Working with Audit Logger Queries

In the Search tab of the Audit Logger, you can define a query of the log messages in the Audit Logger File Store.

Audit Logger queries perform the following tasks:

Searching for Log Messages

Displaying Audit Logger Data in a Graph

Generating an Audit Logger Report 

Sending Log Messages to an Event-Management Database

Exporting Log Messages from the Audit Logger

At any time, you can save the properties of a query for future use.

To create a Saved Query, see Saving an Audit Logger Query.

To define a schedule for a Saved Query that generates an Audit Logger Report, see Working with the Task Scheduler.

To open the Search tab:

1. In the side bar, select Events >Audit LoggerAudit Logger.
2. In the Audit Logger, select the Query tab.

The Search tab includes two sub-tabs:

In the Query Criteria tab, you can define, save, and run Audit Logger queries. Table 75 describes the fields presented in the Query Criteria tab by default.

The Query History tab provides a history of all queries run in the Search tab (see Table 76). To run one of these queries, double-click the query. TLC opens the Query Criteria tab (see Table 75) and populates the tab's fields with the query's criteria.

Tip 

Log messages in the Audit Logger cache are excluded from Audit Logger queries. To flush the Audit Logger cache, see Working with the Audit Logger Cache.

Table 75. Default fields in the Query Criteria tab

Field

Description

Query name

(For Saved Queries only) The name of the query.

Query ID

(For Saved Queries only) A unique ID for the query.

Personal use only

(For Saved Queries only) If enabled, the query is not available to other TLC users.

Description

(For Saved Queries only) A description of the query.

Queried Audit Logger

The Audit Logger to be queried.

Query group

(For Saved Queries only) Specifies the location in which to save the query in the tree of the side bar in the Query Criteria tab. You can either select a Tripwire-defined location or enter a custom path.

Output

Indicates the type of query to be run on the Audit Logger File Store. With the exception of the List Events - Raw query type, TLC normalizes the log messages identified by the query criteria. To normalize a log message, TLC uses the Normalization Rules assigned to each Asset Group containing the Asset that represents the message's Log Source (see Assigning Normalization Rules to Asset Groups), as well as any rules assigned to the Asset itself (see Table 48).

List Events - Raw. Presents log messages in a table (see Searching for Log Messages).

List Events - Processed. Presents Normalized Messages in a table (see Searching for Log Messages).

Graph Events - Processed. Presents a chart of query results (see Displaying Audit Logger Data in a Graph).

Report. Compiles a report on the query results (see Generating an Audit Logger Report).

Database. Saves Normalized Messages as Events in an Event-Management Database (see Sending Log Messages to an Event-Management Database).

File. Saves Normalized Messages as Events in a zipped text file (see Exporting Log Messages from the Audit Logger).

Classification Tags

Limits the query to log messages with a selected Classification Tag or Tag Set (see How does Classification work?).

Terms

Defines a query command for terms in the Audit Logger File Store. For special characters, see Table 77.

Tips: To optimize performance, enter the most unique terms first. For example, "jhammond user failed" would be faster than "user failed jhammond."

Assets

Limits the query to an Asset Group, Log Source type, or specific Asset(s).

To limit the query to an Asset Group, select Asset Group from the first drop-down and the Asset Group from the second drop-down.

To limit the query to a type of Log Source, select Log Source type from the drop-down and the type from the second drop-down. If 'Separate Data by Location' is enabled in the Audit Logger tab of the Manager properties dialog (see Configuring Audit Logger Settings), you can also select a Location to limit the query to Log Sources in that Location.

To limit the query to specific Assets, select IP address or Hostname from the first drop-down and the Asset's Log Source from the second drop-down.

The second drop-down supports the use of the * and ? wildcard characters (see Table 77).

To add another Asset, select the Asset from the second drop-down or manually add IP addresses or host names to the field. Multiple Assets must be separated by a comma. For example: 192.168.129.1,192.168.129.2

If 'Separate Data by Location' is enabled in the Audit Logger tab of the Manager properties dialog (see Configuring Audit Logger Settings), you can limit the query to Assets in a specific Location (e.g. Miami\192.168.129.1).

Events Per Query

Limits the number of log messages returned by the query. To see all query results, select ALL.

Date and Time

Limits the query to log messages created in a specified time period.

To define a time period relative to the time of the query:

1. Select Newer/Older/Previous.

2. In the Time Span settings, select Newer than or Older than, and then specify the number of Minutes, Hours, Days, or Months.

For example, if the query runs at 9/20/2013 10:30AM and you enter Newer than 3 Days, TLC would limit the query to log messages created between 9/17/2013 10:30AM and 9/20/2013 10:30AM.

To define a time period consisting of a specified number of whole Minutes, Hours, Days, or Months before the time of the query: 

1. Select Newer/Older/Previous.

2. In the Time Span settings, select Previous and then specify the number of Minutes, Hours, Days, or Months.

For example, if the query runs on 9/20/2013 (any time) and you enter Previous 3 Days, TLC would limit the query to log messages created between 9/17/2013 12:00AM and 9/19/2013 11:59PM.

To define a custom time period:

1. Select Start & End Time.

2. Enter a Start Time and then specify the number of Minutes, Hours, Days, or Months in the Duration field. (When you enter a Duration, TLC automatically updates the End Time field.)

For example, if you enter a Start Time of 08/20/2013 4:00:00 PM and a Duration of 3 Days, TLC would limit the query to log messages created between 08/20/2013 04:00:00 PM and 08/23/2013 03:59:59 PM.

Table 76. Query History tab

Column

Description

Timestamp

The date and time when a query was run.

Query

Presents the type, command, and criteria for each query.

Table 77. Query-syntax characters

Character

Description

Example

space

An AND operator

Write Data

|

An OR operator

(Write | Data)

?

Wildcard for a single character

Wr?te

*

Wildcard for zero (0) or more characters at the end of a term

Wri*

||

Separates multiple queries

Permit 192.168.0.1 || Deny 192.168.0.2

An example of a nested query:

(Permit | Allow) 192.168.0.1 || (Deny | Drop) 192.168.0.2

" "

A literal value

"Failed Login"

Troubleshooting an Audit Logger Query

If the results of an Audit Logger query seem inaccurate or otherwise problematic, you can save the query results in a log file and then forward the file to Tripwire Support for troubleshooting. By default, TLC saves these log files in the following directory: 

C:\Program Files\Tripwire\Tripwire Log Center Manager\Logs\Support

To create and forward a query-results log file: 

1. From the menu bar, select Help > Toggle Support Functionality (i.e. enable this setting).
2. In the side bar, select Events > Audit Logger. (If the Audit Logger is already open, you must close and re-open it.)
3. In the Audit Logger, select the Support tab.
4. In the Support tab, select Write Data to Disk. In the Data File Name field, TLC presents the name of the query-results file to be created on your TLC Manager when you re-run the query. (Note: When you run the query, TLC automatically re-sets the Support tab to the default setting of 'Normal Operation.')
5. In the Query tab, enter your search criteria or select a Saved Query.
6. To run the query, click Start. TLC presents the query results and saves the query-results file on your TLC Manager.
7. For further instructions, contact Tripwire Technical Support.