Anonymous_User Absent Member.
Absent Member.
602 views

about audit rule ?


HI
about compliance auditor==>audit rule...I have 2 question:
(1)If I only create /modify/copy rule..but I could not delete a rule ?
(2)If I set daily records...it only show all records yesterday...If I
could query all today record when I set daily ?Because I even set
hourly...I still cold not see today record.(after I modify reule from
daily to hourly, I check compliance auditor, it still show records
yesterday)


wyldkao


--
wyldkao
------------------------------------------------------------------------
wyldkao's Profile: https://forums.netiq.com/member.php?userid=1688
View this thread: https://forums.netiq.com/showthread.php?t=49155

0 Likes
1 Reply
Anonymous_User Absent Member.
Absent Member.

Re: about audit rule ?


wylkado,

First, once you create a Compliance Auditor Rule, it can not be delete.
This is by design. You can modify, but not delete.

Second - If you have Compliance Auditor Audit Rule properly configured,
(we have to match the criteria in the rule to pull in events), the next
option is the frequency of running that Rule. If you choose hourly, it
should run each hour, pulling in events that have happened since the
last time the Rule was run. Look at "Next Run" time, try changing that
time to 2 or 3 minutes ahead of the time now, then watch the unifid.log
(Set Log settings to 'Info' and to 'Show all Tasks'. If you do you
should see something like this:

Task secaudit runFilters (8ms)
Info, Task secaudit runReports (2ms)
Info, Task cmdctrl runReports (1ms)

Secaudit = Compliance Auditor. The 'secaudit runFilters' task means
we've run the configured Compliance Auditor Audit Rules and the events
should show up in the Compliance Auditor soon, assuming that we matched
events and pulled them in.

It could be a refresh issue. Try going out Compliance Auditor and back
in after the rules ran.

Hope this helps.


wyldkao;236528 Wrote:
> HI
> about compliance auditor==>audit rule...I have 2 question:
> (1)If I only create /modify/copy rule..but I could not delete a rule ?
> (2)If I set daily records...it only show all records yesterday...If I
> could query all today record when I set daily ?Because I even set
> hourly...I still cold not see today record.(after I modify reule from
> daily to hourly, I check compliance auditor, it still show records
> yesterday)
>
>
> wyldkao



--
deni
------------------------------------------------------------------------
deni's Profile: https://forums.netiq.com/member.php?userid=1793
View this thread: https://forums.netiq.com/showthread.php?t=49155

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.