Filter Guides
A filter contains one or more guides. A filter guide contains three elements: audit condition, audit action, and event class.
An audit condition specifies the required outcome (or outcomes) of the event before an audit record is written to the audit trail. These outcomes are not mutually exclusive. The audit conditions are
· success - Records only if event succeeds.
· failure - Records only if event fails.
· denial - Records only if event failed because of access denial.
An audit action specifies where the audit record is written. The audit actions are
· alarm - Displays the audit record on the system console.
· log - Logs the audit record through an audit daemon or directly to an audit trail file.
The audit actions are not mutually exclusive; you can specify both.
The third element of the filter guide specifies the event class or event classes to which the filter will apply (for the specific filter subject identity).
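The following added example (not part of the original documentation or of the audit service's own code) models how the three elements of a filter guide combine to decide where a record for one event is written. The event class names, the `Guide` type and the function names are constructed for illustration, and the example assumes that an access denial also satisfies the failure condition, since a denied event is one that failed.

```python
from dataclasses import dataclass

CONDITIONS = {"success", "failure", "denial"}   # audit conditions named on the page
ACTIONS = {"alarm", "log"}                      # audit actions named on the page


@dataclass
class Guide:
    """One filter guide: audit condition(s), audit action(s), event class(es)."""
    conditions: set
    actions: set
    event_classes: set

    def __post_init__(self):
        # Reject empty or unknown values so a typo cannot silently disable auditing.
        if not self.conditions or not self.conditions <= CONDITIONS:
            raise ValueError(f"bad audit condition(s): {self.conditions}")
        if not self.actions or not self.actions <= ACTIONS:
            raise ValueError(f"bad audit action(s): {self.actions}")
        if not self.event_classes:
            raise ValueError("a guide needs at least one event class")


def satisfied_conditions(succeeded, access_denied=False):
    """Map an event outcome to the set of audit conditions it satisfies."""
    if succeeded:
        return {"success"}
    # Assumption: a denial is a kind of failure, so it satisfies both conditions.
    return {"failure", "denial"} if access_denied else {"failure"}


def actions_for(guides, event_class, succeeded, access_denied=False):
    """Union of audit actions from every guide in the filter that matches."""
    outcome = satisfied_conditions(succeeded, access_denied)
    actions = set()
    for g in guides:
        if event_class in g.event_classes and g.conditions & outcome:
            actions |= g.actions
    return actions


# Constructed filter: denied logins raise an alarm and are logged,
# any other failure in either class is only logged, successes are not recorded.
SAMPLE_FILTER = [
    Guide({"denial"}, {"alarm", "log"}, {"login_events"}),
    Guide({"failure"}, {"log"}, {"login_events", "file_events"}),
]
```

Because no guide in the sample filter lists the success condition, successful events in these classes produce no audit record at all, which is worth checking deliberately when reviewing a filter.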