TRACE log cannot filter with audit.cfg

Article Id: 15521

Status: Published

Updated On: 14-02-2018 07:50

Legacy Id: TEC1856892

Products:

CA Virtual Privilege Manager , CA Privileged Identity Management Endpoint (PIM) , CA Privileged Access Manager (PAM)

Issue/Introduction:

CA Privileged Identity Manager for Endpoint can be filtered unexpected audit record by audit filter, audit.cfg.

But TRACE event is not filter with strings in audit log.

Customer omit some log with audit.cfg.

But he cannot omit the login as following:

Execute argument:

ipconfig /ALL

audit.cfg:

TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*

Environment:

OS: Windows Product: CA Privileged Identity Manager all for Endpoint

Resolution:

It seems to be correct behavior.

Match function works in such way that it tries to match string

EXECARGS: 'ipconfig'

with

1. *ipconfig* OK

2. 'ipconfig* NO MATCH

3. 'ipconfig* NO MATCH

4. EXECARGS*ipconfig* NO MATCH

5. *EXECARGS*ipconfig OK

The main point here is that we have parameter in the following format:

EXECARGS: '<command>'

and the filter syntax should be accordingly.

So, you set filter as following:

TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*