Reference Guide › Configuration Files › audit.cfg File—Filter Audit Records › audit.cfg File—Login and Logout Events Filter Syntax

audit.cfg File—Login and Logout Events Filter Syntax

Audit records that belong to a login or logout event have the following filter format:

LOGIN;UserName;UserId;TerminalName;LoginProgram;AuthorizationResultOrLoginType

LOGIN

Specifies that the rule filters audit records generated by login and logout events.

UserName

Defines the name of the accessor.

UserId

(UNIX) Defines the native user ID of the accessor.

TerminalName

Defines the terminal at which the event occurred.

LoginProgram

Defines the name of the program that attempted to log in or out.

AuthorizationResultorLoginType

Defines the authorization result.

Values:

*

A wildcard that represents any type of authorization result.

D

The login attempt was denied.

P

The login attempt was permitted.

O

(UNIX) The accessor logged out.

I

(UNIX) The serevu daemon revoked the accessor's account.

E

(UNIX) The serevu daemon enabled the accessor's account.

A

(UNIX) The serevu daemon or Pluggable Authentication Module audited a user's attempt to log in with an incorrect password.

Note: Windows does not record logout events.

Examples: Filter Login or Logout Events

• This example filters all audit records generated when root logs in to a permitted account:

  LOGIN;root;*;*;*;P
  

• This example filters all audit records generated when root logs in successfully due to the system's CRON program:

  LOGIN;root;*;*;SBIN_CRON;P
  

• This example filters all audit records generated when the _CRONJOB_ process logs the root user out:

  LOGIN;root;*;_CRONJOB_;*;O