+

Search Tips   |   Advanced Search

AuditFilterCommands


Use Jython to configure the security auditing system with wsadmin. Use the commands and parameters in the AuditFilterCommands group to configure and manage auditable events.

Use the following commands to configure filters for auditable events in the security auditing configuration:

 

convertFilterRefToString

The convertFilterRefToString command converts a reference ID of a filter to a shortened string value such as AUTHN:SUCCESS.

Target object

None.

Required parameters

-filterRef

Specifies a reference ID for a specific audit filter in the audit.xml file. The system defines 4 default audit filters by default. Use the createAuditFilter command to create additional audit filters in the audit.xml configuration file. (String, required)

Return value The command returns the string value of an event type in a shortened format, as the following sample output displays: 

AUTHN:SUCCESS,AUTHN:INFO,AUTHZ:SUCCESS,AUTHZ:INFO

Batch mode example usage

Interactive mode example usage

 

convertFilterStringToRef

The convertFilterStringToRef command converts the shortened name of an event type, such as AUTHN:SUCCESS, to the reference ID of the audit filter in the audit.xml configuration file.

The command accepts one event and outcome pair. The command does not accept multiple event and outcome pairs, such as AUTHN:SUCCESS AUTHZ:SUCCESS.

Target object

None.

Required parameters

-filter

Shortened form of a reference ID for an audit filter, such as AUTHN:SUCCESS. The event type must exist in the security auditing system configuration. (String, required)

Return value The command returns the reference ID for the event type of interest, as the following example displays: 

AuditSpecification_1173199825608

Batch mode example usage

Interactive mode example usage

 

createAuditFilter

The createAuditFilter command creates and enables a new audit event filter spec entry in the audit.xml configuration file.

The user must have the auditor admin role to run this command.

Target object

None.

Required parameters

-name

Specifies a unique name to associate with the audit event filter. (String, required)

-eventType

List of one or more auditable events. To specify a list, separate each outcome with a comma (,) character. (String, required)Configure the following auditable events in the security auditing system:


Table 1. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_CONFIG Audits events related to configuration operations for a security server
SECURITY_MGMT_POLICY Audits events related to security policies, such as the creation of access control lists
SECURITY_MGMT_PROVISIONING Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events.
SECURITY_MGMT_RESOURCE Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file, a Web page.
SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
SECURITY_RUNTIME_KEY Audits events related to runtime operations for certificates such as expiration checks, and invalid certificates
SECURITY_MGMT_KEY Audits events related to management operations for certificates such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, monitoring changes to the keystore, truststore.
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_MGMT_REGISTRY Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes for users and groups. This event type is used to record changes by the administrator to user attributes such as address.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services
SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for Web services
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity

The following security audit event types are not used in this release of WAS but will be considered for use in a future release:

  • SECURITY_MGMT_KEY

  • SECURITY_RUNTIME_KEY

  • SECURITY_MGMT_PROVISIONING

  • SECURITY_MGMT_REGISTRY

  • SECURITY_RUNTIME

-outcome

List of one or multiple event outcomes. For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. (String, required)

Return value If the system is successful, the command returns the reference ID for the new audit event filter, as the following sample output displays: 

AuditSpecification_1184689433421

Batch mode example usage

Interactive mode example usage

 

deleteAuditFilter

The deleteAuditFilter command deletes the audit event filter specification from the audit.xml file that the system references by an event type and outcome.

The user must have the auditor admin role to run this command.

Target object

None.

Required parameters

-eventType

Auditable event to delete. (String, required)

The following table displays all valid event types:


Table 2. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_CONFIG Audits events related to configuration operations for a security server
SECURITY_MGMT_POLICY Audits events related to security policies, such as the creation of access control lists
SECURITY_MGMT_PROVISIONING Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events.
SECURITY_MGMT_RESOURCE Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file, a Web page.
SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
SECURITY_RUNTIME_KEY Audits events related to runtime operations for certificates such as expiration checks, and invalid certificates
SECURITY_MGMT_KEY Audits events related to management operations for certificates such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, monitoring changes to the keystore, truststore.
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_MGMT_REGISTRY Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes for users and groups. This event type is used to record changes by the administrator to user attributes such as address.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services
SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for Web services
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity

-outcome

Event outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. (String, required)

Return value

The command returns a value of true if the system successfully deletes the audit filter from the configuration.

