Event type filters are used to specify the types of auditable
security events that are audited. Default event type filters are included
with the product, but you can also configure new event type filters
to specify a subset of auditable event types to be recorded by the
security auditing subsystem.
Before you begin
Before configuring security auditing filters and the rest
of the security auditing subsystem, enable global security in your
environment. You must be assigned the auditor role to complete this
task. Event type filters are used to specify what events are audited.
The amount of data that is recorded for each event is specified with
the Enable verbose auditing check box on the
same panel used to enable the auditing subsystem. Navigate to to enable security auditing and determine the data
recorded for each event.
About this task
The application server provides the following commonly used event type
filters by default in the audit.xml template file:

Table 1. Commonly used event type filters by default in the audit.xml template file

| Name | Event name | Outcome of event |
|---|---|---|
| DefaultAuditSpecification_1 | SECURITY_AUTHN | SUCCESS |
| DefaultAuditSpecification_2 | SECURITY_AUTHN | DENIED |
| DefaultAuditSpecification_3 | SECURITY_RESOURCE_ACCESS | SUCCESS |
| DefaultAuditSpecification_4 | SECURITY_AUTHN | REDIRECT |

New event type filters can be created, or the existing default
filters can be extended, to capture more event types and outcomes.
Use this task to create new event type filters.
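
To decide which events and outcomes a new filter needs, compare the default filters in Table 1 with the event and outcome pairs you must record. The following Python sketch is an added example, not product code: the `REQUIRED` set and the `CustomAuditSpecification` name prefix are constructed for illustration, and it assumes a filter audits every enabled event combined with every enabled outcome.

```python
from collections import defaultdict

# Default filters from Table 1: name -> (enabled events, enabled outcomes).
DEFAULT_FILTERS = {
    "DefaultAuditSpecification_1": ({"SECURITY_AUTHN"}, {"SUCCESS"}),
    "DefaultAuditSpecification_2": ({"SECURITY_AUTHN"}, {"DENIED"}),
    "DefaultAuditSpecification_3": ({"SECURITY_RESOURCE_ACCESS"}, {"SUCCESS"}),
    "DefaultAuditSpecification_4": ({"SECURITY_AUTHN"}, {"REDIRECT"}),
}

# Constructed requirement (an assumption for this example): record both
# successful and denied attempts for authentication and resource access.
REQUIRED = {
    ("SECURITY_AUTHN", "SUCCESS"),
    ("SECURITY_AUTHN", "DENIED"),
    ("SECURITY_RESOURCE_ACCESS", "SUCCESS"),
    ("SECURITY_RESOURCE_ACCESS", "DENIED"),
}

def covered_pairs(filters):
    """Assumption: a filter records each enabled event with each enabled outcome."""
    return {(e, o) for events, outcomes in filters.values()
            for e in events for o in outcomes}

def coverage_gaps(filters, required):
    """Return the required (event, outcome) pairs that no filter records."""
    return required - covered_pairs(filters)

def propose_filters(gaps, prefix="CustomAuditSpecification"):
    """Group missing pairs so each proposed filter covers exactly the gap.

    Events that miss the same set of outcomes share one filter, so the
    events x outcomes product never enables a pair that was not requested.
    """
    outcomes_by_event = defaultdict(set)
    for event, outcome in gaps:
        outcomes_by_event[event].add(outcome)
    events_by_outcomes = defaultdict(set)
    for event, outcomes in outcomes_by_event.items():
        events_by_outcomes[frozenset(outcomes)].add(event)
    ordered = sorted(events_by_outcomes.items(), key=lambda kv: sorted(kv[1]))
    return {f"{prefix}_{i}": (set(events), set(outcomes))
            for i, (outcomes, events) in enumerate(ordered, start=1)}

if __name__ == "__main__":
    missing = coverage_gaps(DEFAULT_FILTERS, REQUIRED)
    print("Not recorded by the defaults:", sorted(missing))
    for name, (events, outcomes) in propose_filters(missing).items():
        print(name, sorted(events), sorted(outcomes))
```

Each proposed entry maps directly to the Name field, the Enabled events list, and the Enabled event outcomes list in the procedure.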
Procedure
- Click Security > Security Auditing > Event type
filters > New.
- Enter the unique name that should be associated with this
event type filter configuration in the Name field.
- Specify the events that should be recorded when this filter
is applied:
  - Select the events that you want to be audited from the
  Selectable events list.
  - Click Add >> to add the selected events
  to the Enabled events list.
  - Select the outcomes that you want to be audited from
  the Selectable event outcomes list.
  - Click Add >> to add the selected outcomes
  to the Enabled event outcomes list.
- Click OK.
Results
The successful completion of this task results in the creation
of an event type filter that can be selected by the audit service
providers and audit event factories to gather and record a specific
set of auditable security events.
What to do next
After creating an event type filter, the filter must be specified
in the audit service provider and the audit event factory to be used
to gather or report audit data. The next step in configuring the security
auditing subsystem is to configure an audit service provider
to define where the audit data will be archived.