Chat now with support
Chat mit Support

Change Auditor 7.6 - Web Client User Guide

Create custom searches

You can create custom search definitions to audit the configuration changes that need to be tracked in your environment. You will use the Search Properties tabs, located across the bottom of the Searches page, to define new custom searches or edit existing search definitions.

* 
NOTE: The following procedure provides the general steps involved in creating a custom search using the web client. Refer to Search Properties tabs for more information on specifying search criteria on the individual tabs.
To create a new search:
1
Open the Searches page.
2
In the Folders pane (left pane), expand and select the folder where you want to save your search definition.
Selecting the Private folder will create a search that only you can run and view; whereas selecting the Shared folder will create a search definition which can be run and viewed by all Change Auditor users.
3
Click New Search at the top of the Searches page to activate the Search Properties tabs.
4
On the Search Properties tabs, enter the search criteria to be used. The following table provides a brief description of the tabs available and how to define criteria on each of these tabs.
* 
NOTE: When you specify criteria on more than one Search Properties tab (e.g. Who, What and Where tabs), Change Auditor first evaluates each individual tab’s criteria and then chains the individual tab’s criteria together using the ‘AND’ operator, returning only those events that meet all of the search properties specified on the different tabs.
 
Table 9. Search Properties tabs
Tab
Description
How to add criteria
Info

Name your search
1
Enter name of search
2
Optionally enter description
3
Optionally select Show as Widget check box
Who

Search for events generated by a specific user, computer or group.

By default, Change Auditor searches for events generated by all users, computers and groups.
1
Click Add to display Add Users, Computers, or Groups dialog.
2
On Select User tab, use Browse or Search page to locate and select the user, computer or group
3
Click Add to add criteria to selection list
4
Click OK to save selection and close dialog
NOTE: Use the Add Wildcard tab to specify a wildcard expression to search for users or groups.
NOTE: Use the Add With Events tab to select a user, computer or group that already has an event associated with it in the database.
What

Search for events based on subsystem, event class, object class, severity or result.

By default, all entities are included in a new search definition.
1
Expand Add and select an option from the drop-down menu
2
On the Add tab, specify or select the ‘what’ criteria (depending on dialog):
Event Class - Add Facilities or Event Classes dialog
Object Class - Add Object Classes dialog
Severity - Add Severities dialog
Result - Add Results dialog
Active Directory - Add Active Directory Container dialog
Microsoft Entra - Add Microsoft Entra dialog.
AD Query - Add Active Directory Container dialog
ADAM (AD LDS) - Add ADAM (AD LDS) Container dialog
Exchange - Add Exchange Container dialog
Microsoft 365 Exchange Online - Microsoft 365 Exchange Online dialog
File System - Add File System Path dialog
Group Policy - Add Group Policy Container dialog
Local Account - Add Local Account dialog
Logon Activity - Add Logons dialog
Registry - Add Registry Key dialog
Service - Add Service dialog
SharePoint - Add SharePoint Path dialog
SQL - Add SQL Instance dialog
SQL Data Level - Add SQL Data Level object
3
Click Add to add criteria to selection list
4
Click OK to save selection and close dialog
NOTE: Use the Add With Events tab (instead of the Add tab) on these dialogs to select from a list of objects that already have an event associated with it in the database.
Where

Search for events captured by a specific agent or within a specific domain or site.

By default, all agents will be included in a new search.
1
Click Add to display the Add Agents, Domains, Sites dialog
2
On the Select Object tab, use the Browse or Search page to locate and select an agent, domain or site
3
Click Add to add criteria to selection list
4
Click OK to save selection and close dialog
NOTE: Use the Add Agents tab to select an agent from a list.
NOTE: Use the Add Wildcard tab to specify a wildcard expression to search for domains, sites or agents.
NOTE: Use the Add With Events tab to select agents, domains or sites that already have an event associated with it in the database.
When

Search for events that occurred during a specific date/time range.

By default, new searches will include the events captured this week.
1
In Date Interval pane, select the date interval to be used and use controls to specify date interval
2
Optionally use the Time Interval controls to specify a start and end time
Origin

Search for events originating from a specific workstation or server.

By default, Change Auditor searches for all events regardless of where they originated.
1
Click Add to display the Add Origin dialog.
2
On the Add Wilcard tab, enter a wildcard expression to search for a workstation or server.
3
Click Add to add criteria to selection list
4
Click OK to save selection and close dialog
NOTE: Use the Add With Events tab to select an originating workstation/server that already has an event associated with it in the database.
5
If you want to be notified when an event is captured as a result of this custom search, open the Alert tab to enable and define how and where to dispatch alerts. See Alert tab for more information.
6
If you want to send reports for this query, open the Report tab to enable reporting and define the report recipients. See Report tab for more information.
7
Once you have defined the search criteria to be used, you can save and/or run the search query, using one of the following tool bar buttons at the top of most Search Properties tabs:
Save: Saves the search definition without running it.
Save As: Allows you to save the search definition to a different location within the folder hierarchy or using a different name.
Run: Saves and runs the search. A new Search Results page will be added to the web client populated with the events that met the search criteria defined.

