Perform the following procedure to create a custom filter for the user access log to display only authentication related messages:
- To create a custom filter for the user access log files, go to System > Log/Monitoring > [Events | User Access | Admin Access | Sensors] > Filters and click New Filter:
On the subsequent screen set the Start Date and End Date for the query's period of interest and create the filter from the available variables. These variables use the PCS custom expression language; For more information, refer to the Writing Custom Expressions appendix in the PCS Administration Guide.
For example, to see all authentication log messages from March 2010 onwards, you can use a query of id="AUT*", which will show only authentication related log messages during the period specified; as shown in the following image:
- Click Save to create the filter. It will now be displayed in the View by filter drop-down menu option on the log pages. When selected, the filter details are displayed in the area above the log messages:
Now the view will only display authentication messages for the selected period.
Note: The filter only alters the log view with specific log messages based on filter results; the actual contents of the log is not deleted or altered. Filters are available only with the advanced license (available for all systems except the SA700; included with any user license starting in 6.2).
To restore the view, reset the filter to the Standard option.