

Filter Not Applied if Host is Assigned Multiple IP Addresses

Symptom

I configured the audit.cfg to filter TCP events on a host that is assigned multiple IP addresses using the host name. After I applied the filter, I cannot see the TCP logs for all the IP addresses.

Solution

When you apply the audit.cfg filter, the audit system resolves the host name to the IP address of the host and the host IP address to the host name. If the host is configured with more than one IP address, the audit.cfg filter applies to the first IP address only.

To apply the audit.cfg filter to all IP addresses, specify every IP address of the host in the filter instead of the host name, for example:

TCP;*;192.168.30.138;*;R;P
TCP;*;192.168.30.139;*;R;P
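
The following added example (not CA ControlMinder code) rewrites TCP filter lines that name a host into one line per resolved IP address, so that no address of a multi-homed host is left out of the filter. It assumes only what the example above shows, that the host is the third semicolon-separated field; the function names, the host name apphost01 and the lookup table are constructed for illustration.

```python
import ipaddress
import socket

def resolve_all(host):
    """Return every IPv4 address the host name resolves to (needs a working resolver)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)

def is_ip(value):
    """True if value is a literal IP address rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def expand_tcp_rules(lines, resolver=resolve_all):
    """Replace each TCP line that names a host with one line per IP address."""
    out = []
    for line in lines:
        fields = line.strip().split(";")
        # Assumption: the host is the third field, as in the page's example.
        # Leave non-TCP lines, wildcards and literal IP addresses untouched.
        if (len(fields) < 3 or fields[0] != "TCP"
                or "*" in fields[2] or is_ip(fields[2])):
            out.append(line.strip())
            continue
        for addr in resolver(fields[2]):
            out.append(";".join(fields[:2] + [addr] + fields[3:]))
    return out

# Constructed sample input: one rule by host name, one already by IP address.
SAMPLE = ["TCP;*;apphost01;*;R;P", "TCP;*;192.168.30.140;*;R;P"]
# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {"apphost01": ["192.168.30.138", "192.168.30.139"]}

if __name__ == "__main__":
    for rule in expand_tcp_rules(SAMPLE, resolver=FAKE_DNS.__getitem__):
        print(rule)
```

The generated rules are static, so regenerate them whenever an address is added to or removed from the host.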