6.1 Running an Event Search

Users can run simple and advanced searches.

6.1.1 Basic Search

A basic search runs against all of the event fields in Table 6-1. Some sample basic searches include the following:

  • root

  • 127.0.0.1

  • Lock*

  • driverset0

NOTE: If time is not synchronized between the end user machine and the Identity Audit server (for example, one machine is 25 minutes behind), you might get unexpected results from your search. Searches such as Last 1 hour or Last 24 hours are based on the end user’s machine time.

  1. Click the Search link on the left.

    Identity Audit is configured to run a default search for non-system events with severity 3 to 5 the first time a user clicks the Search link. Otherwise, it defaults to the last search term the user entered.

  2. For a different search, type a search term in the search field (for example, admin). The search is not case-sensitive.

  3. Select a time period for which the search should be performed. Most of the time settings are self-explanatory, and the default is Last 30 Days.

    • Custom allows you to select a start date and time and an end date and time for the query. The start date must be before the end date, and the time is based on the browser’s local time.

    • All time searches all the data in the database.

  4. Select Include System Events to include events that are generated by Identity Audit system operations.

  5. Select Sort By Time to arrange data with the most recent events at the beginning.

    Sorting by time takes longer than sorting by relevance, which is the default.

  6. Click Search.

    All fields in the index are searched for the specified text. A spinning icon indicates that the search is taking place.

    The event summaries are displayed.

6.1.2 Advanced Search

An advanced search can search for a value in a specific event field or fields. The advanced search criteria are based on the short names for each event field and the search logic for the index. To view the field names and descriptions, the short names that are used in advanced searches, and whether the fields are visible in the basic and detailed event views, see Table 6-1.

To search for a value in a specific field, use the short name of the field, a colon, and the value. For example, to search for an authentication attempt to Identity Audit by user2, use the following text in the search field:

  • evt:authentication AND sun:user2

Other advanced searches might include:

  • pn:NMAS AND sev:5

  • sip:123.45.67.89 AND evt:"Set Password"

Figure 6-2 Advanced Search Example

Multiple advanced search criteria can be combined by using the following boolean operators:

  • AND (must be capitalized)

  • OR (must be capitalized)

  • NOT (must be capitalized and cannot be used as the only search criterion)

  • +

  • -

Special characters must be escaped by using a \ symbol:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \

The advanced search criteria are modeled on the search criteria for the Apache Lucene* open source package. More detail about the search criteria is available on the Web: Lucene Query Parser Syntax.
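As an added example (not code from the Identity Audit product or its documentation), the following Python builds advanced search strings in the field:value syntax described above. It escapes the listed special characters with a backslash, so a value copied from user input cannot add operators, wildcards or extra fields to the query, and it enforces the documented rules that AND, OR and NOT are capitalized and that NOT is never the only criterion. The field short names evt, sun, pn, sev and sip come from this section; Table 6-1 is not reproduced here, so the set of allowed fields is an assumption, as is the treatment of characters inside a quoted phrase.

```python
# Added example, not code from the Identity Audit product or documentation.
# Builds advanced-search strings in the field:value syntax described in this
# section and escapes the special characters the documentation lists, so a
# value taken from user input cannot change the meaning of the query.

# Special characters listed in the documentation. "&&" and "||" are
# two-character operators; escaping each "&" and "|" covers both.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\')

# Field short names that appear in this section. The full list is in
# Table 6-1 of the documentation (not reproduced here); extend as needed.
KNOWN_FIELDS = {"evt", "sun", "pn", "sev", "sip"}


def escape_value(value: str) -> str:
    """Backslash-escape every special character in a single-word value."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)


def term(field: str, value: str, allowed_fields=KNOWN_FIELDS) -> str:
    """Return one field:value criterion.

    The field must be a known short name, so a caller cannot redirect the
    search to an arbitrary field. A value containing whitespace is quoted
    as a phrase (like evt:"Set Password" in the documentation); inside the
    phrase only the quote and the backslash are escaped, on the assumption
    that other listed characters carry no operator meaning there.
    """
    if field not in allowed_fields:
        raise ValueError(f"unknown field short name: {field!r}")
    if not value:
        raise ValueError("empty search value")
    if any(ch.isspace() for ch in value):
        inner = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}:"{inner}"'
    return f"{field}:{escape_value(value)}"


def combine(criteria, operator: str = "AND") -> str:
    """Join criteria with AND or OR; the operators must be capitalized."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    criteria = list(criteria)
    if not criteria:
        raise ValueError("at least one criterion is required")
    return f" {operator} ".join(criteria)


def exclude(query: str, criterion: str) -> str:
    """Append a NOT clause. NOT cannot be the only criterion, so a
    non-empty base query is required."""
    if not query.strip():
        raise ValueError("NOT cannot be the only search criterion")
    return f"{query} NOT {criterion}"


if __name__ == "__main__":
    # Reproduces the documentation's own examples.
    print(combine([term("evt", "authentication"), term("sun", "user2")]))
    print(combine([term("pn", "NMAS"), term("sev", "5")]))
    print(combine([term("sip", "123.45.67.89"), term("evt", "Set Password")]))
    # A value that tries to widen the search is neutralized by escaping.
    print(term("sun", "user2*"))
    # A value containing operators becomes a literal phrase instead.
    print(term("sun", "user2 OR sev:5"))
    print(exclude(term("evt", "authentication"), term("sun", "admin")))
```

The allow-list on field names matters as much as the escaping: a search form that lets the caller supply the part before the colon would let a user query fields the interface never meant to expose, regardless of how carefully the value is escaped.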