Viewing Sessions with Predefined Queries

After you have started collecting user activity on a managed computer, you can use Audit Analyzer to view and replay the sessions captured. For example, you can open Audit Analyzer and select Active Sessions to see sessions that are currently in progress.

Audit Analyzer includes many predefined queries, like the Active Sessions query, that you can use to find the sessions in which you are interested. To access the predefined queries, expand Audit Sessions. You can then select a predefined query to display a list of the audited sessions that meet the conditions of that query. For example, if you want to search for sessions by user, you can select the “All, Grouped by User” query, then select the specific user from the list in the right pane to see all the sessions captured for that user.

After you select a specific user, Audit Analyzer displays detailed information about each of that user’s sessions. For each session, Audit Analyzer lists the name of the user who started the session, the user display name, the account name used during the session, the name of the audited computer, the audit store used, the start and end time, the current state, whether the audited session is a console or terminal client session, the review status of the session, the name of the user who modified the status, the size of the session in kilobytes, and any comments that have been added to the session.

In addition to the predefined queries for audited sessions, Audit Analyzer includes predefined queries for audit trail events and predefined queries for basic reports. You can explore these queries on your own as you capture additional activity.