Filters are used for filtering the data logged in the audit trail. Users can control what audit data is displayed to them by configuring and applying filters. The types of filters are:
IMPORTANT: You need to be an auditor to create and use filters. See Setting the User As Auditor for details.
Filter sets allow the user to group event filters and data filters together.
Event filters filter the audit data based on the event name. Each event filter corresponds to an audited service.While creating a new event filter, you must specify the name of the Event Policy template that corresponds to the audited service.
Data filters filter the audit data based on the contents of the event data fields, such as the name of the user who generated the event, the machine on which the event was generated, the action taken by NAAS for an event, and the success code of the event. The types of data filters are:
Username Filters: Filter the audit data based on the name of the user who perpetrated the event.
Source IP Filters: Filter the audit data based on the IP address of the machine from where the event was generated.
Target IP Filters: Filter the audit data based on the IP address of the machine on which the event was generated.
Action Taken Filters: Filter the audit data based on the action taken by NAAS for an event. The actions can be:
This filter must be specified numerically. Action = 1 means the event is logged and Action = 2 means the event was logged and a real-time alert was also raised.
Success Code Filters: Filters the audit data based on the success code of the event. The success code for an event provides details on whether the event went through successfully or failed with some error code.
Select Filter from the NAAS menu. This will display a list of existing filters.
Click New to create a new filter.
Type the name of the filter.
Select the filter type.
If the filter type is Event Filter, browse or type the name of the event policy template that corresponds to an audited service.
Click OK. An empty filter is created in the database and a new screen to set the properties for this filter is displayed.
Select Filter from NAAS menu. This will display a list of existing filters.
Select the filter to be edited > click Edit.
Based on the type of filter, follow the steps below:
Edit Filter Sets: Add or delete names of existing filters that are to be grouped together in the specific filter set.
Editing Event Filters: Each event filter corresponds to some audited service. The edit screen displays the list of events exposed by that audited service. Turn on the events that are to be included in the audit report. For those events that are turned on, an appropriate filter condition should also be specified. The filter conditions are:
The data filters will be applied to the particular event during audit report generation.
Edit Data Filters: The properties of a data filter can be modified by changing the contents of the event data field corresponding to the data filter type.
IMPORTANT: The FDNs should be in lowercase.
From the NAAS menu, click Reports.
In the Filters panel, select the filters required for generating the report. Multiple filters can be selected by pressing the Ctrl key.
Click Enable Filters.
Set all the other required conditions > click OK to apply the filter and generate the report. For more details on report generation, see Generating Audit Reports.
If multiple filters are selected for report generation, they are applied as follows: