Inbound Network Connection Event

Inbound network connection events indicate incoming traffic to the protected host. Inbound network events are audited in two forms, depending on which class is activated in the local database. Both audit event types contain identical information but present it in different views. For example, one audit event contains HOST as the class name while the other event displays TCP as the class name.
Audit records in this event have the following format:
Date Time Status Event Service Details Reason Host Program
  • Date
    Identifies the date the event occurred.
    Format: DD MMM YYYY
    Privileged Access Manager Endpoint Management formats the date display according to your computer's settings.
  • Time
    Identifies the time the event occurred.
    Format: HH:MM:SS
    Privileged Access Manager Endpoint Management formats the time display according to your computer's settings.
  • Status
    Indicates the return code for the event.
    Values: Can be one of:
    • D (Denied): Denied the event because of insufficient authorization.
    • P (Permitted): Permitted the event.
    • W (Warning): Permitted the event because Warning mode is set although the access request violates an access rule.
  • Event Type
    Identifies the type of event this record belongs to.
    Privileged Access Manager Endpoint Management refers to this field simply as Event.
  • Service
    Identifies the name of the service that the connection used.
  • Details
    Indicates at which stage Privileged Access Manager decided what action to take for this event.
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in Privileged Access Manager Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Reason
    Indicates the reason that Privileged Access Manager wrote an audit record.
    This field does not display in a detailed seaudit output or in Privileged Access Manager Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
  • Host name
    Identifies the name of the host the network traffic originated from.
  • Program
    (UNIX only) Identifies the name of the program the accessor is attempting to run.
Example: Inbound Network Connection Event Message
The following audit record was taken from a detailed seaudit output.
    17 Nov 2008 12:22:04 D HOST telnet 173 3 computer.org.com /usr/sbin/inetd
    Event type: Inbound network connection
    Status: Denied
    Host name: computer.org.com
    Service: telnet
    Program: /usr/sbin/inetd/
    Date: 17 Nov 2008
    Time: 12:22
    Details: HOST entry day & time restrictions
    Audit flags: AC database user
This audit record indicates that on November 17th 2008, an accessor attempting to access the host computer.org.com using the telnet service to run the inetd program was denied due to day and time restrictions imposed on the protected host (authorization stage code 173: HOST entry day & time restrictions). Privileged Access Manager logged this event because the resource's audit mode specifies that this event should be logged (reason code 3: Resource audit mode required logging).
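The following is an added example, not part of the product documentation or its tooling: a parser for the one-line record in the field order given above, with a triage check for Denied and Warning events. It assumes the default DD MMM YYYY date display with English month names and whitespace-separated fields with no embedded spaces; the function names are hypothetical, and only stage code 173 and reason code 3 are taken from this page.

```python
from datetime import datetime
from typing import NamedTuple, Optional

STATUS = {"D": "Denied", "P": "Permitted", "W": "Warning"}
# Only the two codes quoted in the page's example; `seaudit -t` lists the rest.
STAGE_CODES = {173: "HOST entry day & time restrictions"}
REASON_CODES = {3: "Resource audit mode required logging"}

class InboundEvent(NamedTuple):
    when: datetime
    status: str
    event: str            # class name, HOST in the page's example
    service: str
    stage_code: int       # the Details field
    reason_code: int      # the Reason field
    host: str             # host the traffic originated from
    program: Optional[str]  # UNIX only, so it may be absent

def parse_inbound(line: str) -> InboundEvent:
    """Parse: Date Time Status Event Service Details Reason Host [Program]."""
    tok = line.split()
    if len(tok) not in (10, 11):
        raise ValueError(f"expected 10 or 11 fields, got {len(tok)}")
    when = datetime.strptime(" ".join(tok[:4]), "%d %b %Y %H:%M:%S")
    if tok[4] not in STATUS:
        raise ValueError(f"unknown status {tok[4]!r}")
    return InboundEvent(when, tok[4], tok[5], tok[6], int(tok[7]), int(tok[8]),
                        tok[9], tok[10] if len(tok) == 11 else None)

def describe(ev: InboundEvent) -> str:
    stage = STAGE_CODES.get(ev.stage_code, f"stage code {ev.stage_code}")
    reason = REASON_CODES.get(ev.reason_code, f"reason code {ev.reason_code}")
    return (f"{ev.when:%Y-%m-%d %H:%M:%S} {STATUS[ev.status]} {ev.service} "
            f"from {ev.host}: {stage} ({reason})")

def needs_review(ev: InboundEvent) -> bool:
    # Denied events, and Warning events (permitted despite a rule violation).
    return ev.status in ("D", "W")

# First record is the page's example; the rest are constructed, and "0 0" are placeholder codes.
SAMPLE = [
    "17 Nov 2008 12:22:04 D HOST telnet 173 3 computer.org.com /usr/sbin/inetd",
    "17 Nov 2008 12:25:10 W HOST telnet 173 3 host2.example.com /usr/sbin/inetd",
    "18 Nov 2008 09:01:15 P HOST ftp 0 0 host3.example.com",
]

if __name__ == "__main__":
    for ev in map(parse_inbound, SAMPLE):
        print("REVIEW" if needs_review(ev) else "ok    ", describe(ev))
```

Codes missing from the two small tables are reported by number, so the output of seaudit -t is still needed to interpret them.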