In the Search tab of the Audit Logger, you can define a query of the log messages in the Audit Logger File Store.
Audit Logger queries perform the following tasks:
Displaying Audit Logger Data in a Graph
Generating an Audit Logger Report
Sending Log Messages to an Event-Management Database
Exporting Log Messages from the Audit Logger
At any time, you can save the properties of a query for future use.
To create a Saved Query, see Saving an Audit Logger Query.
To define a schedule for a Saved Query that generates an Audit Logger Report, see Working with the Task Scheduler.
To open the Search tab:
1. In the side bar, select Events > Audit Logger.
2. In the Audit Logger, select the Query tab.
The Search tab includes two sub-tabs:
In the Query Criteria tab, you can define, save, and run Audit Logger queries. Table 79 describes the fields presented in the Query Criteria tab by default.
The Query History tab provides a history of all queries run in the Search tab (see Table 80). To run one of these queries, double-click the query. TLC opens the Query Criteria tab (see Table 79) and populates the tab's fields with the query's criteria.
Tip: Log messages in the Audit Logger cache are excluded from Audit Logger queries. To flush the Audit Logger cache, see Working with the Audit Logger Cache.
Table 79. Fields in the Query Criteria tab

| Field | Description |
|---|---|
| Query name | (For Saved Queries only) The name of the query. |
| Query ID | (For Saved Queries only) A unique ID for the query. |
| Personal use only | (For Saved Queries only) If enabled, the query is not available to other TLC users. |
| Description | (For Saved Queries only) A description of the query. |
| Queried Audit Logger | The Audit Logger to be queried. |
| Query group | (For Saved Queries only) Specifies the location in which to save the query in the tree of the side bar in the Query Criteria tab. You can either select a Tripwire-defined location or enter a custom path. |
| Output | Indicates the type of query to be run on the Audit Logger File Store. With the exception of the List Events - Raw query type, TLC normalizes the log messages identified by the query criteria. To normalize a log message, TLC uses the Normalization Rules assigned to each Asset Group containing the Monitored Asset that represents the message's Log Source (see Assigning Normalization Rules to Asset Groups), as well as any rules assigned to the Monitored Asset itself (see Table 50). The output types are: List Events - Raw, which presents log messages in a table (see Searching for Log Messages); List Events - Processed, which presents Normalized Messages in a table (see Searching for Log Messages); Graph Events - Processed, which presents a chart of the query results (see Displaying Audit Logger Data in a Graph); Report, which compiles a report on the query results (see Generating an Audit Logger Report); Database, which saves Normalized Messages as Events in an Event-Management Database (see Sending Log Messages to an Event-Management Database); and File, which saves Normalized Messages as Events in a zipped text file (see Exporting Log Messages from the Audit Logger). |
| Classification Tags | Limits the query to log messages with a selected Classification Tag or Tag Set (see How does Classification work?). |
| Terms | Defines a query command for terms in the Audit Logger File Store. For special characters, see Table 81. Tip: to optimize performance, enter the most unique terms first. For example, "jhammond user failed" is faster than "user failed jhammond". |
| Monitored Assets | Limits the query to an Asset Group, a Log Source type, or specific Monitored Asset(s). To limit the query to an Asset Group, select Asset Group from the first drop-down and the Asset Group from the second drop-down. To limit the query to a type of Log Source, select Log Source type from the first drop-down and the type from the second drop-down. If 'Separate Data by Location' is enabled in the Audit Logger tab of the Manager properties dialog (see Configuring Audit Logger Settings), you can also select a Location to limit the query to Log Sources in that Location. To limit the query to specific Monitored Assets, select IP address or Hostname from the first drop-down and the Asset's Log Source from the second drop-down. The second drop-down supports the * and ? wildcard characters (see Table 81). To add another Monitored Asset, select the Asset from the second drop-down or manually add IP addresses or host names to the field. Multiple Assets must be separated by a comma, for example: 192.168.129.1,192.168.129.2. If 'Separate Data by Location' is enabled in the Audit Logger tab of the Manager properties dialog (see Configuring Audit Logger Settings), you can limit the query to Monitored Assets in a specific Location (e.g. Miami\192.168.129.1). |
| Events Per Query | Limits the number of log messages returned by the query. To see all query results, select ALL. Note: if you select List Events - Raw, List Events - Processed, or Graph Events - Processed from the Output drop-down, TLC limits the query to 100,000 log messages for better readability. |
| Date and Time | Limits the query to log messages created in a specified time period. To define a time period relative to the time of the query: (1) select Newer/Older/Previous; (2) in the Time Span settings, select Newer than or Older than, and then specify the number of Minutes, Hours, Days, or Months. For example, if the query runs at 9/20/2013 10:30AM and you enter Newer than 3 Days, TLC limits the query to log messages created between 9/17/2013 10:30AM and 9/20/2013 10:30AM. To define a time period consisting of a specified number of whole Minutes, Hours, Days, or Months before the time of the query: (1) select Newer/Older/Previous; (2) in the Time Span settings, select Previous and then specify the number of Minutes, Hours, Days, or Months. For example, if the query runs on 9/20/2013 (at any time) and you enter Previous 3 Days, TLC limits the query to log messages created between 9/17/2013 12:00AM and 9/19/2013 11:59PM. To define a custom time period: (1) select Start & End Time; (2) enter a Start Time and then specify the number of Minutes, Hours, Days, or Months in the Duration field (when you enter a Duration, TLC automatically updates the End Time field). For example, if you enter a Start Time of 08/20/2013 4:00:00 PM and a Duration of 3 Days, TLC limits the query to log messages created between 08/20/2013 04:00:00 PM and 08/23/2013 03:59:59 PM. |
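The three Date and Time options (Newer than / Older than, Previous, and Start & End Time with a Duration), worked through as an added Python example that is not code from the page or from Tripwire. It assumes the windows are inclusive to the second, models only Minutes, Hours and Days (Months are left out), and that Older than has no lower bound.

```python
from datetime import datetime, timedelta

# Assumption: only Minutes, Hours and Days are modelled; a calendar Month has
# no fixed length in timedelta, so the Months option is left out here.
UNITS = {"Minutes": timedelta(minutes=1),
         "Hours": timedelta(hours=1),
         "Days": timedelta(days=1)}

def unit_start(ts, unit):
    """Truncate ts to the start of the minute, hour or day it falls in."""
    if unit == "Minutes":
        return ts.replace(second=0, microsecond=0)
    if unit == "Hours":
        return ts.replace(minute=0, second=0, microsecond=0)
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def newer_than(run_at, n, unit):
    """Newer than n units: the window runs from run_at - n units up to run_at."""
    return run_at - n * UNITS[unit], run_at

def older_than(run_at, n, unit):
    """Older than n units: everything created before run_at - n units
    (assumption: the page gives no lower bound, so None is returned for it)."""
    return None, run_at - n * UNITS[unit]

def previous(run_at, n, unit):
    """Previous n units: n whole units ending at the last second before the
    unit in which the query runs, regardless of the time of day it runs."""
    current = unit_start(run_at, unit)
    return current - n * UNITS[unit], current - timedelta(seconds=1)

def start_and_duration(start, n, unit):
    """Start & End Time: the End Time TLC derives from Start Time + Duration,
    closing one second before the next window would open."""
    return start, start + n * UNITS[unit] - timedelta(seconds=1)

if __name__ == "__main__":
    run = datetime(2013, 9, 20, 10, 30)   # 9/20/2013 10:30 AM, the page's example time
    print("Newer than 3 Days:", newer_than(run, 3, "Days"))
    print("Previous 3 Days:  ", previous(run, 3, "Days"))
    print("Start + 3 Days:   ", start_and_duration(datetime(2013, 8, 20, 16), 3, "Days"))
```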
Table 80. Columns in the Query History tab

| Column | Description |
|---|---|
| Timestamp | The date and time when a query was run. |
| Query | Presents the type, command, and criteria for each query. |
Table 81. Special characters in query terms

| Character | Description | Example |
|---|---|---|
| space | An AND operator | Write Data |
| \| | An OR operator | (Write \| Data) |
| ? | Wildcard for a single character | Wr?te |
| * | Wildcard for zero (0) or more characters at the end of a term | Wri* |
| \|\| | Separates multiple queries | Permit 192.168.0.1 \|\| Deny 192.168.0.2. An example of a nested query: (Permit \| Allow) 192.168.0.1 \|\| (Deny \| Drop) 192.168.0.2 |
| " " | A literal value | "Failed Login" |
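The Table 81 syntax implemented as an added Python matcher, which is not code from the page or from the Tripwire product. It assumes that terms match whole whitespace-separated tokens case-insensitively, that | is OR at any nesting level, and that the results of ||-separated queries are combined; the sample log messages are constructed.

```python
import re
TOKENS = re.compile(r'"[^"]*"|\|\||[()|]|[^\s()|"]+')   # quoted literal, ||, ( ) |, or a term

def term_matcher(term):
    """Compile one term: "..." is literal text, ? matches one character, a trailing * matches zero or more."""
    if term.startswith('"'):
        body = re.escape(term.strip('"'))
    else:
        body = re.escape(term.rstrip('*')).replace(r'\?', '.')
        if term.endswith('*'):
            body += r'\S*'
    return re.compile(r'(?<!\S)' + body + r'(?!\S)', re.IGNORECASE)

# Grammar: queries := expr ('||' expr)* ; expr := group ('|' group)* ;
# group := factor+ (space is AND) ; factor := '(' expr ')' | term
def parse_queries(toks):
    qs = [parse_expr(toks)]
    while toks and toks[0] == '||':
        toks.pop(0); qs.append(parse_expr(toks))
    return qs
def parse_expr(toks):
    groups = [parse_group(toks)]
    while toks and toks[0] == '|':
        toks.pop(0); groups.append(parse_group(toks))
    return lambda msg: any(g(msg) for g in groups)
def parse_group(toks):
    factors = []
    while toks and toks[0] not in ('|', '||', ')'):
        factors.append(parse_factor(toks))
    return lambda msg: all(f(msg) for f in factors)
def parse_factor(toks):
    tok = toks.pop(0)
    if tok == '(':
        inner = parse_expr(toks); toks.pop(0)   # consume the closing ')'
        return inner
    rx = term_matcher(tok)
    return lambda msg: rx.search(msg) is not None

def search(query, messages):
    """Messages matched by any '||'-separated query, in original order (assumption: results are unioned)."""
    qs = parse_queries(TOKENS.findall(query))
    return [m for m in messages if any(q(m) for q in qs)]

# Constructed sample log messages, not taken from the original page.
SAMPLE = [
    "fw1 kernel: Permit TCP 192.168.0.1 -> 10.0.0.5:443",
    "fw1 kernel: Deny TCP 192.168.0.2 -> 10.0.0.5:22",
    "fw1 kernel: Drop UDP 192.168.0.2 -> 10.0.0.9:53",
    "app1 sshd: Failed Login for user jhammond",
    "app1 audit: Write Data by jhammond succeeded",
]
```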