Audit records that belong to a network connection event have the following filter format:
{HOST|TCP};ObjectName;HostName;ProgramPath;Access;AuthorizationResult
HOST
Specifies that the rule filters records generated by objects in HOST class, that is, incoming TCP connections.
TCP
Specifies that the rule filters records generated by objects in TCP class, that is, connect with service events.
ObjectName
Defines the name of the object that was accessed. ObjectName can be a service name or port number.
HostName
Defines the name of the host. HostName must be an object in the HOST class.
ProgramPath
Defines the login program type.
(Windows) For outgoing connections, this parameter defines the program path of the process trying to establish the connection.
Note: This parameter has no meaning for incoming connection events. Use * for this parameter to filter audit records generated by incoming connection events.
Access
Defines the type of attempted connection.
Values:
AuthorizationResult
Defines the authorization result.
Values: P (permitted), D (denied), *
Examples: Filter Network Connection Events
HOST;telnet;ca.com;*;*;P
TCP;login;ca.com;*;*;D
TCP;telnet;ca.com;*;W;*
Copyright © 2013 CA Technologies.
All rights reserved.