Using Find Sessions

Find Sessions is a separate executable file, installed in the same directory as Audit Analyzer, that you can use to find and open audited sessions. The program provides a graphical user interface and a command line interface for specifying the search criteria. You can use either interface to find sessions of interest. From the Find Sessions graphical user interface, you can also replay sessions, update their review status, view the desktops used for any sessions found, display the list of indexed commands or events, and copy the session URI.

To start Find Sessions from the Windows command line, type the following in a Command Prompt window:

findsessions /ia

Specifying the sessions to find

You can use the Common or Advanced search criteria to find sessions of interest. The Find Sessions dialog box then displays the results that match the criteria you specify. In most cases, you can find the sessions you are interested in through some combination of user name, computer name, and session time displayed on the Common tab. If you want to specify additional criteria, such as review status or auditor name, you can click the Advanced tab.

Using the command line interface

You can run Find Sessions as a command line utility on computers where Audit Analyzer is installed. The command line interface can be useful, for example, if you want to find, export, or delete sessions as part of a script. You can view usage information for the command line interface using the /help option. Specify search criteria for finding sessions using the following format:

findsessions /i="InstallationName" /u="username" /m="computerName" /t="yyyy-MM-dd

Using a web browser to access sessions

On computers that have Audit Analyzer installed, you can also find and play back sessions from a web browser. Because the cda:// protocol is automatically registered on the computer with Audit Analyzer, you can use a web browser to open Find Sessions or to replay a specific session. For example, you can embed a cda:// link in a web page to automatically generate a list of sessions, or you might want to embed a link to a session or set of sessions in a web-based report or event notification.

You must be able to specify a query using AQL syntax to open Find Sessions from a web browser. If you want to start playing back a session from a web browser, you must know the session identifier. You can extract the session identifier from the session URI.

To start Find Sessions from a web browser:

  1. Open a web browser.
  2. Type the installation name and a search string using AQL syntax in the address bar of the web browser.

    For example, if you want to search an installation named MyInstallation5 for sessions that involved the Administrator user, you would type the following in the address bar:

    cda://DefaultInstallation5/?search=\"1 user=\"Administrator*\"\"
  3. Click Allow to open Find Sessions with the Advanced tab displayed and “user=Administrator*” listed under Define Criteria.

  4. Click Find Now to find sessions matching the criteria you specified.
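
The following added example (not part of the product documentation) shows one way to generate the cda:// search link from step 2 for embedding in a web-based report or event notification. It reproduces the address-bar string exactly as shown in step 2; the function names and the character allowlists for installation and user names are assumptions.

```javascript
// Added example: build a cda:// Find Sessions link for a web report.
// The URI shape is copied from the address-bar example in step 2; the
// allowlists below are assumptions, not rules documented by the product.

const INSTALLATION_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed safe character set
const USER_RE = /^[A-Za-z0-9._@-]{1,64}$/;       // assumed safe character set

function buildFindSessionsUri(installation, user) {
  if (!INSTALLATION_RE.test(installation)) {
    throw new Error("installation name contains unexpected characters");
  }
  // Reject quotes, backslashes, spaces and wildcards so a value taken from
  // an alert or log record cannot close the quoted term or add criteria.
  if (!USER_RE.test(user)) {
    throw new Error("user name contains unexpected characters");
  }
  // Same form as step 2: \"1 user=\"<user>*\"\"
  return `cda://${installation}/?search=\\"1 user=\\"${user}*\\"\\"`;
}

// Escape a value before placing it in HTML text or a quoted attribute.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function renderReportLink(installation, user) {
  const uri = buildFindSessionsUri(installation, user);
  return `<a href="${escapeHtml(uri)}">Sessions for ${escapeHtml(user)}</a>`;
}

// Render one link per user name; names that fail validation are skipped
// rather than embedded in the report.
function renderAll(installation, users) {
  return users.map((u) => {
    try { return renderReportLink(installation, u); }
    catch (e) { return null; }
  }).filter((link) => link !== null);
}
```
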

For more information about using Find Sessions, see the Find Sessions help.