audit.cfg File Network Connection Events Filter Syntax

Audit records that belong to a network connection event have the following filter format:
{HOST|TCP};ObjectName;HostName;ProgramPath;Access;AuthorizationResult
  • HOST
    Specifies that the rule filters records generated by objects in HOST class, that is, incoming TCP connections.
  • TCP
    Specifies that the rule filters records generated by objects in TCP class, that is, connect with service events.
  • ObjectName
    Defines the name of the object that was accessed. ObjectName can be a service name or a port number.
  • HostName
    Defines the name of the host. HostName must be an object in the HOST class.
  • ProgramPath
    Defines the login program type.
    (Windows) For outgoing connections, this parameter defines the program path of the process trying to establish the connection.
    This parameter has no meaning for incoming connection events. Use * for this parameter to filter audit records generated by incoming connection events.
  • Access
    Defines the type of attempted connection.
    Values:
    • (HOST) *
    • (TCP) R (incoming connection), W (outgoing connection), *
  • AuthorizationResult
    Defines the authorization result.
    Values:
    P (permitted), D (denied), *
Examples: Filter Network Connection Events
  • This example filters all audit records from the host ca.com generated by successful incoming telnet connections:
    HOST;telnet;ca.com;*;*;P
  • This example filters all audit records from the host ca.com generated by incoming and outgoing login TCP connections that were denied:
    TCP;login;ca.com;*;*;D
  • This example filters all audit records from the host ca.com generated by outgoing telnet connections:
    TCP;telnet;ca.com;*;W;*
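The following is an added example, not code from the product or its documentation: a small parser and matcher for the six-field network connection filter line described above, run over a handful of constructed audit records. It validates the per-class Access values and the AuthorizationResult values listed above, and it rejects a ProgramPath other than * on a HOST filter, since the page says that field has no meaning for incoming connection events. The record layout (a dict with one key per filter field), the sample records and the rule that * matches any value are assumptions made for the example; they are not stated on the page.

```python
"""Parser and matcher for audit.cfg network connection filter lines.

Added example, not the product's own code. Assumptions (not on the page):
audit records are dicts keyed by the six filter fields, '*' matches any
value, and matching is exact and case-sensitive otherwise.
"""

from dataclasses import dataclass

CLASSES = {"HOST", "TCP"}
# Access values the page lists for each class.
ACCESS_BY_CLASS = {"HOST": {"*"}, "TCP": {"R", "W", "*"}}
RESULTS = {"P", "D", "*"}


@dataclass(frozen=True)
class NetFilter:
    cls: str           # HOST or TCP
    object_name: str   # service name or port number
    host_name: str     # object in the HOST class
    program_path: str  # program path for outgoing connections, * otherwise
    access: str        # R, W or * (HOST filters: * only)
    result: str        # P, D or *


def parse_filter(line: str) -> NetFilter:
    """Parse one filter line; raise ValueError on malformed input."""
    fields = line.strip().split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 ';'-separated fields, got {len(fields)}: {line!r}")
    cls, obj, host, prog, access, result = fields
    if cls not in CLASSES:
        raise ValueError(f"class must be HOST or TCP, got {cls!r}")
    if access not in ACCESS_BY_CLASS[cls]:
        raise ValueError(f"access {access!r} is not valid for class {cls}")
    if result not in RESULTS:
        raise ValueError(f"authorization result must be P, D or *, got {result!r}")
    # Assumption: treat a non-* ProgramPath on a HOST filter as an error,
    # because the field has no meaning for incoming connection events.
    if cls == "HOST" and prog != "*":
        raise ValueError("ProgramPath has no meaning for HOST (incoming) events; use *")
    return NetFilter(cls, obj, host, prog, access, result)


def is_valid_filter(line: str) -> bool:
    """True if the line parses as a filter, False otherwise."""
    try:
        parse_filter(line)
    except ValueError:
        return False
    return True


def _field_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def record_matches(f: NetFilter, rec: dict) -> bool:
    """True if every field of the filter matches the record."""
    return (
        f.cls == rec["class"]
        and _field_matches(f.object_name, rec["object"])
        and _field_matches(f.host_name, rec["host"])
        and _field_matches(f.program_path, rec.get("program", ""))
        and _field_matches(f.access, rec.get("access", ""))
        and _field_matches(f.result, rec["result"])
    )


# Constructed sample records (not real audit output). HOST records carry no
# program path or access type, mirroring the * the page prescribes for them.
SAMPLE_RECORDS = [
    {"class": "HOST", "object": "telnet", "host": "ca.com", "result": "P"},                                      # 0
    {"class": "HOST", "object": "telnet", "host": "ca.com", "result": "D"},                                      # 1
    {"class": "TCP", "object": "login", "host": "ca.com", "program": "/usr/bin/rlogin", "access": "W", "result": "D"},  # 2
    {"class": "TCP", "object": "login", "host": "ca.com", "program": "*", "access": "R", "result": "D"},                # 3
    {"class": "TCP", "object": "telnet", "host": "ca.com", "program": "/usr/bin/telnet", "access": "W", "result": "P"}, # 4
    {"class": "TCP", "object": "telnet", "host": "other.example", "program": "/usr/bin/telnet", "access": "W", "result": "P"},  # 5
]


def select(filter_line: str, records=SAMPLE_RECORDS) -> list:
    """Return the indices of the records the filter line selects."""
    f = parse_filter(filter_line)
    return [i for i, r in enumerate(records) if record_matches(f, r)]


if __name__ == "__main__":
    # The three example filters from the page, applied to the sample records.
    for line in ("HOST;telnet;ca.com;*;*;P", "TCP;login;ca.com;*;*;D", "TCP;telnet;ca.com;*;W;*"):
        print(line, "->", select(line))
```

Against the sample records, the first page example selects only the permitted incoming telnet record, the second selects both the incoming and the outgoing denied login records because its Access field is *, and the third selects only the outgoing telnet record from ca.com. A filter such as HOST;telnet;ca.com;*;W;P is rejected at parse time because W is not a valid Access value for the HOST class.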