Creating an event filter profile
To create an event filter profile:
- Go to Secret Settings > Event Filter Profile.
- In Event Filter Profile, select Create.
  The New Event filter profile window opens.
- Enter the following information:
  - Name: Name of the event filter profile.
  - Process Log: Monitor/skip the process log (default = Monitor).
  - Filesystem Log: Monitor/skip the file system event log (default = Monitor).
  - User Management Log: Monitor/skip the user management event log (default = Monitor).
- Click Submit.
Event filter profile via the CLI Example
- In the CLI console, use the following commands to configure the event filter profile:
    config secret event-filter-profile
        edit "default_app_log"
            set process-log {enable | disable} #Enable/disable pulling activity log
            set filesystem-log {enable | disable} #Enable/disable pulling activity log
            set user-management {enable | disable} #Enable/disable pulling activity log
        next
    end
- In the CLI console, use the following commands to enable or disable the event filter for the policy or secret.
    config secret policy
        edit default
            set event-filter {not-set | disable | enable}
            set event-filter-profile "default_app_log"
        end
    end
    config secret database
        edit sec_1
            set event-filter {not-set | disable | enable}
            set event-filter-profile "default_app_log"
        end
    end
- The launched secret requires a target with a privileged account with WinRM (Windows remote management) privilege. Enable or disable winrm-https in the secret target using the following CLI commands:
    config secret target
        edit "3-84-141-197"
            set class "Other"
            set template "Windows Domain Account"
            set address "ec2-3-84-141-197.compute-1.amazonaws.com"
            set creation-time 2023-10-12 11:28:57
            set winrm-https {enable | disable} #Enable
            set access customized
            config user-permission
                edit 1
                    set user-name "admin"
                    set permission owner
                next
            end
            set web-proxy-status disable
        next
    end
For information on WinRM configuration for Windows server, see Appendix L: WinRM configuration for Windows server.
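As an added example, not part of the FortiPAM documentation, the following Python script parses configuration text in the config/edit/set syntax shown above and lists secrets whose event filter is enabled but points to an undefined profile or to a profile with a log type disabled, plus targets where winrm-https is not enabled. The sample configuration, the target name win-target-1 and the functions parse and audit are constructed for illustration; it assumes the configuration is available as plain text in this syntax.

```python
import shlex
# Constructed sample in the CLI syntax shown above; the target name is made up.
SAMPLE = """
config secret event-filter-profile
    edit "default_app_log"
        set process-log enable
        set filesystem-log disable
    next
end
config secret database
    edit sec_1
        set event-filter enable
        set event-filter-profile "default_app_log"
    next
end
config secret target
    edit "win-target-1"
        set winrm-https disable
    next
end
"""

def parse(text):
    """Turn config/edit/set/next/end lines into nested dicts."""
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line, comments=True) or [""]  # drops "#..." comments
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()  # each closer leaves one nesting level
    return stack[0]

def audit(cfg):
    """Return (object, issue) pairs that would leave event logs uncollected."""
    profiles, out = cfg.get("secret event-filter-profile", {}), []
    for name, sec in cfg.get("secret database", {}).items():
        if sec.get("event-filter") != "enable":
            continue
        prof = profiles.get(sec.get("event-filter-profile"))
        if prof is None:
            out.append((name, "event-filter-profile not defined"))
            continue
        out += [(name, k + " disabled") for k, v in prof.items() if v == "disable"]
    out += [(t, "winrm-https not enabled") for t, v in cfg.get("secret target", {}).items()
            if v.get("winrm-https") != "enable"]
    return out
```

Calling `audit(parse(SAMPLE))` returns one finding for sec_1 (filesystem-log disabled in its profile) and one for win-target-1.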
Limitations
The RDP log retrieval feature currently works only on RDP sessions proxied by FortiPAM with video recording enabled.