Audit Query Language overview

You can use the Audit Query Language to search for audited sessions with Find Sessions from a command line interface.

The Audit Query Language (AQL) serves two purposes:

  • Query definition: The Audit Management Server database stores the query definition as an AQL statement.
  • Query language: In order to query for audit information, the audit & monitoring service sends AQL statements to the Audit Management Server database.

When you enter an AQL query, the system stores this as the query definition. The query definition defines what information is of interest and how to group the results. In some cases, you might retrieve the results over multiple phases, depending on how you want to present the information.

For example: The query "get all Windows audit sessions, grouped by user" has two phases:

  1. Gather a list of all users who have Windows audit sessions
  2. Show all the Windows sessions for each user who is listed in Step 1.

In each phase, the Audit & Monitoring service generates the AQL statement and sends it to the Audit Management Server database to query for audit information. This is where AQL statements function as a query language.

Here is an AQL statement example:

  Type=wingui; orderby=time DESC; time is in this week; user="joe*","mark*"; machine="domaincontroller"

The example query would return audited Windows sessions in the last week where Joe or Mark logged in to the domain controller system, and the results would be listed in descending order of when they occurred.

In general, the format of an AQL statement can either be just some quick search terms or a statement with the following parts:

  • Audit trail types
  • Group-by
  • Order-by
  • Predicates
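To show how the statement above breaks down into those parts, and how the two-phase "grouped by user" retrieval works, here is an added example (not part of the product documentation): a toy Python parser that handles only the clause forms seen in the sample statement, run over constructed session records. The clause grammar, the 7-day reading of "this week", and the record layout are assumptions; the real Audit Management Server does not expose this code.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
def parse_aql(statement):
    """Split an AQL statement into type, order-by and predicates (assumed grammar)."""
    query = {"type": None, "orderby": None, "predicates": {}}
    for clause in filter(None, (c.strip() for c in statement.split(";"))):
        lower = clause.lower()
        if lower.startswith("type="):
            query["type"] = clause[5:].strip()
        elif lower.startswith("orderby="):
            field, _, direction = clause[8:].strip().partition(" ")
            query["orderby"] = (field, direction.strip().upper() or "ASC")
        elif lower == "time is in this week":
            query["predicates"]["time"] = "this week"
        else:  # field="v1","v2": any quoted value may match; * is a wildcard
            field, _, values = clause.partition("=")
            query["predicates"][field.strip()] = re.findall(r'"([^"]*)"', values)
    return query
def matches(session, query, now):
    """True if the session has the audit trail type and satisfies every predicate."""
    week_ago = now - timedelta(days=7)  # "this week" approximated as the last 7 days
    return (not query["type"] or session["type"] == query["type"]) and all(
        session["time"] >= week_ago if field == "time"
        else any(fnmatchcase(session[field], v) for v in values)
        for field, values in query["predicates"].items())
def run_query(statement, sessions, now, group_by=None):
    """Filter and order; with group_by, run the two phases the text describes."""
    query = parse_aql(statement)
    hits = [s for s in sessions if matches(s, query, now)]
    if query["orderby"]:
        field, direction = query["orderby"]
        hits.sort(key=lambda s: s[field], reverse=(direction == "DESC"))
    if group_by is None:
        return hits
    keys = sorted({s[group_by] for s in hits})                       # phase 1
    return {k: [s for s in hits if s[group_by] == k] for k in keys}  # phase 2

NOW = datetime(2024, 5, 10, 12, 0)  # constructed "current time" for the sample
def _s(type_, user, machine, age):  # builds a constructed session record
    return {"type": type_, "user": user, "machine": machine, "time": NOW - age}
SESSIONS = [  # constructed sample data, not real audit sessions
    _s("wingui", "joe.smith", "domaincontroller", timedelta(days=1)),
    _s("wingui", "mark.t", "domaincontroller", timedelta(hours=3)),
    _s("wingui", "joe.smith", "domaincontroller", timedelta(days=20)),  # too old
    _s("unix", "joe.smith", "domaincontroller", timedelta(days=2)),     # wrong type
]
EXAMPLE = 'Type=wingui; orderby=time DESC; time is in this week; user="joe*","mark*"; machine="domaincontroller"'
```

Calling run_query(EXAMPLE, SESSIONS, NOW) returns the two sessions that pass every predicate, most recent first; passing group_by="user" first collects the matching user names and then lists each user's sessions, mirroring the two phases above.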