Setting Filters for Viewing Events

Filters determine which of the data logged in the audit trail is displayed. Users control what audit data they see by configuring and applying filters. The types of filters are filter sets, event filters, and data filters.

IMPORTANT:  You must be an Auditor to create and use filters. See Setting the User as Auditor for details.


Filter Sets

Filter sets allow the user to group event filters and data filters together.


Event Filters

Event filters filter the audit data based on the event name. Each event filter corresponds to an audited service. While creating a new event filter, you must specify the name of the Event Policy template that corresponds to the audited service.


Data Filters

Data filters filter the audit data based on the contents of the event data fields, such as the name of the user who generated the event, the machine on which the event was generated, the action taken by NAAS for an event, and the success code of the event. The types of data filters are:

Username Filters: Filter the audit data based on the name of the user who generated the event.

Source IP Filters: Filter the audit data based on the IP address of the machine from where the event was generated.

Target IP Filters: Filter the audit data based on the IP address of the machine on which the event was generated.

Action Taken Filters: Filter the audit data based on the action taken by NAAS for an event. The actions can be:

This filter must be specified numerically. Action = 1 means the event was logged, and Action = 2 means the event was logged and a real-time alert was also raised.

Success Code Filters: Filter the audit data based on the success code of the event. The success code for an event provides details on whether the event went through successfully or failed with some error code.


Creating Filters

  1. Select Filter from the NAAS menu. This will display a list of existing filters.

  2. Click New to create a new filter.

  3. Type the name of the filter.

  4. Select the filter type.

  5. If the filter type is Event Filter, browse or type the name of the event policy template that corresponds to an audited service.

  6. Click OK. An empty filter is created in the database and a new screen to set the properties for this filter is displayed.


Editing Filters

  1. Select Filter from the NAAS menu. This will display a list of existing filters.

  2. Select the filter to be edited and click Edit.

  3. Based on the type of filter, follow the steps below:

    Edit Filter Sets: Add or delete names of existing filters that are to be grouped together in the specific filter set.

    Editing Event Filters: Each event filter corresponds to some audited service. The edit screen displays the list of events exposed by that audited service. Turn on the events that are to be included in the audit report. For those events that are turned on, an appropriate filter condition should also be specified. The filter conditions are:

    The data filters will be applied to the particular event during audit report generation.

    Edit Data Filters: The properties of a data filter can be modified by changing the contents of the event data field corresponding to the data filter type.


Apply Filters during Report Generation

  1. From the NAAS menu, click Reports.

  2. In the Filters panel, select the filters required for generating the report. Multiple filters can be selected by pressing the Ctrl key.

  3. Click Enable Filters.

  4. Set all the other required conditions and click OK to apply the filter and generate the report. For more details on report generation, see Generating Audit Reports.

    If multiple filters are selected for report generation, they are applied as follows:

    Filter Type: One or more event filters
    Description: Each event filter is applied independently of other event filters; that is, an audit record will be included in the report if it satisfies any one of the specified event filters.

    Filter Type: One or more data filters along with event filters
    Description: Data filters are applied to each event based on the filtering condition set for that event in the event filter.

    • IGNORE: Ignores data filters.
    • AND: The audit record is included only if all the data filters are satisfied.
    • OR: The audit record is included if any one of the data filters is satisfied.

    Filter Type: Only data filters without event filters
    Description: The audit record is included in the report only if all the data filters are satisfied.

    Filter Type: A set of filters
    Description: The filters contained in the set are extracted and applied appropriately as described above, depending on whether they are event filters or data filters.
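
The combination rules above, modeled as an added example that is not NAAS code. The class names, field names, service names and sample records are assumptions made for illustration, and each data filter is simplified to one field compared against one value.

```python
from dataclasses import dataclass

@dataclass
class DataFilter:            # one event data field compared against one value
    field: str               # hypothetical field names, e.g. "username", "action"
    value: object

@dataclass
class EventFilter:           # corresponds to one audited service
    service: str
    events: dict             # turned-on event name -> "IGNORE" | "AND" | "OR"

@dataclass
class FilterSet:
    members: list

def flatten(filters):
    """Extract the event and data filters contained in any filter sets."""
    out = []
    for f in filters:
        out.extend(flatten(f.members) if isinstance(f, FilterSet) else [f])
    return out

def include(rec, filters):
    """Return True if the audit record belongs in the report."""
    flat = flatten(filters)
    event_filters = [f for f in flat if isinstance(f, EventFilter)]
    hits = [rec.get(f.field) == f.value for f in flat if isinstance(f, DataFilter)]
    if not event_filters:
        return all(hits)                 # data filters only: all must be satisfied
    for ef in event_filters:             # satisfying any one event filter is enough
        cond = ef.events.get(rec["event"]) if ef.service == rec["service"] else None
        if cond is None:
            continue                     # event not turned on in this filter
        # Assumption: with no data filters selected, AND/OR behave like IGNORE.
        if cond == "IGNORE" or not hits:
            return True
        if (cond == "AND" and all(hits)) or (cond == "OR" and any(hits)):
            return True
    return False

# Constructed sample records; action 2 = logged and a real-time alert raised.
RECORDS = [
    {"id": 1, "service": "directory", "event": "login", "username": "admin", "action": 2},
    {"id": 2, "service": "directory", "event": "login", "username": "jsmith", "action": 2},
    {"id": 3, "service": "directory", "event": "delete", "username": "jsmith", "action": 1},
    {"id": 4, "service": "filesystem", "event": "open", "username": "admin", "action": 1},
]

def report(filters):
    return [r["id"] for r in RECORDS if include(r, filters)]
```

Changing the condition on a single event from AND to OR can widen a report considerably, so it is worth checking the per-event condition before relying on a filtered report to show all records of interest.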