Report Criteria section

The Report Criteria section of the Audit Trail report determines what the report will contain, what time frame it will cover, and how it will be run.

Search for text box

The Search for box accepts a free-form text entry. This limits the report to audit records that contain the specified term. The term can be any of the following:

  • User host IP address

  • Module IP address (for Enterprise NetProfiler modules)

  • User name

  • Details (any value that appears in the Details column of the report)

The Search for box requires only enough text to uniquely identify the term.

Time frame

You can specify the time frame of the report relative to the current time or as an absolute time interval.

Relative to the current time

  • Starting – Specify the most recent number of minutes, hours, days, weeks, months or years that the report is to cover, ending now. For example, if you specify the Starting value as 1 week ago, then the time frame of the report will start at this time last week and end now. If you specify 1 year ago, the time frame will start at this time on this date last year and end now.

  • Previous – Specify the most recently ended full minute, hour, day, week, month or year before the current minute, hour, day, week, month or year, respectively. For example, if the current time is 10:17 AM Wednesday and you specify the Previous value as 1 hour, then the time frame of the report will start at 9:00 AM and end at 10:00 AM today. If you specify the previous 1 week, the time frame will start at 12:00 AM Monday of last week and end at 12:00 AM Monday of this week. If you specify the previous year, then the time frame will start at 12:00 AM, January 1st of last year and end at 12:00 AM, January 1st of this year.
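The difference between Starting and Previous, worked through as an added example (not NetProfiler code). It assumes naive local timestamps, that a Previous value greater than 1 covers that many full units, and that month arithmetic clamps the day; the function names are hypothetical.

```python
import calendar
from datetime import datetime, timedelta

FIXED = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1),
         "day": timedelta(days=1), "week": timedelta(weeks=1)}

def shift_months(t, months):
    """Move t back by whole months, clamping the day (assumption: Feb 29 -> Feb 28)."""
    idx = t.year * 12 + (t.month - 1) - months
    year, month = divmod(idx, 12)
    month += 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

def back(t, n, unit):
    """Move t back by n units; months and years need calendar arithmetic."""
    if unit in FIXED:
        return t - n * FIXED[unit]
    return shift_months(t, n * (12 if unit == "year" else 1))

def floor_to(t, unit):
    """Start of the unit containing t; weeks start at 12:00 AM Monday, as on the page."""
    if unit == "minute":
        return t.replace(second=0, microsecond=0)
    if unit == "hour":
        return t.replace(minute=0, second=0, microsecond=0)
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "day":
        return midnight
    if unit == "week":
        return midnight - timedelta(days=t.weekday())
    if unit == "month":
        return midnight.replace(day=1)
    return midnight.replace(month=1, day=1)

def starting_window(now, n, unit):
    """'Starting n units ago': from the same moment n units back, ending now."""
    return back(now, n, unit), now

def previous_window(now, n, unit):
    """'Previous n units': the n most recently ended full units (n > 1 is an assumption)."""
    end = floor_to(now, unit)
    return back(end, n, unit), end
```

Note that a Previous window never includes the current, still-running unit, so activity from the last few minutes only appears in a Starting or absolute time frame.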

As an absolute time interval

From/To – Specify the time frame either by entering dates and times manually or by:

  • Clicking the date to display a calendar tool, then choosing a date from the calendar.

  • Clicking a time to display a list box of times, then choosing a time from the list.

The time frame starts at the "From" time and ends at the "To" time.

Additional Activity Criteria

This section further limits the report to activities or events caused by a user specified in the Username box and to types and subtypes of activities.

Username

The Username can be a web interface user account name or a shell account user name. Activities caused by the system itself (not originated by a user) are reported with the user name system.

Placing a user name in the Username box restricts the report to just those activities or events that the user caused. This is different from placing a user account name in the Search for box. For example, if you put the user name "jdoe" in the Search for box, the report could include the audit record of an administrator editing jdoe's user account profile. In that case the change was made by the administrator, but it will be reported because it involved jdoe.
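The two filters applied to the same records, as an added example (not NetProfiler code). The CSV column names, the sample rows, case-insensitive substring matching for Search for and exact matching for Username are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample in the shape of a CSV export; column names are assumptions.
SAMPLE_CSV = """time,username,user_host,activity_type,details
2024-05-15 09:02,admin,10.0.0.5,User Management,Edited account profile for jdoe
2024-05-15 09:10,jdoe,10.0.0.23,Authentication,Login succeeded
2024-05-15 09:12,system,,System,Pruned audit records older than 90 days
2024-05-15 09:30,jdoe,10.0.0.23,Reporting,Ran Audit Trail report
2024-05-15 09:41,admin,10.0.0.5,User Management,Reset password for jdoe
"""

# Columns the Search for term is compared against in this sketch.
SEARCHED_COLUMNS = ("username", "user_host", "details")

def load(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def search_for(records, term):
    """Search for box: keep records where the term appears in any searched column."""
    term = term.lower()
    return [r for r in records
            if any(term in r[c].lower() for c in SEARCHED_COLUMNS)]

def by_username(records, name):
    """Username box: keep only records whose actor is the named user."""
    return [r for r in records if r["username"] == name]

def acted_on_by_others(records, name):
    """Records that involve the user but were caused by a different account."""
    return [r for r in search_for(records, name) if r["username"] != name]
```

With the constructed rows, searching for "jdoe" returns four records while the Username filter returns two; the remaining two are the administrator's changes to jdoe's account, which is the set to review when checking who modified an account.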

Activity Type and Subtype

The Activity Type field limits the report to a major category of activity. The Subtype field limits the report to only a specific sub-category of activities within the selected Activity Type. By default, three System activity subtypes are disabled:

  • Encryption and Decryption

  • Hash Operation

  • Command Execution

These activity subtypes are considered to be the most chatty. When the FIPS Compatible Cryptography or Strict Security mode is enabled on the Administration > Appliance Security > Security Compliance page, logging of all activity types and subtypes is enabled. However, logging of these three subtypes can be switched off after the appliance has been booted in the FIPS Compatible Cryptography or Strict Security mode.

Activity type and subtype details

Run now

Click Run now to run the report and display the results as soon as they are available.

Run in background

Clicking Run in background opens a window for you to specify the title of the report and select options for saving and emailing the report. It then runs the report in the background. When the report is ready, it is saved and listed on the Reports > Saved Reports page.

If an email server has been specified on the Administration > General Settings page, you can enter a list of email addresses to which the report will be mailed. You can also enter a message to go into the email and specify if the report is to be attached as an HTML, PDF or Comma-Separated-Value file.

Audit Settings

This feature determines what types and subtypes of events are logged and for how long. Note that this affects all audit reports because activities that are not logged cannot be reported.

The default setting is to log all audit events for 90 days. To reduce the number of activities that are logged, select Log custom set of audit events and select the events that are to be logged.

When you click OK the settings are applied to future audit logging. Existing logs are not deleted until they reach the age specified in the Pruning Settings section.
