audit.cfg File Trace Messages On a User Events Filter Syntax
Audit records that belong to a trace message on a user event have the following filter format:
TRACE;TracedClassName;TracedObjectName;RealUserName;EffectiveUserName;ACUserName;AuthorizationResult;TraceMessage
The maximum limit for the trace filter is 1000 records.
- TRACE: Specifies that the rule filters user trace records.
- TracedClassName: Defines the name of the object class the user tried to access. Enter the name of the class in uppercase.
- TracedObjectName: Defines the name of the object that the user tried to access.
- RealUserName: (UNIX) Defines the name of the real user that generated the trace record. (Windows) Defines the name of the native user that generated the trace record.
- EffectiveUserName: (UNIX) Defines the name of the effective user that generated the trace record. (Windows) Defines the name of the native user that generated the trace record. This parameter is identical to the RealUserName parameter. Use * for this parameter.
- ACUserName: Defines the user name PAM Server Control chose to authorize the event.
- AuthorizationResult: Defines the authorization result. Values: P (permitted), D (denied), *
- TraceMessage: Defines the trace message that was generated.
Example: Filter Trace On a User Message Events
This example filters all user trace records generated when the effective user is root, and root accessed an object in the FILE class:
TRACE;FILE;*;*;root;*;*;*
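
The following is an added example, not part of the product documentation or PAM Server Control itself: a small Python linter that checks TRACE rules against the field rules listed above before they go into audit.cfg. The function names, the platform argument, and all sample rules other than the first are constructed for illustration, and the code assumes that field values never contain a semicolon.

```python
# Added example: lint TRACE rules from audit.cfg against the documented field rules.
FIELDS = ("TRACE", "TracedClassName", "TracedObjectName", "RealUserName",
          "EffectiveUserName", "ACUserName", "AuthorizationResult", "TraceMessage")
RESULTS = {"P", "D", "*"}  # permitted, denied, any

def parse_trace_rule(line):
    """Split one rule into a field dict; raise ValueError if it is not a TRACE rule."""
    parts = line.strip().split(";")  # assumption: field values contain no ';'
    if parts[0] != "TRACE":
        raise ValueError("not a TRACE rule")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, found {len(parts)}")
    return dict(zip(FIELDS, parts))

def lint_trace_rule(line, platform="unix"):
    """Return a list of problems for one rule; an empty list means it passed."""
    try:
        rule = parse_trace_rule(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    cls = rule["TracedClassName"]
    if cls != cls.upper():
        problems.append(f"TracedClassName {cls!r} must be uppercase")
    result = rule["AuthorizationResult"]
    if result not in RESULTS:
        problems.append(f"AuthorizationResult {result!r} is not P, D or *")
    if platform == "windows" and rule["EffectiveUserName"] != "*":
        problems.append("EffectiveUserName should be * on Windows")
    return problems

def wildcard_fields(line):
    """Names of the fields set to a bare *, to show how broad a rule is."""
    rule = parse_trace_rule(line)
    return [name for name, value in rule.items() if value == "*"]

# Sample rules: the first is the example from the page, the rest are constructed.
SAMPLES = [
    "TRACE;FILE;*;*;root;*;*;*",
    "TRACE;file;*;*;root;*;*;*",
    "TRACE;FILE;*;*;root;*;X;*",
    "TRACE;FILE;*;root;*",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_trace_rule(sample) or "OK")
```

The wildcard_fields helper is useful when reviewing audit.cfg changes, because a rule with most fields set to * covers far more trace records than one scoped to a specific object, user, and result.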