Events generated from a specific source machine can be audited using the Source Machine policy. This policy contains a set of DNS names or IP addresses of the source machines, and an action flag for each machine. The action for the event generated from the specific source machine will be executed based on the corresponding action flag.
To create and associate a Source Machine policy:
Select a container.
Click New > Object > New naasSourceMachinepolicy.
Add the DNS names or IP addresses of the source machine whose actions are to be audited with the appropriate action flag for each machine.
Make this policy applicable to appropriate audited objects.
Grant the appropriate Audit agent objects Read rights to this policy.
NOTE: For auditing events generated from specific source machines, an Event policy must also be present. In the Event policy, if the filter condition for any event is set to DON'T CARE or the action flag is set to IGNORE. The Source Machine policy will not be applied for that event, and the event will be audited irrespective of the source machine from which it was generated. The filtering condition should be set to either AND or OR for the event to be audited based on the corresponding source machine.