Filters
Once the code points are identified and placed in the application server, all audit events corresponding to the code points will be logged in the audit trail file, irrespective of the outcome of these audit events. However, recording all audit events under all conditions may neither be practical nor necessary. Filters provide a means by which audit records are logged only when certain conditions are satisfied. The administrator defines filters using the DCE control program.
A filter is composed of filter guides that specify these conditions. Filter guides also specify what action to take if the condition (outcome) is met.
A filter answers the following questions:
· Who will be audited?
· What events will be audited?
· What should be the outcome of these events before an audit record is written?
· Will the audit record be logged in the audit trail file, or displayed on the system console, or both?
For example, for the bank server program, you can impose the following conditions before an audit record is written:
"Log audit records on all withdrawal transactions (the audit events) that fail because of access denial (outcome of the event) that are performed by all customers in the DCE cell (who to audit)."
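The bank-server condition above, worked through as a small Python model of filter evaluation. This is an added example, not DCE code or the DCE control program syntax: the class names, the `log`/`alarm` action labels, the outcome strings, the cell name and the principals are all assumptions, as is the rule that matching guides combine by union.

```python
from dataclasses import dataclass

LOG, ALARM = "log", "alarm"  # modelled actions: audit trail file / system console

@dataclass(frozen=True)
class Guide:
    event_classes: frozenset  # what events are audited
    conditions: frozenset     # outcomes that trigger the guide
    actions: frozenset        # LOG, ALARM, or both

@dataclass(frozen=True)
class Filter:
    subject_type: str         # "principal" or "cell" (who is audited)
    subject_key: str
    guides: tuple

@dataclass(frozen=True)
class Event:
    principal: str
    cell: str
    event_class: str
    outcome: str

def subject_matches(flt, ev):
    if flt.subject_type == "principal":
        return ev.principal == flt.subject_key
    if flt.subject_type == "cell":
        return ev.cell == flt.subject_key
    return False

def actions_for(filters, ev):
    """Union of the actions of every guide whose subject, event and outcome match."""
    actions = set()
    for flt in filters:
        if not subject_matches(flt, ev):
            continue
        for guide in flt.guides:
            if ev.event_class in guide.event_classes and ev.outcome in guide.conditions:
                actions |= guide.actions
    return actions

# Constructed sample data: the bank-server condition, plus a per-principal console alert.
BANK_CELL = "/.../bank_cell"
FILTERS = [
    Filter("cell", BANK_CELL, (Guide(frozenset({"withdrawal"}), frozenset({"denial"}), frozenset({LOG})),)),
    Filter("principal", "teller_admin", (Guide(frozenset({"withdrawal"}), frozenset({"denial"}), frozenset({ALARM})),)),
]
```

An empty result from `actions_for` means no audit record is written for that event; a result containing both labels corresponds to the "or both" case in the list above.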
More:
Filter Subject Identity
Filter Guides
Example of Filter Guides
Filter Rules
Example of Using Filter Rules