Reference Guide › Configuration Files › audit.cfg File—Filter Audit Records › audit.cfg File—Network Connection Events Filter Syntax

audit.cfg File—Network Connection Events Filter Syntax

Audit records that belong to a network connection event have the following filter format:

{HOST|TCP};ObjectName;HostName;ProgramPath;Access;AuthorizationResult

HOST

Specifies that the rule filters records generated by objects in HOST class, that is, incoming TCP connections.

TCP

Specifies that the rule filters records generated by objects in TCP class, that is, connect with service events.

ObjectName

Defines the name of the object that was accessed. ObjectName can be a service name or port number.

HostName

Defines the name of the host. HostName must be an object in the HOST class.

ProgramPath

Defines the login program type.

(Windows) For outgoing connections, this parameter defines the program path of the process trying to establish the connection.

Note: This parameter has no meaning for incoming connection events. Use * for this parameter to filter audit records generated by incoming connection events.

Access

Defines the type of attempted connection.

Values:

• (HOST) *
• (TCP) R (incoming connection), W (outgoing connection), *

AuthorizationResult

Defines the authorization result.

Values: P (permitted), D (denied), *

Examples: Filter Network Connection Events

• This example filters all audit records from the host ca.com generated by successful incoming telnet connections:

  HOST;telnet;ca.com;*;*;P
  

• This example filters all audit records from the host ca.com generated by incoming and outgoing login TCP connections that were denied:

  TCP;login;ca.com;*;*;D
  

• This example filters all audit records from the host ca.com generated by outgoing telnet connections:

  TCP;telnet;ca.com;*;W;*