Creating Custom Queries

In addition to the predefined queries, you can use Audit Analyzer to create your own queries for locating sessions using specific criteria. For example, you might want to find all sessions that contain the string sudo or that ran a specific program. To search for these sessions, you can create a custom query definition.

For audited sessions, you can create:

  • Quick queries
  • Private queries
  • Shared queries

If you create a quick, private, or shared query, a new node is added to the Audit Analyzer console for that type of query under the Audit Sessions node. If you want to search for audit trail events, you can also create queries for audit events, which are added to Audit Analyzer under the Audit Events node.

To create a new custom query

  1. Open Audit Analyzer, select Audit Sessions, right-click, then select one of the following options for a new query:

    • New Quick Query
    • New Private Query
    • New Shared Query
  2. Type a name and description for the query.

  3. Select the type of sessions that you want the query to find.

    For example, select UNIX sessions to limit the search to only include UNIX sessions. By default, new queries search for both UNIX and Windows sessions.

  4. Select an attribute for grouping query results, if applicable.

  5. Select an attribute for ordering query results within each group, if applicable.

  6. Click Add to add search criteria to filter the results of the query.

  7. Select an appropriate attribute from the Attribute list based on the sessions you want to find.

  8. Select the appropriate criteria for the attribute you have selected, then click OK.

    The specific selections you can make depend on the attribute selected. For example, if the attribute is Review status, you can choose between “Equals” and “Not equals” and the specific review status you want to find, such as “To be Reviewed.” If you select the attribute Comment, you can specify “Contains any of” and type the text string that you want to find in any part of the comment.

  9. Click Add to add another filter to the criteria for the query, or click OK to save the query and find the sessions that match the criteria you have specified.
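The following Python model is an added example, not Audit Analyzer code and not a Centrify API: it shows how the pieces chosen in the dialog above (session type, grouping attribute, ordering attribute and a list of filter rows with “Equals”, “Not equals” or “Contains any of”) combine to select and arrange sessions. The session records, the attribute names (`review_status`, `comment`, `commands`) and the query class are all constructed for illustration.

```python
"""Model of an Audit Analyzer custom session query (added example, hypothetical).

Not Audit Analyzer code: it does not read a real audit store. The sessions
below are constructed sample data with attribute names chosen for this example.
"""
from dataclasses import dataclass, field
from itertools import groupby
from typing import Any, Dict, List, Optional

# Constructed sample sessions with attributes a filter row can compare against.
SAMPLE_SESSIONS: List[Dict[str, Any]] = [
    {"id": 1, "type": "UNIX", "user": "alice", "review_status": "To be Reviewed",
     "comment": "ran sudo su -", "commands": ["ls", "sudo su -"]},
    {"id": 2, "type": "Windows", "user": "bob", "review_status": "Reviewed",
     "comment": "routine admin", "commands": ["mmc.exe"]},
    {"id": 3, "type": "UNIX", "user": "carol", "review_status": "To be Reviewed",
     "comment": "package install", "commands": ["sudo yum install vim"]},
    {"id": 4, "type": "UNIX", "user": "alice", "review_status": "Pending for Action",
     "comment": "", "commands": ["cat /etc/passwd"]},
]


@dataclass
class Criterion:
    """One filter row: an attribute, an operator and the value(s) to compare."""
    attribute: str
    operator: str          # "Equals", "Not equals" or "Contains any of"
    values: List[str]

    def matches(self, session: Dict[str, Any]) -> bool:
        actual = session.get(self.attribute)
        if self.operator == "Equals":
            return actual == self.values[0]
        if self.operator == "Not equals":
            return actual != self.values[0]
        if self.operator == "Contains any of":
            # Substring match against a single string attribute (e.g. comment)
            # or against every element of a list attribute (e.g. commands).
            haystack = actual if isinstance(actual, list) else [actual or ""]
            return any(needle in text for needle in self.values for text in haystack)
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass
class SessionQuery:
    """The fields filled in by the New Query dialog, as modelled here."""
    name: str
    description: str = ""
    session_types: tuple = ("UNIX", "Windows")   # default: both, as in the dialog
    group_by: Optional[str] = None
    order_by: Optional[str] = None
    criteria: List[Criterion] = field(default_factory=list)

    def run(self, sessions: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
        # A session is returned only if it is of a selected type and every
        # filter row matches (the criteria are ANDed together).
        hits = [s for s in sessions
                if s["type"] in self.session_types
                and all(c.matches(s) for c in self.criteria)]
        if self.order_by:
            hits.sort(key=lambda s: str(s.get(self.order_by, "")))
        if self.group_by:
            # Stable sort: ordering within each group is preserved from above.
            key = lambda s: str(s.get(self.group_by, ""))
            hits.sort(key=key)
            return {k: list(grp) for k, grp in groupby(hits, key=key)}
        return {"": hits}


def sudo_sessions_to_review(sessions=SAMPLE_SESSIONS):
    """UNIX sessions still to be reviewed whose commands contain sudo or su -."""
    query = SessionQuery(
        name="sudo sessions awaiting review",
        description="constructed example query",
        session_types=("UNIX",),
        group_by="user",
        order_by="id",
        criteria=[
            Criterion("review_status", "Equals", ["To be Reviewed"]),
            Criterion("commands", "Contains any of", ["sudo", "su -"]),
        ],
    )
    return query.run(sessions)


def unreviewed_sessions(sessions=SAMPLE_SESSIONS):
    """Every session of either type whose review status is not Reviewed."""
    query = SessionQuery(
        name="not yet reviewed",
        criteria=[Criterion("review_status", "Not equals", ["Reviewed"])],
    )
    return query.run(sessions)[""]


if __name__ == "__main__":
    for user, group in sudo_sessions_to_review().items():
        print(user, [s["id"] for s in group])
```

Running the script groups the matching sessions by user: alice has session 1 and carol has session 3, while session 4 is excluded by the review-status row and session 2 by the UNIX-only session type.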