
Create security auditing event type filters

Event type filters are used to specify the types of auditable security events that are audited. Default event type filters are included with the product, but we can also configure new event type filters to specify a subset of auditable event types to be recorded by the security auditing subsystem.

Before configuring security auditing filters and the rest of the security auditing subsystem, enable global security in the environment. We must be assigned the auditor role to complete this task. Event type filters specify which events are audited; the amount of data recorded for each event is set with the Enable verbose auditing check box, on the same panel used to enable the auditing subsystem. Navigate to Security > Security auditing to enable security auditing and determine the data recorded for each event.

Name                          Event name                  Outcome of event
DefaultAuditSpecification_1   SECURITY_AUTHN              SUCCESS
DefaultAuditSpecification_2   SECURITY_AUTHN              DENIED
DefaultAuditSpecification_3   SECURITY_RESOURCE_ACCESS    SUCCESS
DefaultAuditSpecification_4   SECURITY_AUTHN              REDIRECT

New event type filters can be created, or the existing default filters can be extended, to capture more event types and outcomes. Create new event type filters.


Configure event type filters

  1. Click...

  2. Click New

  3. Enter the unique name that should be associated with this event type filter configuration in the Name field.

  4. Specify the events that should be recorded when this filter is applied:

    1. Select the events to be audited from the Selectable events list.

    2. Click Add >> to add the selected events to the Enabled events list.

    3. Select the outcomes to be audited from the Selectable event outcomes list.

    4. Click Add >> to add the selected outcomes to the Enabled event outcomes list.

  5. Click OK.

The successful completion of this task results in the creation of an event type filter that can be selected by the audit service providers and audit event factories to gather and record a specific set of auditable security events.
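The following is an added example, not part of the product documentation or the product's own code. It models the default filters listed above and reviews a proposed filter before it is entered in the console, reporting which event/outcome pairs it newly records and which it records beyond a stated requirement. It assumes that all default filters are enabled and that a filter records every combination of its Enabled events and Enabled event outcomes lists; the filter name ResourceAccessDenied and the REQUIRED set are constructed for illustration.

```python
from itertools import product

# The four default filters from the table above: name -> (events, outcomes).
DEFAULT_FILTERS = {
    "DefaultAuditSpecification_1": ({"SECURITY_AUTHN"}, {"SUCCESS"}),
    "DefaultAuditSpecification_2": ({"SECURITY_AUTHN"}, {"DENIED"}),
    "DefaultAuditSpecification_3": ({"SECURITY_RESOURCE_ACCESS"}, {"SUCCESS"}),
    "DefaultAuditSpecification_4": ({"SECURITY_AUTHN"}, {"REDIRECT"}),
}

# Constructed audit requirement: (event name, outcome) pairs that must be recorded.
REQUIRED = {
    ("SECURITY_AUTHN", "SUCCESS"),
    ("SECURITY_AUTHN", "DENIED"),
    ("SECURITY_RESOURCE_ACCESS", "SUCCESS"),
    ("SECURITY_RESOURCE_ACCESS", "DENIED"),
}


def covered_pairs(filters):
    """Return every (event, outcome) pair recorded by at least one filter.

    Assumption: a filter records the cross product of its two lists.
    """
    pairs = set()
    for events, outcomes in filters.values():
        pairs.update(product(events, outcomes))
    return pairs


def review_new_filter(existing, name, events, outcomes, required):
    """Review a proposed filter against the existing ones and a requirement."""
    if name in existing:
        # Step 3 of the procedure asks for a unique name.
        raise ValueError("filter name must be unique: %s" % name)
    before = covered_pairs(existing)
    after = covered_pairs({**existing, name: (set(events), set(outcomes))})
    added = after - before
    return {
        "newly_covered": sorted(added),
        "still_missing": sorted(set(required) - after),
        "beyond_requirement": sorted(added - set(required)),
    }


if __name__ == "__main__":
    print("gap with defaults only:", sorted(REQUIRED - covered_pairs(DEFAULT_FILTERS)))
    print(review_new_filter(DEFAULT_FILTERS, "ResourceAccessDenied",
                            ["SECURITY_RESOURCE_ACCESS"], ["DENIED", "REDIRECT"], REQUIRED))
```

Under the stated assumption, adding REDIRECT to the outcomes list widens what the filter records past the requirement, which is reported under beyond_requirement.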


What to do next

After creating an event type filter, the filter must be specified in the audit service provider and the audit event factory to be used to gather or report audit data. The next step in configuring the security auditing subsystem is to configure an audit service provider to define where the audit data will be archived.


Subtopics


  • Auditing the security infrastructure
  • Configure auditable events using scripting
  • Configure the default audit service providers for security auditing