Endpoint Local Filters screen

Use this screen to configure Endpoint Local Filters (ELFs), which allow you to filter the Endpoints themselves in order to eliminate unwanted or unnecessary data retrieval. See Configuring Endpoint Local Filters.

Actual filtering is done as a byte-by-byte comparison of a number of bytes at offsets into 'entry specific data'. Multiple comparisons can be made to give results either as AND or OR conditions.

How to Get There

Enter the following command from the command line:

CALL PTCMT3/SETLCLFTR

Field Descriptions

FTRCODE: Filters can be created for combinations of journal code and entry type. Security entries in the QAUDJRN audit journal will always have journal code T.

FTRTYPE: Entry types are related to the security event that triggers the journal entry. Possible types are:

  • CA for a Change Authority event
  • CO for a Create Object event
  • AF for Authority Failure

There can be many other types. If no filters exist at all for a code/type combination, those entries will be passed by default.

FTRFTRID: For a given code/type combination, up to 99 filters can be defined. Filters are identified within a code/type by a Filter ID number. For each of those Filter IDs, up to 99 'parts' can be defined.

FTRFTRSEQ: Each 'part' of a given filter is identified by a Filter Sequence Number, and all 'parts' will be combined with all other 'parts' for the same filter.

If filters exist for a code/type combination, all 'parts' must be true for a given filter ID to pass an entry. Each Filter ID for the entry’s code/type combination will be tested until one is found that passes the entry or until the last filter ID for that code/type has been tested. If no filter matches, that journal entry will not be passed to the Consolidator.

The following five fields are the attributes of each Filter 'part':

FTRTESTTYPE: [This field is for internal/development use only].

FTRSLTOMT: Select/Omit may have the value '0' or '1'. It is used to provide for negation.

0=Omit

1=Include

That is, when the attribute is '1', the test value must match the entry; when it is '0', the test value must NOT match the entry.

FTROFFSET: Offset specifies the beginning position in the 'entry specific data'. The offset for the type can be referenced in the IBM i documentation for your system version (e.g. http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzarl/rzarllayout.htm for 7.1).

FTRLEN: Length specifies how many bytes are to be tested beginning at the Offset.

FTRTSTVAL: Test Value is the actual value to compare against the journal entry.
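
The evaluation rules described above (parts of one Filter ID are ANDed, Filter IDs are tried until one passes, and a code/type with no filters passes by default) can be modeled as follows. This is an added illustration, not the product's own code. Assumptions: FTROFFSET is treated as a 1-based position, the names Part, passes and esd are hypothetical, and the entry layout and ASCII sample bytes are constructed (real entries follow the IBM i layout for the entry type and the system's own encoding).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Part:
    """One filter 'part'. FTRTESTTYPE is left out (internal use only)."""
    select: str    # FTRSLTOMT: '1' = must match, '0' = must NOT match
    offset: int    # FTROFFSET: assumed 1-based position in entry specific data
    length: int    # FTRLEN: number of bytes to test
    value: bytes   # FTRTSTVAL: bytes to compare against

    def holds(self, esd):
        start = self.offset - 1
        window = esd[start:start + self.length]
        # Assumption: an entry too short to supply FTRLEN bytes never matches.
        matched = len(window) == self.length and window == self.value
        return matched if self.select == "1" else not matched

def passes(filters, code, entry_type, esd):
    """filters maps (FTRCODE, FTRTYPE) -> {FTRFTRID: [Part, ...]}."""
    by_id = filters.get((code, entry_type))
    if not by_id:
        return True    # no filters for this code/type: passed by default
    # Filter IDs are tried in turn; the first whose parts ALL hold passes the entry.
    return any(all(p.holds(esd) for p in by_id[fid]) for fid in sorted(by_id))

def esd(kind, obj, lib):
    """Constructed layout: 1-byte kind, 10-byte object, 10-byte library."""
    return kind.encode() + obj.ljust(10).encode() + lib.ljust(10).encode()

# Constructed filters for journal code T, entry type AF.
FILTERS = {
    ("T", "AF"): {
        1: [Part("1", 1, 1, b"A"),                 # kind is 'A' ...
            Part("0", 12, 10, b"QTEMP     ")],     # ... AND library is not QTEMP
        2: [Part("1", 1, 1, b"P")],                # OR kind is 'P'
    }
}

if __name__ == "__main__":
    for e in (esd("A", "PAYROLL", "PRODLIB"), esd("A", "WORKFILE", "QTEMP"),
              esd("P", "WORKFILE", "QTEMP")):
        print(e, "->", "pass" if passes(FILTERS, "T", "AF", e) else "drop")
```

Modeling a planned filter set this way before entering it on the screen helps confirm that an Omit part does not silently drop audit entries you still need at the Consolidator.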