Batch mode example usage

Interactive mode example usage

 

deleteAuditFilterByRef

The deleteAuditFilterByRef command deletes the audit filter that the system references by the referenced id.

The user must have the auditor admin role to run this command.

Target object

None.

Required parameters

-filterRef

Reference ID for an audit filter in the security auditing system configuration. (String, required)

Return value

The command returns a value of true if the system successfully deletes the audit filter spec from the audit.xml file.

Batch mode example usage

Interactive mode example usage

 

disableAuditFilter

The disableAuditFilter command disables the audit filter specification that corresponds to a specific reference id.

The user must have the auditor admin role to run this command.

Target object

None.

Required parameters

-filterRef

Specifies a reference ID for a specific audit filter in the audit.xml file. The system defines 4 default audit filters by default. Use the createAuditFilter command to create additional audit filters in the audit.xml configuration file. (String, required)

Return value

The command returns a value of true if the system successfully disables the audit filter.

Batch mode example usage

Interactive mode example usage

 

enableAuditFilter

The enableAuditFilter command enables the audit filter spec that corresponds to a specific reference id. Use this command to enable a filter that was previously configured and disabled in the security auditing system configuration. To create a new audit filter specification, use the creatAuditFilter command.

The user must have the auditor admin role to run this command.

Target object

None.

Required parameters

-filterRef

Specifies a reference ID for a specific audit filter in the audit.xml file. The system defines 4 default audit filters by default. Use the createAuditFilter command to create additional audit filters in the audit.xml configuration file. (String, required)

Return value

The command returns a value of true if the system successfully enables the audit filter.

Batch mode example usage

Interactive mode example usage

 

getAuditFilter

The getAuditFilter command retrieves the attributes that the system associates with the audit filter spec of interest.

The user must have the monitor admin role to run this command.

Target object

None.

Required parameters

-reference

Reference ID for an audit filter in the security auditing system configuration. (String, required)

Return value The command returns a list of attributes for the audit filter specification of interest, as the following sample output displays: 

{{enabled true}
{name DefaultAuditSpecification_1}
{event SECURITY_AUTHN SECURITY_AUTHN_MAPPING}
{outcome FAILURE}
{_Websphere_Config_Data_Id cells/Node04Cell|audit.xml#AuditSpecification_1173199825608}
{_Websphere_Config_Data_Type AuditSpecification}}

Batch mode example usage

Interactive mode example usage

 

getAuditOutcomes

The getAuditOutcomes command retrieves a list of the enabled outcomes for the auditable event type of interest.

The user must have the monitor admin role to run this command.

Target object

None.

Required parameters

-eventType

List of one or more auditable events. To specify a list, separate each outcome with a comma (,) character. (String, required)We can retrieve the event outcome for any of the following auditable events that might be configured in the security auditing system:


Table 3. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_CONFIG Audits events related to configuration operations for a security server
SECURITY_MGMT_POLICY Audits events related to security policies, such as the creation of access control lists
SECURITY_MGMT_PROVISIONING Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events.
SECURITY_MGMT_RESOURCE Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file, a Web page.
SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
SECURITY_RUNTIME_KEY Audits events related to runtime operations for certificates such as expiration checks, and invalid certificates
SECURITY_MGMT_KEY Audits events related to management operations for certificates such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, monitoring changes to the keystore, truststore.
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_MGMT_REGISTRY Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes for users and groups. This event type is used to record changes by the administrator to user attributes such as address.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services
SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for Web services
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity

Return value The command returns one or multiple outcomes for the event type of interest, as the following sample output displays: 

SUCCESS

Batch mode example usage

Interactive mode example usage

 

getSupportedAuditEvents

The getSupportedAuditEvents command returns a list of each supported auditable event.

The user must have the monitor admin role to run this command.

Target object

None.

