about audit rule ?


Hi,
About Compliance Auditor ==> audit rule... I have 2 questions:
(1) I can only create/modify/copy a rule... but I could not delete a rule?
(2) If I set daily records... it only shows all records from yesterday... Could
I query all of today's records when I set daily? Because even when I set
hourly... I still could not see today's records. (After I modified the rule from
daily to hourly, I checked Compliance Auditor, and it still shows records from
yesterday.)


wyldkao



  • wyldkao,

    First, once you create a Compliance Auditor Rule, it cannot be deleted.
    This is by design. You can modify, but not delete.

    Second - If you have a Compliance Auditor Audit Rule properly configured
    (we have to match the criteria in the rule to pull in events), the next
    option is the frequency of running that Rule. If you choose hourly, it
    should run each hour, pulling in events that have happened since the
    last time the Rule was run. Look at the "Next Run" time, try changing that
    time to 2 or 3 minutes ahead of the time now, then watch the unifid.log
    (set Log settings to 'Info' and to 'Show all Tasks'). If you do, you
    should see something like this:

    Task secaudit runFilters (8ms)
    Info, Task secaudit runReports (2ms)
    Info, Task cmdctrl runReports (1ms)

    Secaudit = Compliance Auditor. The 'secaudit runFilters' task means
    we've run the configured Compliance Auditor Audit Rules and the events
    should show up in the Compliance Auditor soon, assuming that we matched
    events and pulled them in.

    It could be a refresh issue. Try going out of Compliance Auditor and back
    in after the rules have run.

    Hope this helps.


    wyldkao;236528 Wrote:
    > Hi,
    > About Compliance Auditor ==> audit rule... I have 2 questions:
    > (1) I can only create/modify/copy a rule... but I could not delete a rule?
    > (2) If I set daily records... it only shows all records from yesterday... Could
    > I query all of today's records when I set daily? Because even when I set
    > hourly... I still could not see today's records. (After I modified the rule from
    > daily to hourly, I checked Compliance Auditor, and it still shows records from
    > yesterday.)
    >
    >
    > wyldkao



    --
    deni