In UNIX defining a HOST class record with * allows to see records for all hosts. The same is required for Windows.
In windows, the following example, meant to audit all hosts, does not work
so class+(host) nr host * audit(all) auth host * service(*) access(all)
seaudit -a | findstr HOST produces no entry for the host class
However defining a specific terminal with the host class
nr host machine.domain.com audit(all) auth host machine.domain.com service(*) access(all) seaudit -a | findstr HOST
produces some output for the host defined previously:
11 Jan 2019 13:58:08 P HOST ms-wbt-server 153 3 machine.domains
In Linux/UNIX both examples work
Is it possible to use in windows the same host record definition as in unix (namely specifying a * entry) to see all audit records for all hosts ?
PIM 14 Windows all supported versions
No you cannot use the same command in unix and in windows.
In UNIX, * will work for the HOST class, but not in windows.
On Windows endpoint '*' char is used when creating GENERIC system resources (FILE, REGKEY, REGVAL). The rule creates protection in folder/registry and it's sub folders/registry values.
There is no logic in Windows endpoint to handle the use case when you create/update a rule using the '*' char in the RESOURCE name. It is interpreted as intending to change the existing rules on this class and hence it does not work as intended.
This is not a bug, but an implementation limitation of the Windows Endpoint.