TRACE log cannot filter with audit.cfg

Document ID : KB000015521
Last Modified Date : 14/02/2018
Introduction:

CA Privileged Identity Manager for Endpoint can filter out unwanted audit records with the audit filter file, audit.cfg.

However, a TRACE event is not filtered when the filter uses the string as it appears in the audit log.

Question:

The customer omits some log records with audit.cfg, but he cannot omit the following record:

Execute argument:

ipconfig /ALL

audit.cfg:

TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*

Environment:
OS: Windows
Product: CA Privileged Identity Manager all for Endpoint
Answer:

This is the expected behavior.

The match function works by trying to match the string

EXECARGS: 'ipconfig'

against the filter pattern, with the following results:

1. *ipconfig* OK

2. 'ipconfig* NO MATCH

3. 'ipconfig* NO MATCH

4. EXECARGS*ipconfig*  NO MATCH

5. *EXECARGS*ipconfig OK

The main point is that the parameter has the following format:

EXECARGS: '<command>'

and the filter syntax must be written accordingly.

So, set the filter as follows:

TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*
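The following Python script is an added example for this article, not code from CA or from the product. It illustrates why the original filter line fails and the recommended one works: the last column of the filter is compared against the whole audited value in the format EXECARGS: '<command>', so a pattern anchored at the quote never lines up with the EXECARGS: prefix. The matcher is assumed to be a plain glob (only * as a wildcard, the pattern must cover the whole value, case-sensitive) and the record column order is assumed to mirror the filter line; both are assumptions, since the product's own matcher and record layout are not documented here, so only cases where a plain glob agrees with the article are exercised.

```python
import fnmatch

# Constructed sample TRACE record, laid out in the same column order as the
# audit.cfg filter line in the article. ASSUMPTION: the real record format is
# not shown on the page; only the first two and the last column matter here.
SAMPLE_RECORD = [
    "TRACE", "ARGS", "host1", "user1", "col5", "col6", "col7",
    "EXECARGS: 'ipconfig /ALL'",
]


def column_matches(pattern, value):
    """Glob-style comparison of one filter column against one record column.

    ASSUMPTION: '*' is the only wildcard, the pattern must cover the whole
    value (no implicit leading or trailing wildcard), and matching is
    case-sensitive. Python's fnmatchcase gives exactly these semantics.
    """
    return fnmatch.fnmatchcase(value, pattern)


def filter_matches(filter_line, record):
    """Return True when every column of a semicolon-separated audit.cfg line
    matches the corresponding column of the record."""
    columns = filter_line.rstrip().split(";")
    if len(columns) != len(record):
        # A filter with the wrong number of columns cannot describe the record.
        return False
    return all(column_matches(p, v) for p, v in zip(columns, record))


def evaluate(filter_lines, record=SAMPLE_RECORD):
    """Map each candidate filter line to whether it would match the record."""
    return {line: filter_matches(line, record) for line in filter_lines}


# Candidate filter lines: the one from the question, two reduced variants, and
# the one recommended in the answer.
CANDIDATES = [
    "TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*",   # from the question: no match
    "TRACE;ARGS;*;*;*;*;*;'ipconfig*",            # anchored at the quote: no match
    "TRACE;ARGS;*;*;*;*;*;*ipconfig*",            # leading wildcard: match
    "TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*",   # recommended filter: match
]

if __name__ == "__main__":
    for line, ok in evaluate(CANDIDATES).items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'}  {line}")
```

The first candidate fails for a subtle reason worth seeing in the output: the pattern reads EXECARGS:'ipconfig* with no space before the quote, while the audited value contains EXECARGS: 'ipconfig, so the characters after the colon diverge. Leading the last column with * sidesteps both the spacing and the quoting of the prefix, which is what the recommended filter does.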