Exploring Audit Data
Required Role: Auditing Viewer (or Full Administrator)
Viewing Audit Events
- Click the Audits tab. By default, the Audit Events report opens, listing all events that occurred within the last hour, with the most recent at the
The Audit Events and Recent Denied Accesses reports are available by default. You create your own reports and apply a variety of filters as detailed in the next section.
Filtering Audit Events
You filter audit events by specifying a time range or adding one or more filters containing an audit event field, operator, and value.
Specifying a Time Range
- Click the date-time range at the top right of the Audits tab to open a range selector.
- Select one of the pre-defined ranges.
To enter a specific time range, choose Custom range and use the controls in Selected Range to specify start and end dates and times.
- Click Apply.
Adding a Filter
- Click the Filters link.
The Filters pane displays.
- Click if a filter field is not already open.
- Choose a field in the Select Property drop-down list.
The properties correspond to the audit fields listed in Service Audit Events.
- Choose an operator in the operator drop-down list.
Choose from = (equals), != (not equals), like, and not like. The like operator matches to substrings. For example, to see all the audit events for files created in the folder /user/joe/out, specify Source like /user/joe/out.Use not like to filter out events based on a partial string match. For example, to show audit events for a set of IP addresses that start with the same sequence 172.39.109, you can specify IP Address not like 172.39.109.
- Type a field value in the value text field.
For example, to see the events listed for Navigator, enter Service Name = Navigator.
- To specify an additional filter, click and define the new criteria.
Audit events show that match all filters (AND).
- Click Apply.
A filter breadcrumb appears above the list of audit events and the list of events displays all events that match all the filter criteria.