OSF DCE Administration Guide--Core Components
43.4 Defining Event Classes
Individual audit events can be grouped together to form event classes. The event class
provides an efficient mechanism by which sets of events can be logically grouped and
selected using a single value.
DCE audit event classes are configurable. You can add or remove events of an existing
event class or define new event classes.
The ability to define local event classes is useful in simplifying the management of audit
services in multiple DCE applications. Administrators can design their own audit event
classes reflecting their security requirements and trail storage resource constraints.
Temporary event classes can also be created to track down security violations.
43.4.1 Steps in Defining an Event Class
To define an event class, follow these steps:
1. Obtain an event class number for the event class from your cell administrator. A
range of event class numbers should have been allocated to your organization by
OSF. If not, contact OSF.
2. Create an event class file in the dcelocal/etc/audit/ec directory. Edit the file as
follows:
a. Declare the event class number (ECN) by adding a line with the following
format:
ECN= event_class_number
b. Optionally, you can add a server event prefix (SEP) line in the file. The SEP
line contains the event number prefixes of each server. The event number
prefix is the lowest event number in each server. The SEP line has the
following format:
SEP= event_number1 event_number2 event_number3 ...
You can put the SEP line anywhere in the file. The SEP line speeds up the
scanning of audit clients by skipping irrelevant event class files.
c. From the application, obtain the event numbers for the code points that you
want to include in the event class.
d. Add the event numbers corresponding to the events that you want to include
in the event class, one number per line.
In the event class file, empty lines are ignored and comments are designated by a #
(number sign) preceding the comment text.
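The following parser is an added example, not part of the guide or of DCE itself; it reads an event class file in the format described in the steps above and reports lines that do not fit it, so a file can be checked before it is placed in the ec directory. It assumes numbers are written as decimal or 0x-prefixed hexadecimal and that a # starts a comment running to the end of the line; the function name, the sample file and its values are constructed for illustration, and the duplicate checks are lint choices of this example rather than rules stated by the guide.

```python
# Added example: linter for an audit event class file (ECN line, optional
# SEP line, one event number per line, '#' comments, empty lines ignored).
# Assumption: numbers are decimal or 0x-prefixed hexadecimal literals.

def parse_event_class(text):
    """Return (ecn, sep_prefixes, event_numbers, problems) for one file."""
    ecn, sep, events, problems = None, [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comment text
        if not line:
            continue                          # empty or comment-only line
        key, eq, value = line.partition("=")
        key = key.strip()
        try:
            if eq and key == "ECN":
                if ecn is not None:
                    problems.append(f"line {lineno}: duplicate ECN line")
                ecn = int(value.strip(), 0)
            elif eq and key == "SEP":
                sep.extend(int(tok, 0) for tok in value.split())
            elif eq:
                problems.append(f"line {lineno}: unknown keyword {key!r}")
            else:
                number = int(line, 0)
                if number in events:
                    problems.append(
                        f"line {lineno}: duplicate event number {number:#x}")
                else:
                    events.append(number)
        except ValueError:
            problems.append(f"line {lineno}: not a number: {line!r}")
    if ecn is None:
        problems.append("no ECN line found")
    return ecn, sep, events, problems

# Constructed sample file; every value in it is a placeholder.
SAMPLE = """\
# constructed sample event class file
ECN= 0x101
SEP= 0x100 0x200

0x101   # constructed event number
0x102
0x205
0x102
login
"""

if __name__ == "__main__":
    ecn, sep, events, problems = parse_event_class(SAMPLE)
    print(f"ECN={ecn:#x} SEP={[hex(p) for p in sep]} events={len(events)}")
    for problem in problems:
        print("problem:", problem)
```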
43 − 4 Tandem Computers Incorporated 124243