Return value The command returns the following list of possible event outcomes: 

SECURITY_AUTHN SECURITY_AUTHN_CREDS_MODIFY SECURITY_AUTHN_DELEGATION SECURITY_AUTHN_MAPPING  SECURITY_AUTHN_TERMINATE SECURITY_AUTHZ  SECURITY_ENCRYPTION SECURITY_MGMT_AUDIT  SECURITY_MGMT_CONFIG SECURITY_MGMT_KEY  SECURITY_MGMT_POLICY SECURITY_MGMT_PROVISIONING  SECURITY_MGMT_REGISTRY SECURITY_MGMT_RESOURCE  SECURITY_RESOURCE_ACCESS SECURITY_RUNTIME  SECURITY_RUNTIME_KEY SECURITY_SIGNING

Batch mode example usage

Interactive mode example usage

 

getSupportedAuditOutcomes

The getSupportedAuditOutcomes command retrieves a list of each supported outcome for the auditable event filters.

The user must have the monitor admin role to run this command.

Target object

None.

Return value The command returns the following list of possible event outcomes: 

SUCCESS  INFO  WARNING  ERROR  DENIED  REDIRECT  FAILURE

Batch mode example usage

Interactive mode example usage

 

isAuditFilterEnabled

The isAuditFilterEnabled command determines if the audit filter of interest is enabled in the audit.xml configuration file.

The user must have the monitor admin role to run this command.

Target object

None.

Required parameters

-eventType

List of one or more auditable events. To specify a list, separate each outcome with a comma (,) character. (String, required)

The following auditable events might be configured in your security auditing system:


Table 4. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_CONFIG Audits events related to configuration operations for a security server
SECURITY_MGMT_POLICY Audits events related to security policies, such as the creation of access control lists
SECURITY_MGMT_PROVISIONING Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events.
SECURITY_MGMT_RESOURCE Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file, a Web page.
SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
SECURITY_RUNTIME_KEY Audits events related to runtime operations for certificates such as expiration checks, and invalid certificates
SECURITY_MGMT_KEY Audits events related to management operations for certificates such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, monitoring changes to the keystore, truststore.
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_MGMT_REGISTRY Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes for users and groups. This event type is used to record changes by the administrator to user attributes such as address.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services
SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for Web services
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity

-outcome

Event outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. (String, required)

Return value

The command returns a value of true if the event type of interest is enabled in the configuration.

Batch mode example usage

Interactive mode example usage

 

isEventEnabled

The isEventEnabled command determines if the system enabled at least one audit outcome for the event of interest.

The user must have the monitor admin role to run this command.

Target object

None.

Required parameters

-eventType

List of one or more auditable events. To specify a list, separate each outcome with a comma (,) character. (String, required)

The following auditable events are available to configure in the security auditing system:


Table 5. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_CONFIG Audits events related to configuration operations for a security server
SECURITY_MGMT_POLICY Audits events related to security policies, such as the creation of access control lists
SECURITY_MGMT_PROVISIONING Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events.
SECURITY_MGMT_RESOURCE Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file, a Web page.
SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
SECURITY_RUNTIME_KEY Audits events related to runtime operations for certificates such as expiration checks, and invalid certificates
SECURITY_MGMT_KEY Audits events related to management operations for certificates such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, monitoring changes to the keystore, truststore.
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_MGMT_REGISTRY Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes for users and groups. This event type is used to record changes by the administrator to user attributes such as address.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services
SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for Web services
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity

Return value

The command returns a value of true if the audit filter of interest has at least one outcome configured in the audit.xml file.

Batch mode example usage

Interactive mode example usage

 

listAuditFilters

The listAuditFilters command lists each audit filter and the corresponding attributes that the system defines in the audit.xml file.

The user must have the monitor admin role to run this command.

Target object

None.

Return value The command returns a list of audit filters and the corresponding attributes, as the following example displays: 

