audit.cfg File Network Connection Events Filter Syntax
Audit records that belong to a network connection event have the following filter format:
{HOST|TCP};ObjectName;HostName;ProgramPath;Access;AuthorizationResult
- HOST: Specifies that the rule filters records generated by objects in the HOST class, that is, incoming TCP connections.
- TCP: Specifies that the rule filters records generated by objects in the TCP class, that is, connect-with-service events.
- ObjectName: Defines the name of the object that was accessed. ObjectName can be a service name or a port number.
- HostName: Defines the name of the host. HostName must be an object in the HOST class.
- ProgramPath: Defines the login program type. (Windows) For outgoing connections, this parameter defines the program path of the process trying to establish the connection. This parameter has no meaning for incoming connection events; use * for this parameter to filter audit records generated by incoming connection events.
- Access: Defines the type of attempted connection. Values:
  - (HOST) *
  - (TCP) R (incoming connection), W (outgoing connection), *
- AuthorizationResult: Defines the authorization result. Values: P (permitted), D (denied), *
Examples: Filter Network Connection Events
- This example filters all audit records from the host ca.com generated by successful incoming telnet connections:
  HOST;telnet;ca.com;*;*;P
- This example filters all audit records from the host ca.com generated by incoming and outgoing login TCP connections that were denied:
  TCP;login;ca.com;*;*;D
- This example filters all audit records from the host ca.com generated by outgoing telnet connections:
  TCP;telnet;ca.com;*;W;*
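As an added illustration of the filter format (not code from the product or from this page), the following Python parses filter lines of the form above, rejects values outside the documented sets, and applies the three example filters to constructed audit records. The AuditRecord shape, the hypothetical program paths, the exact-string matching of ObjectName (no service-name-to-port resolution) and the treatment of a bare * as the only wildcard are assumptions made for the example.

```python
from dataclasses import dataclass

# Field order of one audit.cfg network-connection filter line.
FIELDS = ("cls", "object_name", "host_name", "program_path", "access", "result")

@dataclass(frozen=True)
class AuditRecord:
    """Constructed stand-in for one network connection audit record (assumed shape)."""
    cls: str           # "HOST" (incoming connection) or "TCP" (connect with service)
    object_name: str   # service name or port number; matched as an exact string here
    host_name: str     # peer host; must be an object in the HOST class
    program_path: str  # "*" for incoming events, where the field has no meaning
    access: str        # "*" for HOST records; "R" or "W" for TCP records
    result: str        # "P" (permitted) or "D" (denied)

def parse_filter(line: str) -> dict:
    """Split a filter line into its six fields and check the value sets the syntax allows."""
    parts = line.strip().split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} ';'-separated fields: {line!r}")
    rule = dict(zip(FIELDS, parts))
    if rule["cls"] not in ("HOST", "TCP"):
        raise ValueError(f"class must be HOST or TCP: {line!r}")
    allowed_access = {"*"} if rule["cls"] == "HOST" else {"R", "W", "*"}
    if rule["access"] not in allowed_access:
        raise ValueError(f"Access {rule['access']!r} is not valid for {rule['cls']}: {line!r}")
    if rule["result"] not in ("P", "D", "*"):
        raise ValueError(f"AuthorizationResult must be P, D or *: {line!r}")
    return rule

def matches(rule: dict, rec: AuditRecord) -> bool:
    """A bare '*' in a filter field matches anything; any other value must match exactly."""
    return all(rule[f] == "*" or rule[f] == getattr(rec, f) for f in FIELDS)

def select(filters, records):
    """Return the records that at least one of the filter lines selects."""
    rules = [parse_filter(f) for f in filters]
    return [rec for rec in records if any(matches(r, rec) for r in rules)]

# The three filter lines from the examples above.
PAGE_FILTERS = ["HOST;telnet;ca.com;*;*;P", "TCP;login;ca.com;*;*;D", "TCP;telnet;ca.com;*;W;*"]

# Constructed sample records; the program paths are hypothetical.
SAMPLE_RECORDS = [
    AuditRecord("HOST", "telnet", "ca.com", "*", "*", "P"),               # selected by filter 1
    AuditRecord("TCP", "login", "ca.com", "/usr/bin/rlogin", "R", "D"),   # selected by filter 2
    AuditRecord("TCP", "telnet", "ca.com", "/usr/bin/telnet", "W", "P"),  # selected by filter 3
    AuditRecord("TCP", "telnet", "ca.com", "/usr/bin/telnet", "R", "P"),  # incoming: not selected
    AuditRecord("HOST", "telnet", "ca.com", "*", "*", "D"),               # denied: not selected
]
```

Calling select(PAGE_FILTERS, SAMPLE_RECORDS) returns the first three records only; a filter such as HOST;telnet;ca.com;*;W;P is rejected by parse_filter because W is not a valid Access value for the HOST class.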