

Kblaudit.cfg—Login Events Filter Syntax

Valid on UNIX

Audit records that belong to a login event have the following filter format:

LOGIN;UserName;UserId;TerminalName;LoginProgram;AuthorizationResult

LOGIN

Specifies that the rule filters user trace records.

UserName

Defines the name of the accessor.

UserId

Defines the native user ID of the accessor.

TerminalName

Defines the remote host name at which the event occurred.

LoginProgram

Defines the name of the program that attempted to log in or out.

Limits: cmdlog

AuthorizationResult

Defines the filed authorization result.

Values:

P - Permitted

D - Denied

O - Logout

I - Inactivate (Disable user) by serevu

E - Enable user login by serevu

A - Password attempt detected

* - A wildcard that represents any value
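
The format above can be checked mechanically before a rule file is deployed. The following linter is an added example, not part of the product or its documentation; it validates the field count, the LoginProgram limit and the AuthorizationResult code, and flags rules whose result matches Denied or Password attempt events for review. Assumptions: `*` is accepted in fields other than AuthorizationResult, whitespace around fields is ignored, and the choice of review-worthy codes is this example's own.

```python
# Added example: lint LOGIN filter rules for kblaudit.cfg (not vendor code).
FIELDS = ("LOGIN", "UserName", "UserId", "TerminalName",
          "LoginProgram", "AuthorizationResult")
# Result codes documented on this page; '*' stands for any of them.
RESULT_CODES = {"P": "Permitted", "D": "Denied", "O": "Logout",
                "I": "Inactivate", "E": "Enable", "A": "Password attempt"}
# Assumption of this example: rules touching these results deserve a review.
REVIEW_CODES = {"D", "A"}


def lint_login_rule(line):
    """Return a list of findings for one LOGIN filter line."""
    parts = [p.strip() for p in line.split(";")]  # assumption: padding is ignored
    if len(parts) != len(FIELDS):
        return [f"expected {len(FIELDS)} fields, found {len(parts)}"]
    findings = []
    program, result = parts[4], parts[5]
    # Assumption: '*' is accepted in LoginProgram; the page lists only cmdlog.
    if program not in ("cmdlog", "*"):
        findings.append(f"LoginProgram '{program}' is outside the documented limit (cmdlog)")
    if result != "*" and result not in RESULT_CODES:
        findings.append(f"AuthorizationResult '{result}' is not a documented code")
        return findings
    matched = set(RESULT_CODES) if result == "*" else {result}
    for code in sorted(matched & REVIEW_CODES):
        findings.append(f"review: rule matches {RESULT_CODES[code]} ({code}) events")
    return findings


def lint_config(text):
    """Map 1-based line number -> findings for each LOGIN line in the text."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip().upper().startswith("LOGIN;"):
            findings = lint_login_rule(line)
            if findings:
                report[number] = findings
    return report


# Constructed sample rules, not taken from a real deployment.
SAMPLE = """LOGIN;*;*;*;cmdlog;O
LOGIN;root;0;*;cmdlog;X
LOGIN;alice;*;host1;P
LOGIN;*;*;*;cmdlog;*
"""

if __name__ == "__main__":
    for number, findings in lint_config(SAMPLE).items():
        print(f"line {number}: {'; '.join(findings)}")
```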