{{enabled true}
{name DefaultAuditSpecification_1}
{event SECURITY_AUTHN SECURITY_AUTHN_MAPPING}
{outcome FAILURE}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825608}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1173199825608}}
{{enabled true}
{name DefaultAuditSpecification_2}
{event {}}
{outcome FAILURE}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825609}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1173199825609}}
{{enabled true}
{name DefaultAuditSpecification_3}
{event SECURITY_RESOURCE_ACCESS}
{outcome FAILURE}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825610}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1173199825610}}
{{enabled true}
{name DefaultAuditSpecification_4}
{event SECURITY_AUTHN_TERMINATE}
{outcome FAILURE}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1173199825611}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1173199825611}}
{{enabled true}
{name myfilter}
{event SECURITY_AUTHZ}
{outcome REDIRECT}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184365235250}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1184365235250}}
{{enabled true}
{name myfilter1}
{event SECURITY_AUTHZ SECURITY_RESOURCE_ACCESS}
{outcome REDIRECT INFO}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184365353218}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1184365353218}}
{{enabled true}
{name myfilter}
{event SECURITY_AUTHN SECURITY_AUTHZ}
{outcome SUCCESS INFO}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184598886859}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1184598886859}}
{{enabled false}
{name myfilter}
{event SECURITY_MGMT_PROVISIONING SECURITY_MGMT_POLICY}
{outcome SUCCESS}
{_Websphere_Config_Data_Id cells/CHEYENNENode04Cell|audit.xml#AuditSpecification_1184689433421}
{_Websphere_Config_Data_Type AuditSpecification}
{filterRef AuditSpecification_1184689433421}}

Batch mode example usage

Interactive mode example usage

 

listAuditFiltersByEvent

The listAuditFiltersByEvent command retrieves a list of events and event outcomes for each audit filter configured in the audit.xml file.

The user must have the monitor admin role to run this command.

Target object

None.

Return value The command returns a list of events and event outcomes for the audit filters of interest, as the following sample output displays: 

{AuditSpecification_1173199825608 SECURITY_AUTHN:FAILURE}{AuditSpecification_117
3199825608 SECURITY_AUTHN_MAPPING:FAILURE}{AuditSpecification_1173199825610 SECU RITY_RESOURCE_ACCESS:FAILURE}{AuditSpecification_1173199825611 SECURITY_AUTHN_TE RMINATE:FAILURE}{AuditSpecification_1184365235250 SECURITY_AUTHZ:REDIRECT}{Audit Specification_1184365353218 SECURITY_AUTHZ:REDIRECT;SECURITY_AUTHZ:INFO}{AuditSp ecification_1184365353218 SECURITY_RESOURCE_ACCESS:REDIRECT;SECURITY_RESOURCE_AC CESS:INFO}{AuditSpecification_1184598886859 SECURITY_AUTHN:SUCCESS;SECURITY_AUTH N:INFO}{AuditSpecification_1184598886859 SECURITY_AUTHZ:SUCCESS;SECURITY_AUTHZ:I NFO}{AuditSpecification_1184689433421 SECURITY_MGMT_PROVISIONING:SUCCESS}{AuditS pecification_1184689433421 SECURITY_MGMT_POLICY:SUCCESS}

Batch mode example usage

Interactive mode example usage

 

listAuditFiltersByRef

The listAuditFiltersByRef command lists all reference ids that correspond to the audit filters defined in the audit.xml file.

The user must have the monitor admin role to run this command.

Target object

None.

Return value The command returns a list of each reference that exists in the audit.xml configuration file, as the following sample output displays: 

AuditSpecification_1173199825608 AuditSpecification_1173199825609 AuditSpecification_1173199825610 AuditSpecification_1173199825611  AuditSpecification_1184365235250 AuditSpecification_1184365353218  AuditSpecification_1184598886859 AuditSpecification_1184689433421

Batch mode example usage

Interactive mode example usage

 

modifyAuditFilter

The modifyAuditFilter command modifies the audit filter specification in the audit.xml configuration file.

The user must have the auditor admin role to run this command.

Target object

None.

Required parameters

-filterRef

Reference ID for the audit filter to modify in the security auditing system configuration. (String, required)

Optional parameters

-name

Specifies a unique name to associate with the audit event filter. (String, optional)

-eventType

comma-separated list of one or more event types. (String, optional)

-outcome

comma-separated list of one or multiple event outcomes. For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. (String, optional)

-enableFilter

Specifies whether to enable the filter. Specify true to enable the filter, or false to disable the filter. (Boolean, optional).

Return value

The command returns a value of true if the system successfully updates the audit filter.

Batch mode example usage

Interactive mode example usage




 

Related


AuditKeyStoreCommands
AuditEmitterCommands for AdminTask
AuditSigningCommands
AuditEncryptionCommands
AuditEventFactoryCommands for AdminTask
AuditNotificationCommands
AuditPolicyCommands
AuditEventFormatterCommands