Create security auditing event type filters


Event type filters specify which types of auditable security events are recorded. Default event type filters are included with WAS ND, but you can also configure new event type filters so that the security auditing subsystem records only a subset of the auditable event types.

Before configuring security auditing filters and the rest of the security auditing subsystem, enable global security in the environment. You must be assigned the auditor role to complete this task. Event type filters determine which events are audited; the amount of data recorded for each event is set with the Enable verbose auditing check box on the same panel used to enable the auditing subsystem. Navigate to Security > Security auditing to enable security auditing and determine the data recorded for each event.

The appserver provides the following commonly used event type filters by default in the audit.xml template file:

| Name | Event name | Outcome of event |
| --- | --- | --- |
| DefaultAuditSpecification_1 | SECURITY_AUTHN | SUCCESS |
| DefaultAuditSpecification_2 | SECURITY_AUTHN | DENIED |
| DefaultAuditSpecification_3 | SECURITY_RESOURCE_ACCESS | SUCCESS |
| DefaultAuditSpecification_4 | SECURITY_AUTHN | REDIRECT |

New event type filters can be created, or the existing default filters can be extended, to capture more event types and outcomes. Use this task to create new event type filters.

 

  1. Click Security > Security Auditing > Event type filters > New.

  2. Enter the unique name that should be associated with this event type filter configuration in the Name field.

  3. Specify the events that should be recorded when this filter is applied:

    1. Select the events to be audited from the Selectable events list.

    2. Click Add >> to add the selected events to the Enabled events list.

    3. Select the outcomes to be audited from the Selectable event outcomes list.

    4. Click Add >> to add the selected outcomes to the Enabled event outcomes list.

  4. Click OK.
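
A planning aid for step 3, added here as an example and not taken from the product documentation: it expands the default filters from the table above into the (event, outcome) pairs they record, compares them with a required policy, and groups the gaps into new filters. It assumes a filter records every combination of its Enabled events and Enabled event outcomes; the `REQUIRED` policy, its `SECURITY_AUTHZ` entry and the `CustomAuditSpecification` names are constructed for illustration.

```python
from collections import defaultdict

# Default filters as listed in the table on this page: name -> (events, outcomes).
DEFAULT_FILTERS = {
    "DefaultAuditSpecification_1": ({"SECURITY_AUTHN"}, {"SUCCESS"}),
    "DefaultAuditSpecification_2": ({"SECURITY_AUTHN"}, {"DENIED"}),
    "DefaultAuditSpecification_3": ({"SECURITY_RESOURCE_ACCESS"}, {"SUCCESS"}),
    "DefaultAuditSpecification_4": ({"SECURITY_AUTHN"}, {"REDIRECT"}),
}

# Constructed sample policy (assumption): outcomes that must be audited per event type.
REQUIRED = {
    "SECURITY_AUTHN": {"SUCCESS", "DENIED", "REDIRECT"},
    "SECURITY_RESOURCE_ACCESS": {"SUCCESS", "DENIED"},
    "SECURITY_AUTHZ": {"DENIED"},
}


def covered_pairs(filters):
    """Expand every filter into the (event, outcome) pairs it records."""
    return {(e, o) for events, outcomes in filters.values() for e in events for o in outcomes}


def missing_pairs(filters, required):
    """Return the required (event, outcome) pairs that no existing filter records."""
    wanted = {(e, o) for e, outs in required.items() for o in outs}
    return wanted - covered_pairs(filters)


def plan_filters(filters, required, prefix="CustomAuditSpecification"):
    """Plan new filters whose events x outcomes product is exactly the missing pairs."""
    by_event = defaultdict(set)
    for event, outcome in missing_pairs(filters, required):
        by_event[event].add(outcome)
    # Events lacking the same outcome set can share one filter without over-collecting.
    by_outcomes = defaultdict(set)
    for event, outcomes in by_event.items():
        by_outcomes[frozenset(outcomes)].add(event)
    plan = {}
    groups = sorted(by_outcomes.items(), key=lambda kv: sorted(kv[1]))
    for i, (outcomes, events) in enumerate(groups, start=1):
        name = f"{prefix}_{i}"
        if name in filters:  # step 2 requires a unique filter name
            raise ValueError(f"filter name {name} is not unique")
        plan[name] = (sorted(events), sorted(outcomes))
    return plan


if __name__ == "__main__":
    for name, (events, outcomes) in plan_filters(DEFAULT_FILTERS, REQUIRED).items():
        print(name, "events:", events, "outcomes:", outcomes)
```

Each planned entry maps to one pass through steps 1 to 4: the name goes in the Name field, the events in the Enabled events list, and the outcomes in the Enabled event outcomes list.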

 

Results

The successful completion of this task results in the creation of an event type filter that can be selected by the audit service providers and audit event factories to gather and record a specific set of auditable security events.

 

Next steps

After creating an event type filter, the filter must be specified in the audit service provider and the audit event factory to be used to gather or report audit data. The next step in configuring the security auditing subsystem is to configure an audit service provider to define where the audit data will be archived.

