The log filter file controls file audit events by means of the SACL you set on it. Setting a SACL on the filter file has the same effect as setting the same SACL on every file and directory on the storage system.
The effect of the filter file depends on the security setting of the qtree in which the files are located.
When an operation is performed on files in a UNIX security style, the event is logged depending on the SACL on the filter file.
When an operation is performed on files in an NTFS or mixed security-style qtree that has no SACL set, the event is logged depending on the SACL on the filter file.
However, if SACLs are set on individual files or directories, these SACLs take precedence over the SACL set on the filter file.