A security analyst needs to correlate login events from multiple authentication servers to track a single user session. The events share a common 'session_id' field but have different timestamps. Which transaction command option should be used to ensure the session is considered complete after 30 minutes of inactivity?
- A
startswith=login endswith=logout
Why wrong: This defines start and end events, but does not handle inactivity timeout.
- B
mvlist=session_id
Why wrong: mvlist is not a valid transaction option; it is used elsewhere.
- C
maxspan=30m
Why wrong: maxspan limits the total duration of the transaction, not the gap between events.
- D
maxpause=1800
Why correct: maxpause=1800 sets the maximum pause between events to 1800 seconds (30 minutes), so the transaction closes after 30 minutes of inactivity.