

The kblaudit.cfg—Filter Keyboard Logger Audit Records

Valid on UNIX

The kblaudit.cfg file filters audit records on a host by defining which records are sent to the audit file. Each line represents a rule for filtering out audit information. The filter rules you configure apply to the kbl.audit file.

By default, the kblaudit.cfg file is located in the following directory:

/opt/CA/AccessControl/etc

The kblaudit.cfg file contains two sections, [EXCLUDE] and [INCLUDE], to help you filter keyboard logger audit records. Each section contains entries, and each entry represents a filter rule.

Example: The kblaudit.cfg filter sections

The following snippet of the kblaudit.cfg file is an example of how you edit the [EXCLUDE] and [INCLUDE] sections:

[EXCLUDE]
TRACE;*;*;test_user; test_user; test_user;*;*seos.ini*
[INCLUDE]
TRACE;*;*; test_user; test_user; test_user;*;*AccessControl*

In this example, the [EXCLUDE] rule excludes from the kbl.audit file the audit records from seos.ini for actions that the user test_user performed, and the [INCLUDE] rule includes the records for actions that the user test_user performed in Access Control.

Use the kblaudit.cfg file to filter out records of the following audit event types, each type with a different syntax:

Note: A * in any column in each type of syntax stands for "any value".
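Because a * in every column matches any value, a single [EXCLUDE] line can silence a whole event type. The following added example (not vendor code and not part of the original page) parses the two sections and flags such rules, along with rules of one event type that differ in column count. It assumes that a line starting with # is a comment and that spaces around a column are not significant; the function names are hypothetical.

```python
# Added example, not vendor code: lint a kblaudit.cfg before deploying it.
# Constructed sample: lines 2 and 5 are the page's rules, line 3 is made up.
SAMPLE_CFG = """\
[EXCLUDE]
TRACE;*;*;test_user; test_user; test_user;*;*seos.ini*
TRACE;*;*;*;*;*;*;*
[INCLUDE]
TRACE;*;*; test_user; test_user; test_user;*;*AccessControl*
"""

def parse_kblaudit(text):
    """Return {'EXCLUDE': [(lineno, columns)], 'INCLUDE': [...]}."""
    sections = {"EXCLUDE": [], "INCLUDE": []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current not in sections:
                raise ValueError(f"line {lineno}: unknown section {line}")
            continue
        if current is None:
            raise ValueError(f"line {lineno}: rule outside a section")
        # assumption: spaces around a column are not significant
        sections[current].append((lineno, [c.strip() for c in line.split(";")]))
    return sections

def broad_excludes(sections):
    """EXCLUDE rules with '*' in every column after the event type."""
    return [(n, cols) for n, cols in sections["EXCLUDE"]
            if len(cols) > 1 and all(c == "*" for c in cols[1:])]

def inconsistent_widths(sections):
    """Event types whose rules do not all have the same number of columns."""
    widths = {}
    for rules in sections.values():
        for _, cols in rules:
            widths.setdefault(cols[0], set()).add(len(cols))
    return sorted(t for t, w in widths.items() if len(w) > 1)

if __name__ == "__main__":
    parsed = parse_kblaudit(SAMPLE_CFG)
    for n, cols in broad_excludes(parsed):
        print(f"line {n}: EXCLUDE rule matches every {cols[0]} record")
    for event_type in inconsistent_widths(parsed):
        print(f"{event_type}: rules differ in column count")
```

Running the same check against the deployed file after every change gives a quick signal when a filter rule starts suppressing more keyboard logger records than intended.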