TRACE log cannot filter with audit.cfg

Article ID: 15521
Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)

Issue/Introduction

CA Privileged Identity Manager for Endpoint can suppress unwanted audit records through the audit filter file, audit.cfg.

However, a TRACE event is not filtered when the rule's last field is used to match a string in the audit log.



The customer omits some records with audit.cfg, but cannot omit the following record:

Executed command:

ipconfig /ALL

audit.cfg rule:

TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*

Environment

OS: Windows
Product: CA Privileged Identity Manager for Endpoint, all releases

Resolution

This is the expected behavior.

The match function works by trying to match the audited string

EXECARGS: 'ipconfig'

against the pattern in the rule. For the patterns below the results are:

1. *ipconfig* OK

2. 'ipconfig* NO MATCH

3. 'ipconfig* NO MATCH

4. EXECARGS*ipconfig* NO MATCH

5. *EXECARGS*ipconfig OK

 

The main point is that the audited parameter has the following format:

EXECARGS: '<command>'

and the filter pattern has to account for that prefix.

Therefore, set the filter as follows:

TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*
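The following is an added illustration, not part of this article or of the product: it renders the audited argument field in the `EXECARGS: '<command>'` format described above, pulls the pattern out of the last `;`-separated field of an audit.cfg rule, and shows that the customer's rule never matches while the recommended `*EXECARGS*ipconfig*` rule does, including for the actual `ipconfig /ALL` invocation. Python's shell-style `fnmatch` stands in for the product's wildcard matcher, which is an assumption; the article's own cases 4 and 5 show the real matcher is not plain glob (case 4 would match under glob), so the one safe conclusion shared by both is that a pattern without a leading `*` is anchored to the start of the field and must be written as the article recommends.

```python
"""Added example: why the TRACE rule in audit.cfg did not match.

Assumption (not from the article): the product's wildcard matcher is
modelled with Python's fnmatch. The real matcher is undocumented here.
"""
from fnmatch import fnmatchcase


def audited_value(command: str) -> str:
    """Render the argument field in the format the article says is audited."""
    return f"EXECARGS: '{command}'"


def rule_pattern(audit_cfg_line: str) -> str:
    """Return the wildcard pattern of an audit.cfg rule: its last ;-separated field.

    Assumption: fields are separated by ';' exactly as the rules in the article show.
    """
    return audit_cfg_line.strip().split(";")[-1]


def pattern_matches(pattern: str, command: str) -> bool:
    """True if the pattern filters the audit record produced for `command`."""
    return fnmatchcase(audited_value(command), pattern)


def rule_matches(audit_cfg_line: str, command: str) -> bool:
    """True if the whole audit.cfg rule would filter the record for `command`."""
    return pattern_matches(rule_pattern(audit_cfg_line), command)


# Rules taken from the article: the customer's original and the recommended form.
CUSTOMER_RULE = "TRACE;ARGS;*;*;*;*;*;EXECARGS:'ipconfig*"
RECOMMENDED_RULE = "TRACE;ARGS;*;*;*;*;*;*EXECARGS*ipconfig*"

if __name__ == "__main__":
    command = "ipconfig /ALL"  # the command executed in the article
    print("audited field:", audited_value(command))
    for rule in (CUSTOMER_RULE, RECOMMENDED_RULE):
        print(f"{rule_pattern(rule):22} -> {'filtered' if rule_matches(rule, command) else 'NOT filtered'}")
```

Running the block prints the audited field and one line per rule; only the recommended rule reports the record as filtered.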