CA Privileged Identity Manager for Endpoint can filter unwanted audit records through the audit filter file, audit.cfg.
However, TRACE events are not filtered when the filter string is written the way one might expect from the audit log text.
A customer was able to omit some records with audit.cfg,
but could not omit the following record:
Execute argument:
ipconfig /ALL
audit.cfg:
TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*
This turns out to be correct behavior.
The match function works by trying to match the string
EXECARGS: 'ipconfig'
against the filter pattern, with the following results:
1. *ipconfig* OK
2. 'ipconfig* NO MATCH
3. 'ipconfig* NO MATCH
4. EXECARGS*ipconfig* NO MATCH
5. *EXECARGS*ipconfig OK
The main point is that the parameter is recorded in the following format:
EXECARGS: '<command>'
(note the space after the colon and the surrounding quotes), so the filter syntax must account for this.
Therefore, set the filter as follows:
TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*
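As an added illustration (not code from CA or from the original article), the following Python mimics the comparison with a simple '*' wildcard matcher and shows the customer's rule failing while the corrected rule succeeds; the wildcard semantics and the treatment of the last ';' field as the EXECARGS pattern are assumptions.

```python
# Added example (not part of the CA product or the original article): a
# minimal wildcard matcher used to show why the customer's audit.cfg filter
# misses the TRACE record and why the corrected filter catches it.
# Assumption: the last ';' field of a TRACE rule is compared against the
# record's "EXECARGS: '<command>'" value with '*'-style wildcard matching;
# the product's real matching routine is not shown in the article.

def wildcard_match(pattern: str, text: str) -> bool:
    """True if text matches pattern, where '*' stands for any run of characters."""
    parts = pattern.split("*")
    if len(parts) == 1:                      # no wildcard: exact comparison
        return pattern == text
    if not text.startswith(parts[0]) or not text.endswith(parts[-1]):
        return False
    pos = len(parts[0])                      # search region for the middle parts
    end = len(text) - len(parts[-1])
    for part in parts[1:-1]:                 # middle parts must appear in order
        idx = text.find(part, pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= end                        # prefix and suffix must not overlap


def execargs_rule_matches(rule: str, execargs_value: str) -> bool:
    """Apply one audit.cfg TRACE rule to a record's EXECARGS value.

    The rule is split on ';'; the last field holds the EXECARGS pattern
    (field layout as shown in the article; the other fields are not interpreted here).
    """
    fields = rule.split(";")
    return fields[0] == "TRACE" and wildcard_match(fields[-1], execargs_value)


# Sample value taken from the article: what the record holds for the ipconfig command.
RECORD_EXECARGS = "EXECARGS: 'ipconfig'"

CUSTOMER_RULE = "TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*"   # misses: no space after ':'
CORRECTED_RULE = "TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*"  # matches whatever separator is used

if __name__ == "__main__":
    for name, rule in (("customer", CUSTOMER_RULE), ("corrected", CORRECTED_RULE)):
        hit = execargs_rule_matches(rule, RECORD_EXECARGS)
        print(f"{name:9s} rule -> {'FILTERED' if hit else 'NOT filtered'}")
```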