eTrust Audit Reference Guide - CA Technologies
unicenter
The unicenter action tells the Action Manager to send events to the local
Unicenter agent (installed on the eTrust Audit host that performs the action)
for forwarding to the Unicenter Event Management Console on the specified
host as shown in the following example:
Action unicenter; systema
In the example, the Action Manager sends events to the Unicenter Event
Management Console on systema.
Note: Status codes from eTrust Access Control are translated to their generic
equivalents. In the Unicenter Event Management Console, events display
color codes and status icons. The Unicenter Event Management Agent must
be installed on the host where the Action Manager runs.
Recorder Configuration File
In the recorder configuration file, each line (other than comment lines) provides
criteria for bringing audit records into the local audit file from Windows. A
record is admitted and handled by eTrust Audit if it matches the criteria of any
line in the file. If the record does not match any line, eTrust Audit ignores
the record. The file is selogrec.cfg in the audit\etc directory, where audit is the
directory in which you installed eTrust Audit. This file defines which NT logs
will be read, according to the client.
The format is explained in the following example. Use commas as delimiters
within the three-part resource specification (source, event category, event ID).
This is different from the semicolons that are used as delimiters elsewhere. The
file is case-sensitive.
You can select the way to filter the events that are recorded by using the
following mask:
;;;
For example:
NT-Security;Security,Detailed Tracking,593;jerry;S
The default values, which can be selected during installation, are:
■ NT-System;*;*;*
■ NT-Security;*;*;*
■ NT-Application;*;*;*
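The matching rule described above (a record is admitted if it matches any line, compared case-sensitively) can be checked offline with a small parser. This is an added example, not code from the guide or from CA. It assumes that "#" starts a comment line, that "*" matches any value, and that the third and fourth fields are a user name and a status, none of which this page states.

```python
from typing import NamedTuple, Optional

WILDCARD = "*"  # assumed to mean "match anything", as the default lines suggest


class Rule(NamedTuple):
    log: str       # first field, e.g. NT-Security
    source: str    # resource part 1
    category: str  # resource part 2 (event category)
    event_id: str  # resource part 3
    user: str      # assumed meaning of the third field ("jerry" in the example)
    status: str    # assumed meaning of the fourth field ("S" in the example)


def parse_rule(line: str, comment_prefix: str = "#") -> Optional[Rule]:
    """Parse one line; the comment prefix is an assumption, not from the guide."""
    text = line.strip()
    if not text or text.startswith(comment_prefix):
        return None
    fields = [f.strip() for f in text.split(";")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 semicolon-delimited fields: {line!r}")
    log, resource, user, status = fields
    # A bare "*" resource (as in the defaults) stands for all three parts.
    parts = [WILDCARD] * 3 if resource == WILDCARD else [p.strip() for p in resource.split(",")]
    if len(parts) != 3:
        raise ValueError(f"resource needs source,category,event ID: {line!r}")
    return Rule(log, *parts, user, status)


def matches(rule: Rule, record: Rule) -> bool:
    """Exact, case-sensitive comparison per field, with "*" matching any value."""
    return all(want in (WILDCARD, got) for want, got in zip(rule, record))


def admitted(config_text: str, record: Rule) -> bool:
    """A record is admitted if it matches any line; otherwise it is ignored."""
    rules = [r for r in map(parse_rule, config_text.splitlines()) if r is not None]
    return any(matches(rule, record) for rule in rules)


# Constructed sample: the guide's example line plus one of its defaults.
SAMPLE_CFG = """\
# constructed sample selogrec.cfg
NT-Security;Security,Detailed Tracking,593;jerry;S
NT-System;*;*;*
"""

if __name__ == "__main__":
    rec = Rule("NT-Security", "Security", "Detailed Tracking", "593", "Jerry", "S")
    print(admitted(SAMPLE_CFG, rec))  # "Jerry" != "jerry": not admitted
```

Running a sample of expected events through such a check before deploying a trimmed selogrec.cfg shows which records would be silently ignored.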