How to Change What CA Access Control Writes to the Audit Log

Endpoint Administration Guide for Windows › Monitoring and Auditing › What CA Access Control Audits › How to Change What CA Access Control Writes to the Audit Log

How to Change What CA Access Control Writes to the Audit Log

You can change what CA Access Control writes to the audit log in two ways:

Use the AUDIT property of the resources or accessors to define the audit events that CA Access Control writes to the audit log.
Note: You can use the AUDIT property for a GROUP or XGROUP to set the audit property for all members of the group. However, you cannot use the AUDIT property to set the audit mode for group members if a user's audit mode is defined in a USER record, XUSER record, or profile group.
Use the audit configuration file audit.cfg to filter the events CA Access Control sends to the audit log. You cannot use the audit.cfg file to add events to the audit log.

To reduce the number of audit records, you can also control consecutive audit events written to the log file. This customization is based on time interval between consecutive matching audit events (that is, an access to a resource with the same process ID, thread ID, rule ID, user ID, and access mask). The time interval, in seconds, can be set by setting the value of the AuditRefreshPeriod registry entry. By default, the AuditRefreshPeriod is set to zero (0), which means that all events are written to the log file.

More information:

Defining the Audit Events That CA Access Control Writes to the Audit Log