To create a new private query:
- Open Audit Analyzer, select Audit Sessions, right-click, then select New Private Query.
- Type a name and description for the query.
After you save the query, this information is available for viewing and editing on the General tab when you display the query’s properties.
- Select the type of sessions that you want the query to find.
You can search for UNIX sessions, Windows sessions, and Linux Desktop sessions. By default, new queries search for all types of sessions.
- Select an attribute for grouping query results, if applicable.
You can select one or more attributes for grouping query results. If you specify more than one attribute, results are displayed as nested groups according to the order in which you specified the attributes. For example, if you select audit store, then user, then date, the query results are grouped by audit store, then by user for each audit store, then by date for each user.
- Select an attribute for ordering query results within each group, if applicable.
You can select ascending or descending sort order for each attribute. For example, you might group query results by user name and sort the user attribute in ascending order while sorting time in descending order, so that each user's most recent sessions appear first.
- Select an appropriate attribute from the Attribute list based on the sessions you want to find.
For example, you can search for sessions based on the period of time in which they were active or based on a specific state. You can also search for sessions based on the activity that took place during the session. For example, you can find sessions where specific UNIX commands or Windows applications were used.
- Select the appropriate criteria for the attribute you have selected, then click OK.
The specific selections you can make depend on the attribute selected. For example, if the attribute is Review Status, you can choose between “Equals” and “Not equals” and the specific review status you want to find, such as “To be Reviewed.” If you select the attribute Comment, you can specify “Contains any of” and type the text string to search for; sessions whose comment contains that text anywhere are returned.
When creating filters on user names or computers, you might want to use the “Starts with” option. If you keep the default “Is (exactly)” operator, the value must be the fully qualified name of the user or computer; a partial name such as a bare user name or short host name will not match.
- Click Add to add another filter to the criteria for the query, or click OK to save the query and find the sessions that match the criteria you have specified.
Adding multiple filters to the query criteria
If you have more than one filter, filters on different criteria attributes (for example, a Time filter and a State filter) are combined by an implicit AND operation: only sessions that match all of them are returned. Filters that repeat the same criteria attribute, for example two Time filters (time is not in past 10 days; time is in last month), are combined by an implicit OR operation: sessions that match either of them are returned.
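To make the implicit AND/OR rule concrete, and to show why “Is (exactly)” needs a fully qualified name where “Starts with” does not, here is an added Python model of the filter semantics described above. It is illustrative code written for this page, not Audit Analyzer code or its API; the session records, the field names (user, state, review_status, end_time), the fixed “now” and the operator strings are constructed for the example.

```python
"""Model of Audit Analyzer query-filter semantics (added example, not product code).

Rule being modelled: filters on different attributes are ANDed; repeated
filters on the same attribute are ORed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Fixed reference time so "in past N days" is reproducible (assumption for the example).
NOW = datetime(2024, 6, 15, 12, 0)

# Constructed sample sessions. Field names and values are assumptions for this example;
# "user" is stored fully qualified, as the text says "Is (exactly)" requires.
SESSIONS: List[Dict] = [
    {"user": "alice@example.com", "state": "Completed", "review_status": "To be Reviewed",
     "end_time": NOW - timedelta(days=3)},
    {"user": "alice@example.com", "state": "Completed", "review_status": "Reviewed",
     "end_time": NOW - timedelta(days=20)},
    {"user": "bob@example.com", "state": "In Progress", "review_status": "To be Reviewed",
     "end_time": NOW - timedelta(days=1)},
    {"user": "alicia@example.com", "state": "Completed", "review_status": "To be Reviewed",
     "end_time": NOW - timedelta(days=40)},
]

# A filter is (attribute, operator, value). Operator names mirror the ones quoted in the text.
Filter = Tuple[str, str, object]


def matches_one(session: Dict, attr: str, op: str, value) -> bool:
    """Evaluate a single filter against one session."""
    field = session[attr]
    if op in ("Is (exactly)", "Equals"):
        return field == value
    if op == "Not equals":
        return field != value
    if op == "Starts with":
        return str(field).startswith(str(value))
    if op == "is in past":          # value = number of days
        return field >= NOW - timedelta(days=int(value))
    if op == "is not in past":
        return field < NOW - timedelta(days=int(value))
    raise ValueError(f"unknown operator: {op}")


def evaluate(filters: List[Filter], sessions: List[Dict]) -> List[Dict]:
    """Return sessions matching the filter set under the implicit AND/OR rule."""
    # Group filters by attribute: OR inside a group, AND across groups.
    groups: Dict[str, List[Tuple[str, object]]] = {}
    for attr, op, value in filters:
        groups.setdefault(attr, []).append((op, value))
    return [
        s for s in sessions
        if all(any(matches_one(s, attr, op, v) for op, v in ops)
               for attr, ops in groups.items())
    ]


def query_users(filters: List[Filter], sessions: List[Dict] = SESSIONS) -> List[str]:
    """Convenience wrapper: the users of the matching sessions, in input order."""
    return [s["user"] for s in evaluate(filters, sessions)]


if __name__ == "__main__":
    # Bare user name with "Is (exactly)" matches nothing; the qualified name does.
    print(query_users([("user", "Is (exactly)", "alice")]))
    print(query_users([("user", "Is (exactly)", "alice@example.com")]))
    # "Starts with" tolerates the partial name, but still does not match "alicia".
    print(query_users([("user", "Starts with", "alice")]))
    # Two Time filters are ORed; the State filter is ANDed with that result.
    print(query_users([
        ("end_time", "is not in past", 10),
        ("end_time", "is in past", 2),
        ("state", "Equals", "Completed"),
    ]))
```

The last query reads as (older than 10 days OR within the last 2 days) AND Completed, which excludes the 3-day-old session (matches neither Time filter) and the in-progress session (fails the State filter).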
Editing and removing filters from the query criteria
You can edit and remove any of the filters you specify. For example, if you are not finding the appropriate sessions, you might need to change or remove the criteria you have defined. After you have saved a query, you can right-click the query name, then select Properties to modify the query definition.
Specifying command or application filters in the query criteria
When you specify criteria for commands, applications, or outputs, the entry field displays a list of possible matches from audited sessions based on the text you are typing. For example, if you select “Windows Applications” as the attribute and “Contains any of” as the operator and start typing “word” as the text string, the entry field displays a list of possible matches that contain “word” in the application name. You can select a potential match or continue typing to specify the application by its display name or the executable file name. For example, you can specify winword.exe, Microsoft Word, or both.