audit.cfg File Trace Messages On a User Events Filter Syntax

Audit records that belong to a trace message on a user event have the following filter format:
TRACE;TracedClassName;TracedObjectName;RealUserName;EffectiveUserName;ACUserName;AuthorizationResult;TraceMessage
The maximum limit for the trace filter is 1000 records.
  • TRACE
    Specifies that the rule filters user trace records.
  • TracedClassName
    Defines the name of the object class the user tried to access.
    Enter the name of the class in uppercase.
  • TracedObjectName
    Defines the name of the object that the user tried to access.
  • RealUserName
    (UNIX) Defines the name of the real user that generated the trace record.
    (Windows) Defines the name of the native user that generated the trace record.
  • EffectiveUserName
    (UNIX) Defines the name of the effective user that generated the trace record.
    (Windows) Defines the name of the native user that generated the trace record. This parameter is identical to the RealUserName parameter. Use * for this parameter.
  • ACUserName
    Defines the user name PAM Server Control chose to authorize the event.
  • AuthorizationResult
    Defines the authorization result. Values: P (permitted), D (denied), *
  • TraceMessage
    Defines the trace message that was generated.
Example: Filter Trace On a User Message Events
This example filters all user trace records generated when the effective user is root, and root accessed an object in the FILE class:
TRACE;FILE;*;*;root;*;*;*
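
The following Python sketch is an added example, not part of the product documentation. It checks a TRACE rule against the field rules listed above and shows which constructed sample records the rule would select. The function names, the record dictionaries, and the matching semantics (`*` matches any value, anything else must match exactly) are assumptions made for illustration.

```python
FIELDS = ["TracedClassName", "TracedObjectName", "RealUserName",
          "EffectiveUserName", "ACUserName", "AuthorizationResult",
          "TraceMessage"]

def parse_trace_rule(line):
    """Split one TRACE rule into a dict of its seven fields after the keyword."""
    parts = line.strip().split(";")
    if parts[0] != "TRACE":
        raise ValueError("not a TRACE rule")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    return dict(zip(FIELDS, parts[1:]))

def lint_trace_rule(line, platform="unix"):
    """Return findings for one rule, using the field rules from the list above."""
    try:
        rule = parse_trace_rule(line)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if rule["TracedClassName"] != rule["TracedClassName"].upper():
        findings.append("TracedClassName must be uppercase")
    if rule["AuthorizationResult"] not in ("P", "D", "*"):
        findings.append("AuthorizationResult must be P, D or *")
    if platform == "windows" and rule["EffectiveUserName"] != "*":
        findings.append("use * for EffectiveUserName on Windows")
    if all(value == "*" for value in rule.values()):
        findings.append("every field is *: rule selects all trace records")
    return findings

def matched_records(line, records):
    """Assumed semantics: '*' matches any value, anything else matches exactly."""
    rule = parse_trace_rule(line)
    return [r for r in records
            if all(rule[f] in ("*", r[f]) for f in FIELDS)]

# Constructed sample records for illustration, not real product output.
RECORDS = [
    dict(zip(FIELDS, ["FILE", "/etc/passwd", "alice", "root", "alice", "P", "msg-1"])),
    dict(zip(FIELDS, ["FILE", "/etc/hosts", "bob", "bob", "bob", "D", "msg-2"])),
    dict(zip(FIELDS, ["PROGRAM", "/bin/su", "alice", "root", "alice", "P", "msg-3"])),
]

if __name__ == "__main__":
    rule = "TRACE;FILE;*;*;root;*;*;*"   # the example rule from this page
    print(lint_trace_rule(rule))
    for rec in matched_records(rule, RECORDS):
        print(rec["TracedObjectName"], rec["EffectiveUserName"])
```

Running the linter over every TRACE line before deploying a changed audit.cfg makes malformed or overly broad rules visible during review.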