The Info tab contains the following information and controls:
When this option is checked, an extra field, Next Refresh, is added to the heading area of the Search Results grid.
1. Place your cursor in the Search Name text box and enter a descriptive name for the search.
2. Place your cursor in the Search Description text box and enter a brief description of the search.
The Search Limit field specifies the maximum number of records to retrieve and display for the selected search. By default, a maximum of 50,000 records are returned from the database during a single request.
1. To restrict the search results to a specific number of records, ensure that the Search Limit check box is checked.
The Refresh Interval field specifies how often to retrieve and redisplay updated information.
1. Select the Refresh Interval check box to enable this feature and activate the field to its right.
The Who tab contains the following information and controls:
Select this check box to prompt for the ‘who’ criteria when this search runs. That is, when you select Run, the Select Active Directory Object dialog is displayed, allowing you to locate and select the users, computers, or groups to search.
Contains the individual users, computers and groups to include in the search (or exclude from the search if the Exclude the Following Selection(s) option is checked).
1. On the Who tab, click Add to add an active user, computer, or group to the ‘who’ list.
3. Click Add to add it to your selection list.
4. After selecting one or more directory objects, click Select to save your selection and close the dialog.
NOTE: You can use Add with Events (instead of Add) to select a user, computer, or group that already has an audit event associated with it in the database. The accounts available for selection are based on the ‘when’ clause (When tab) and the search limit (Info tab) specified for the current search.
Use this to search for events that are tied to users who have been removed from Active Directory.
TIP: If you are running Active Roles or GPOADmin and want to include events generated by Active Roles or GPOADmin in the search, select the Include Event Source Initiator check box. For more information, see the Active Roles Integration or GPOADmin Integration sections in the Change Auditor Installation Guide.
1.
NOTE: When using the Group option, the Group Membership Expansion option on the Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all groups.
3. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘who’ list.
1.
NOTE: You can use the Add with Events | Event Class command (instead of Add | Event Class) to select an entity that already has an event in the database.
2. On the Add Facilities or Event Classes dialog, select a single event, click Add, and select Add This Event or Add All Events in Facility.
4.
• If the event has not been added to the Selections list box, click Add to add the event to the selection list.
• If the event was previously added to the Selections list box, click Update Restriction to update the restrictions for the event.
NOTE: You can also use the Shift and Ctrl keys to add multiple event classes to the selection list. However, the restrictions pane and the Add | Add All Events in Facility command are not available when multiple event classes are selected.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all event classes and facilities except those listed in the ‘what’ list.
1.
NOTE: You can use the Add with Events | Subsystem | Local Account command (instead of Add | Subsystem | Local Account) to select an entity that already has an event in the database.
• All Objects - select this option to include all objects
• This Object - select this option to include individual objects
3. If you selected This Object, the data grid, which displays a list of all the users and groups in the local SAM databases on the selected Member Server, and associated buttons are enabled.
4. To add an account, select the account in the data grid and click Add to add it to the selection list at the bottom of the dialog. Repeat to add more accounts.
5. To replace an account in the selection list, select the ‘new’ account in the data grid, select the ‘old’ account in the selection list and click Update. The entry in the selection list is replaced with the ‘new’ account.
6. To select a local account on a different computer, click Browse to the right of the Account field. On the Select Active Directory Object dialog, use the Browse or Search pages to locate and select another computer.
7. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events generated by all local accounts except those listed in the ‘what’ list.
NOTE: Registry auditing is only available when you have applied custom Registry Auditing templates that define the registry changes to be audited. See Registry Auditing for more information about capturing registry events.
1.
NOTE: You can use Add with Events | Subsystem | Registry (instead of Add | Subsystem | Registry) to select an entity that already has an event in the database.
• All Registry Keys — include all registry keys
• This Object — include only the selected objects
• This Object and Child Objects Only — include the selected objects and their direct child objects
• This Object and All Child Objects — include the selected objects and all subordinate objects (in all levels)
3. By default, All Actions is selected, meaning that all the registry actions listed are included in the search definition. However, you can clear the All Actions option and select individual actions for auditing.
• All Actions — include all the actions. When this option is selected, all the other options are disabled. (Default)
• Add Value — include when a new value is added to the selected registry key.
• Delete Value — include when a registry key value is removed.
• Modify Value — include when a registry key value is modified.
• Add Key — include when a new registry key is added.
• Delete Key — include when a registry key is removed.
4. When a scope option other than All Registry Keys is selected, the registry key hierarchy is enabled, allowing you to locate and select an individual registry key.
NOTE: If you selected Add With Events, the registry key hierarchy pane is replaced with a data grid listing the registry keys that have an event associated with them in the database.
5. To replace a registry key in the selection list, select the ‘new’ registry key in the hierarchy, select the ‘old’ key in the selection list and click Update. The entry in the selection list is replaced with the ‘new’ registry key.
6. To select a registry key on a different computer, click Browse to the right of the Path field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer.
7. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events in all registry keys except those listed in the ‘what’ list.
NOTE: Service auditing is only available when you have applied custom Service Auditing templates that define the services to audit. See Service Auditing for more information about capturing service events.
1.
NOTE: You can use Add with Events | Subsystem | Service (instead of Add | Subsystem | Service) to select an entity that already has an event in the database.
2. On the Add Service dialog, select one or more services from the list at the top of the dialog and click Add to move them to the selection list box at the bottom of the page.
3. To select services on a different computer, click Browse to the right of the You are viewing services on field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer.
4. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events for all services except those listed in the ‘what’ list.
1.
NOTE: You can use Add with Events | Severity (instead of Add | Severity) to select a severity that already has an event associated with it in the database.
2. On the Add Severities dialog, select one or more severity levels and click Add to add them to the selection list box at the bottom of the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all events except those assigned a severity level that is listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a severity every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.
1.
NOTE: You can use Add with Events | Result (instead of Add | Result) to select an entity that already has an event associated with it in the database.
2. On the Add Results dialog, select one or more results (none, success, protected or failed) and use Add to add them to the selected list box at the bottom of the dialog.
NOTE: Select the Exclude The Above Selection(s) check box if you want to search for all events except those with the selected result.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a result every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.
The Where tab contains the following information and controls:
Select this check box to prompt for the ‘where’ criteria whenever the search is run. That is, when Run is selected, the Select Active Directory Objects dialog is displayed, allowing you to locate and select the agents, domains, or sites to include in the search definition.
By default, all agents are included in a new search and therefore this list box is initially empty. Once criteria are selected, this list box contains the agents, domains, sites, and server type (if specified) to include in the search (or exclude from the search if the Exclude the Following Selection(s) option is checked).
1.
3. Click Add to add your selection to the selection list box at the bottom of the page.
NOTE: You can use Add With Events (instead of Add) to select an agent, domain, or site which already has an event associated with it in the database.
1.
3. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘where’ list.
1.
3. Click OK to close the dialog and add the server type to the ‘Where’ list.