Users can run simple and advanced searches.
A basic search runs against all of the event fields in Table 6-1. Some sample basic searches include the following:
root
127.0.0.1
Lock*
driverset0
NOTE: If time is not synchronized between the end user machine and the Identity Audit server (for example, one machine is 25 minutes behind), you might get unexpected results from your search. Searches such as or are based on the end user's machine time.
Click the link on the left. Identity Audit is configured to run a default search for non-system events with severity 3 to 5 the first time a user clicks the link. Otherwise, it defaults to the last search term the user entered.
For a different search, type a search term in the search field (for example, admin). The search is not case-sensitive.
Select a time period for which the search should be performed. Most of the time settings are self-explanatory, and the default is .
allows you to select a start date and time and an end date and time for the query. The start date must be before the end date, and the time is based on the browser's local time.
searches all the data in the database.
Select to include events that are generated by Identity Audit system operations.
Select to arrange data with the most recent events at the beginning. Sorting by time takes longer than sorting by relevance, which is the default.
Click . All fields in the index are searched for the specified text. A spinning icon indicates that the search is taking place.
The event summaries are displayed.
An advanced search looks for a value in one or more specific event fields. The advanced search criteria are based on the short name of each event field and on the search logic of the index. For the field names and descriptions, the short names used in advanced searches, and whether each field is visible in the basic and detailed event views, see Table 6-1.
To search for a value in a specific field, use the short name of the field, a colon, and the value. For example, to search for an authentication attempt to Identity Audit by user2, use the following text in the search field:
evt:authentication AND sun:user2
Other advanced searches might include:
pn:NMAS AND sev:5
sip:123.45.67.89 AND evt:"Set Password"
Figure 6-2 Advanced Search Example
Multiple advanced search criteria can be combined by using the following Boolean operators:
AND (must be capitalized)
OR (must be capitalized)
NOT (must be capitalized and cannot be used as the only search criterion)
+
-
Special characters must be escaped by using a \ symbol:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : \
The advanced search criteria are modeled on the search criteria for the Apache Lucene* open source package. More detail about the search criteria is available on the Web: Lucene Query Parser Syntax.
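The field:value syntax, the Boolean operators and the backslash escaping rule above can be composed programmatically rather than typed by hand. The following Python helper is an added example, not code from the Identity Audit product or this guide; the function names and the choice to emit a value containing whitespace as a quoted phrase (as in evt:"Set Password") instead of escaping each space are assumptions of this example.

```python
"""Compose Identity Audit advanced-search strings (added example, not product code)."""

# Characters the guide says must be escaped with a backslash.
# "&&" and "||" are covered by escaping each "&" and "|" individually.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\')


def escape_term(value: str) -> str:
    """Backslash-escape every special character in one search value.

    This also neutralises "*" and "?", so a deliberate wildcard search
    such as Lock* must be passed through without escaping.
    """
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)


def field_clause(short_name: str, value: str) -> str:
    """Build a short-name:value clause, for example evt:authentication.

    Assumption: a value containing whitespace is emitted as a quoted
    phrase, with only embedded quotes and backslashes escaped.
    """
    if any(ch.isspace() for ch in value):
        inner = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{short_name}:"{inner}"'
    return f"{short_name}:{escape_term(value)}"


def build_query(required=(), any_of=(), excluded=()) -> str:
    """Combine (short_name, value) pairs with AND, OR and NOT.

    required: every clause must match (joined with AND)
    any_of:   at least one clause must match (grouped with OR)
    excluded: no clause may match (each prefixed with NOT)
    """
    parts = [field_clause(f, v) for f, v in required]
    if any_of:
        parts.append("(" + " OR ".join(field_clause(f, v) for f, v in any_of) + ")")
    if excluded and not parts:
        # The guide states that NOT cannot be the only search criterion.
        raise ValueError("NOT cannot be the only search criterion")
    parts.extend("NOT " + field_clause(f, v) for f, v in excluded)
    return " AND ".join(parts)


if __name__ == "__main__":
    # Reproduces the two advanced searches shown in the guide.
    print(build_query(required=[("evt", "authentication"), ("sun", "user2")]))
    print(build_query(required=[("sip", "123.45.67.89"), ("evt", "Set Password")]))
```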