert Historical Events, the AuditHistoryEventUpdateEventType Event shall include the EventId of the inserted Event and a description that indicates that the Event was inserted. In the case where the HistoryUpdate Service is invoked to delete records, the AuditHistoryDeleteEventType or one of its sub-types shall be generated. See 6.7 for details on updating historical data or Events.

In particular using the Delete raw or Delete modified functionality shall generate an AuditHistoryRawModifyDeleteEventType Event or a sub-type of it. Using the Delete at time functionality shall generate an AuditHistoryAtTimeDeleteEventType Event or a sub-type of it. Using the Delete Event functionality shall generate an AuditHistoryEventDeleteEventType Event or a sub-type of it. All other updates shall follow the guidelines provided in the AuditHistoryUpdateEventType model.