Search Properties tabs

Use the Search Properties tabs to view or define search criteria. The following sections provide a description of the fields/controls on each tab:
Info tab: Allows you to enter a name and description for the search.
Who Tab: Allows you to search for events generated by a specific user, computer or group.
What tab: Allows you to search for events based on subsystem, event class, object class, severity or result.
Where tab: Allows you to search for events captured by a specific agent, domain or site.
When tab: Allows you to search for events that occurred within a specific date/time range.
Origin tab: Allows you to search for events that originated from a specific workstation or server.
Alert tab: Allows you to enable alerts for this query and define how and where to dispatch alerts.
Report tab: Allows you to enable reporting for this query and define the report recipients.
Layout tab - Allows you to define the data (columns) to be retrieved from the database and the sort order for displaying the retrieved data.

In addition, the following tabs can be displayed by selecting the appropriate check box on the Searches tab of the Client Settings dialog:
SQL tab - Displays the SQL script used to create the selected search definition.
XML tab - Displays the XML representation of the search criteria.
* 
NOTE: To hide the Search Properties tabs, click the down arrow on the divider bar between the Searches List and Search Properties tabs. To show these tabs again, click the up arrow on the divider bar at the bottom of the screen.

Info tab

Use the Info tab to view or enter the name and description of a search definition. In addition, you can specify to add this search definition as a widget on the Overview page (Custom Views mode) or a Shared Overview.

Search Name
Displays the name of the selected search.
When creating a new search, place your cursor in this text box and enter a descriptive name for the search.
Search Description
Displays the description of the selected search.
To add a description to a new search, place your cursor in this text box and enter a brief description for the search.
Show as Widget
Select this check box to add this query as a widget on the widgets list on the Overview (Custom Views mode) and Shared Overviews pages.
Search Limit
This check box is checked by default and indicates the maximum number of records to be retrieved and displayed by the client. By default, the maximum of 50,000 records will be returned from the database during a single request. Use the arrow controls to change the search limit for the selected search.
 
* 
NOTE: Clearing this check box removes the search limitation returning the events generated over for the last year, which may increase both client memory and wait time if expected search results are over 100,000. Therefore, it is highly recommended that you leave this check box checked and use the defined search limit.

Who Tab

Use the Who tab to view or define the users, computers and/or groups to be included in (or excluded from) the search definition. When multiple ‘who’ criteria is specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate events, returning events for activity performed by any of the users, computers or groups listed.

* 
NOTE: You can add a Group to a search to find all events made by the members of that group. Change Auditor must expand and store the membership of the group before all expected events are returned when the search is executed. When the search is saved, Change Auditor will expand the Group if it has not already been expanded. This may take several minutes, depending on your environment.
* 
NOTE: Activity performed by any accounts specified in an Excluded Accounts template will not be captured for the agents to which this template is assigned. Thus, Change Auditor will not return any events for these excluded accounts even if you specify them in the ‘who’ search criteria.

The Who tab contains the following information/controls:

Runtime Prompt
Select this check box to prompt for the ‘who’ criteria when this search is executed. That is, when you select Run, the Add Users, Computers, or Groups dialog is displayed allowing you to locate and select the users, computers, or groups to search.
* 
NOTE: When this check box is checked, the Add tool bar button will be deactivated.
* 
NOTE: You can not enable alerting for search definitions that use the Runtime Prompt option.
Include Event Source Initiator
If you are running Active Roles Server or GPOADmin and want to include events generated by Active Roles or GPOADmin in the search, select this check box. Selecting this check box instructs Change Auditor to retrieve all events made by the specified user account, including those initiated by Active Roles and GPOADmin.
* 
NOTE: An additional column (Initiator UserName) is added to the Search Results grid to display the user account that initiated the change using Active Roles or GPOADmin.
For more information, see the Active Roles Server Integration and GPOADmin Integration appendices in the Change Auditor Installation Guide.
Exclude the Following Selection(s)
Select this check box to specify the users, computers or groups to be excluded from the search. That is, Change Auditor is to search on all users, groups and computers except those listed.
Who list
By default, all users, computers and groups will be included in a new search definition and therefore this list will be empty.
Once criteria is selected, the Who list box will contain the individual users, computers and/or groups to be included in the search (or excluded from the search if the Exclude the Following Selection(s) option is checked).
Add Users, Computers, or Groups dialog

Clicking Add on the Who tab displays the Add Users, Computers, or Groups dialog allowing you to select the user, computer or group to be included in a custom search. Use the tabbed pages on this dialog as described below.

Table 10. Add Users, Computers, or Groups dialog
Tabs
How to add criteria

Select User
To search for events generated by a specific directory object:
1
Use the Browse or Search page to search your environment to locate and select the user, computer or group to be included.
2
Click Add to add criteria to the selection list
3
Repeat to include each additional directory object
4
Click OK to save your selections and close the dialog.

Add Wildcard
To use a wildcard expression to specify a user or group:
1
Select the comparison operator to be used: Like or Not Like
2
In the text box, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters. For example, LIKE *admin* will find all users with the character string ‘admin’ anywhere in the name.
3
By default, the wildcard expression will be used to search for a user. To search for a group, select the Group option.
4
Click Add to add criteria to the selection list.
5
Click OK to save your selections and close the dialog

Add With Events
To search for events generated by a directory object that already has an event in the database:
1
Select one or more directory objects from the list.
2
Click Add button to add criteria to the selection list.
3
Click OK to save your selections and close the dialog.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen