audit.cfg File Login and Logout Events Filter Syntax
Audit records that belong to a login or logout event have the following filter format:
LOGIN;UserName;UserId;TerminalName;LoginProgram;AuthorizationResultOrLoginType
- LOGIN: Specifies that the rule filters audit records generated by login and logout events.
- UserName: Defines the name of the accessor.
- UserId: (UNIX) Defines the native user ID of the accessor.
- TerminalName: Defines the terminal at which the event occurred.
- LoginProgram: Defines the name of the program that attempted to log in or out.
- AuthorizationResultOrLoginType: Defines the authorization result. Values:
  - *: A wildcard that represents any type of authorization result.
  - D: The login attempt was denied.
  - P: The login attempt was permitted.
  - O: (UNIX) The accessor logged out.
  - I: (UNIX) The serevu daemon revoked the accessor's account.
  - E: (UNIX) The serevu daemon enabled the accessor's account.
  - A: (UNIX) The serevu daemon or Pluggable Authentication Module audited a user's attempt to log in with an incorrect password.
Windows does not record logout events.
Examples: Filter Login or Logout Events
- This example filters all audit records generated when root logs in to a permitted account:
  LOGIN;root;*;*;*;P
- This example filters all audit records generated when root logs in successfully due to the system's CRON program:
  LOGIN;root;*;*;SBIN_CRON;P
- This example filters all audit records generated when the _CRONJOB_ process logs the root user out:
  LOGIN;root;*;_CRONJOB_;*;O
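The following Python sketch is an added example, not part of the product or its documentation. It parses LOGIN rules in the format above and reports which denied (D) or incorrect-password (A) records a rule set would filter, which is useful when reviewing an audit.cfg file. The record dictionaries, the third rule, the function names, and the shell-style handling of `*` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

FIELDS = ("user_name", "user_id", "terminal", "program", "result")
# Result codes listed on this page; "*" matches any of them.
RESULT_CODES = {"*", "D", "P", "O", "I", "E", "A"}


def parse_rule(line):
    """Split one LOGIN rule into its fields, rejecting malformed lines."""
    parts = line.strip().split(";")
    if len(parts) != 6 or parts[0] != "LOGIN":
        raise ValueError(f"not a six-field LOGIN rule: {line!r}")
    rule = dict(zip(FIELDS, parts[1:]))
    if rule["result"] not in RESULT_CODES:
        raise ValueError(f"unknown result code {rule['result']!r} in {line!r}")
    return rule


def matches(rule, record):
    """True when every rule field matches the record.

    Assumption: "*" is matched shell-style (fnmatch), case-sensitively.
    """
    return all(fnmatchcase(record[f], rule[f]) for f in FIELDS)


def suppressed_failures(rule_lines, records):
    """Return the denied (D) or bad-password (A) records that some rule filters."""
    rules = [parse_rule(line) for line in rule_lines]
    return [r for r in records
            if r["result"] in ("D", "A") and any(matches(x, r) for x in rules)]


# Constructed sample data, not taken from a real audit log.
RULES = ["LOGIN;root;*;*;*;P", "LOGIN;root;*;*;SBIN_CRON;P", "LOGIN;*;*;*;*;D"]
RECORDS = [
    {"user_name": "root", "user_id": "0", "terminal": "tty1", "program": "SBIN_CRON", "result": "P"},
    {"user_name": "alice", "user_id": "1001", "terminal": "pts/0", "program": "SSHD", "result": "D"},
    {"user_name": "alice", "user_id": "1001", "terminal": "pts/0", "program": "SSHD", "result": "A"},
]

if __name__ == "__main__":
    for rec in suppressed_failures(RULES, RECORDS):
        print("failure record would be filtered:", rec)
```

With the constructed data, only the denied login for alice is reported, because the broad third rule matches it; the incorrect-password record is not covered by any rule.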