Predefined queries for audit events
Audit Analyzer includes predefined queries that you can use to find the sessions that recorded audit trail events. To access the predefined queries for locating audit trail events, expand Audit Events. You can then select a predefined query to display a list of the audit trail events that meet the conditions of that query. You navigate to indexed lists of commands and events and replay sessions of interest for audit event queries in exactly the same way as audit session queries and you have the same options for viewing the activity captured. However, the details displayed for audit event queries are different from audit session queries.
For each event, Audit Analyzer lists the name of the user, the name of the audited computer, the time of the event, the event name and description, and whether access was successful.