Using Audit Analysis
Audit analysis works directly with audit events stored in the DirX Audit Database as opposed to the Dashboard’s display of aggregated OLAP data cubes. This chapter describes the features of the Audit analysis page and how to:
- Filter and search for audit events
- Manage audit event filters
- View the search results table returned by Audit analysis
- Use the page navigator to page through multi-paged search results
- View additional audit event details from the search results page
- Export the search results table to an external file for reporting purposes
- Send the search results table as an e-mail attachment
- Schedule the generation of a search results report
About the Audit Analysis Main Page
The Audit analysis main page layout is shown in the following figure.
As shown in the figure, the Audit analysis page is composed of three elements:
- A filter definition area that allows you to define the criteria to be used to search for and retrieve audit events and run search and export operations. The section "Filtering Audit Events" describes how to use this part of the page.
- A search results display area that displays information in table format about the audit events returned by a search operation. The section "Viewing the Search Results" explains how to use this part of the page.
- A page navigator above and below the search results display that allows you to navigate through multi-page results. The section "Using the Page Navigator" describes how to use this tool.
Filtering Audit Events
The filter definition area provides fields for specifying search conditions for retrieving audit events from the DirX Audit Database. The fields in the filter definition area allow you to search for audit events according to their attributes. As shown in the figure, the filter definition area contains the attributes described below. To prevent filter criteria from being applied to an attribute, leave it empty.
- When - filters the audit events according to a relative or an absolute time period; for example, within the previous year (Previous Year), within the previous month (Previous Month), within the current month (Month to date) and so on. Selecting Any time means that a time period is not used as a filter. Selecting Custom Time allows you to set a specific start and end date in the From and To fields.
- From and To - filters the audit events according to an absolute time period defined by a start and end date. Not visible if Any time is selected in the When field.
- Source - filters the audit events according to the audit producer; for example, DirX Identity. If you are interested in events from all producers, select Any Source or leave the field empty.
- Who - filters the audit events according to the user who initiated the operation.
- What - filters the audit events according to the name of an object associated with the event; for example, users, accounts, roles, and so on.
- Type - filters the audit events according to the operation type associated with the event; that is, how the operation was initiated (manually, on event, on schedule, on request, and so on).
- Operation - filters the audit events according to the operation associated with the event; for example, Set Password, Add Assignment, Request Object Update, Add Object, Delete Object and so on.
- What Type - filters the audit events according to the object type associated with the event; for example, user, account, account-to-group (memberships), and so on.
- What Detail - filters the audit events according to a specific detail of an operation on an object type; for example, a specific user account or target system in a search for update operations made to accounts. A database full-text index is defined for this field. It searches the DirX Audit Database for all audit events whose What Detail information contains the word specified in the What Detail field.
The Advanced Search section contains two additional filter fields:
- Property - filters the audit events according to a specific audit message or audit event dimension.
- Value - filters the audit events according to the value of the dimension specified in Property.
For the Source, Type, Operation and What Type filter fields, you can choose between two component types used for value presentation: the Selection list component or the Autocomplete component. The component type is selected automatically according to the configuration. You can change the component manually by clicking the icon for the Selection list component or the Autocomplete component next to the field, or you can switch the component for all defined fields at once by clicking the Suggestions checkbox.
When the Autocomplete component is used, as you start entering a value into a filter field, DirX Audit Manager Classic searches the database and returns a list of matching attribute values, from which you can simply select one.
If the Selection list component is used, you can select one of the preselected available values from the list. Values are loaded directly from the database, cached by DirX Audit Manager Classic and periodically refreshed. You can manually refresh the values by clicking Reload to be sure that you are working with current data. For more details on customization, see the section “Customizing Audit Analysis” in the DirX Audit Customization Guide.
Filter conditions use a "Starts with" comparison operator. For example, entering Account into the What Type field returns events associated with both account and account-to-group memberships. You can also use the SQL wildcard character % in field input if you have not enabled full-text search in the configuration and have no full-text index in the DirX Audit Database; for example, specifying %B%der in the What Detail field returns all events associated with person names like Binder or Bader.
If you have enabled full-text search in the configuration, you can search the What Detail field for any complete word appearing anywhere in the stored string. The percent wildcard (%) does not work with full-text search; however, if you are using the Microsoft SQL Server database, you can complete the searched phrase with an asterisk wildcard (*). Remember that only complete words match when full-text search is enabled.
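The three matching behaviours described above (the implicit "Starts with" prefix, the % wildcard when full-text search is disabled, and complete-word matching when it is enabled) can be emulated over a few constructed audit records to see which events each filter value returns. This is an added example, not DirX code; the sample events, the case-insensitive comparison and the word tokenization rule are assumptions.

```python
import re

# Constructed sample audit events (not DirX data); only the two filter fields used here.
EVENTS = [
    {"what_type": "account",          "what_detail": "Binder Anna account in SAP"},
    {"what_type": "account-to-group", "what_detail": "Bader Karl added to group Sales"},
    {"what_type": "user",             "what_detail": "Costello Marcella approved Trainer"},
    {"what_type": "role",             "what_detail": "Trainer assigned to Nowacek Norbertt"},
]

def sql_like(value: str, pattern: str) -> bool:
    """Emulate SQL LIKE with the % wildcard; case-insensitive matching is an assumption."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def starts_with_filter(value: str, text: str) -> bool:
    """The 'Starts with' operator: an implicit trailing %, so 'Account' also hits 'account-to-group'.
    A % typed by the user is kept, so '%B%der' matches anywhere in the value."""
    return sql_like(value, text + "%")

def fulltext_filter(value: str, text: str) -> bool:
    """Full-text mode: only complete words match and % is just a literal character.
    A trailing * (Microsoft SQL Server) turns the term into a word-prefix match."""
    words = re.findall(r"\w+", value.lower())   # tokenization rule is an assumption
    term = text.lower()
    if term.endswith("*"):
        return any(w.startswith(term[:-1]) for w in words)
    return term in words

def filter_events(events, what_type="", what_detail="", fulltext=False):
    """Apply the What Type and What Detail filters; an empty field imposes no condition.
    Returns the What Detail text of every matching event, in stored order."""
    detail_match = fulltext_filter if fulltext else starts_with_filter
    hits = []
    for ev in events:
        if what_type and not starts_with_filter(ev["what_type"], what_type):
            continue
        if what_detail and not detail_match(ev["what_detail"], what_detail):
            continue
        hits.append(ev["what_detail"])
    return hits

if __name__ == "__main__":
    print(filter_events(EVENTS, what_type="Account"))                 # account and account-to-group
    print(filter_events(EVENTS, what_detail="%B%der"))                # Binder and Bader
    print(filter_events(EVENTS, what_detail="%B%der", fulltext=True)) # nothing: % is literal
    print(filter_events(EVENTS, what_detail="Bind*", fulltext=True))  # Binder via SQL Server *
```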
To run the search, click Search. DirX Audit Manager Classic populates the search results area with the audit events retrieved according to your search criteria; for more information on how to use this table, see "Viewing the Search Results".
Click Clear to clear all filter values.
Click Report if you want to write the search results to a file; for more information, see "Exporting Audit Event Data".
Managing Audit Event Filters
You can name and save your filters into the configuration database for future use. Later, you can simply select a stored filter from a list and use it without the need to define it all over again.
Click Save As … to save a new filter under a specified name. You can also provide a description and set the visibility: check the Public option for a public filter, or leave it unchecked for a private filter. This action is only visible to users with the Audit Administrator role.
Click Save to update an existing filter.
You can select an existing filter from a list and then click Search to receive results.
To clear all values in the selected filter, click Clear.
Click Manage Filters to show all available filters organized in the Private and Public tabs.
Viewing the Search Results
The search results display area displays information in table format about the audit events returned by a search operation. In a search results table returned on a search:
- The page navigator is displayed at the top and bottom of the search results area. See the section "Using the Page Navigator" for details.
- Each row represents one audit event returned from the DirX Audit Database according to the search criteria specified in the filter definition area.
- Each column represents an attribute of an audit event. You can use the sort controls on a column to sort the column’s entries in ascending or descending order.
- The event details icon in the last column on the right allows you to display additional information about the audit event in a separate window. See the section "Viewing Audit Event Details" for more information.
- The related events icon in the last column on the right allows you to display a list of other events that correlate to a selected audit event. See the section "Viewing Related Audit Events" for more information.
Note that if this audit message data has been purged from the DirX Audit Database, you may not see all additional information or the original message related to the audit event in the Event Details window. You also may not see a complete list of related audit events that correlate with the selected audit event if the complete audit messages, including message additions and the original message, have been purged from the DirX Audit Database.
Using the Page Navigator
The page navigator is displayed above and below the search results display area and contains the following items:
- Information about the number of items found.
- Buttons for moving between pages: display the first page, display the last page, perform a fast forward step, perform a fast rewind step, display the next page and display the previous page.
- A drop-down menu Items per page in the upper navigator for changing the maximum number of items displayed per page.
Viewing Audit Event Details
The results table in Audit analysis displays only a subset of the available audit data. To view all the information, click the event details icon in the last column on the right for the audit event. The following figure shows an example.
As shown in the example:
- The Audit Event bar provides a summary of the audit event and the tags that are attached to it.
In this example, the operation is an approval of the assignment of a role Trainer to a user Nowacek Norbertt by the manager of the role ("Privilege Manager", who is the user Costello Marcella) that was generated by a DirX Identity approval workflow activity. The zero suffix in "Activity='Approval by Privilege Managers'-0" indicates that Marcella Costello is the first approver calculated in an approval process. Activity names with incremental suffixes (for example, 1, 2, 3) indicate approvers in an approval escalation path. If there are, for example, several role assignments or several membership changes in a What element that represents a group or an account, the summary describes just one of the role assignments or the account-group memberships. A tag for this event is ACCEPT; in this example, the value ACCEPT_REJECT tells us that the request was rejected.
- The Detail: section in the Audit Event bar provides a table that lists the attribute changes. Generally, it formats the “Detail(s)” section of a “What” object in the Audit Event Detail view. The table contains an Attribute column and Previous and/or Current columns depending on the type of operation. The Attribute column specifies the names of the changed attributes and the other columns define the previous and/or current value of the attributes. The Detail section is collapsible using the triangle icon on the right. For better readability, the section with the table is expanded by default. If the configured maximum number of attributes is exceeded, the section is automatically collapsed. For more details on customizing the maximum value, see the section “Customizing Audit Analysis” in the DirX Audit Customization Guide.
- The Identification bar provides more information about the operation, such as when it occurred, its type, the UID of the audit message and the message that caused it, the operation category, and whether or not the operation was successful. It also shows the tags that are attached to the audit message; in this example, it is the tag ACTIVITY with the name of the activity within the approval workflow. See the chapter in the DirX Audit Administration Guide that describes the database schema for details.
- The Where From bar identifies the application or component within the producing product suite that generated the audit event (the DirX Identity workflow service, in this example), its address and an optional list of other associated properties.
- The Who bar identifies, for this example, the approver of the assignment (Marcella Costello, who is the privilege manager for the Trainer role). The Extensions area shows the list of identifying attributes of the user (label and value).
- Each What bar identifies an object that participated in the operation. In this example, they identify the user who was assigned the Trainer role (Nowacek Norbertt), the user-to-role assignment and the workflow instance that generated the activity. The Extensions area shows the list of identifying attributes for the What object, and the Detail(s) area shows the list of modified attributes: modify operation, attribute name and value.
- The Original Message bar contains the original message delivered from the audit source.
- The Context Event bar provides a summary of related audit events. It contains information on the causing event and who requested and approved the operation.
The Audit Event and Context Event bars are expanded by default. Click on the bars to show and hide the details.
The event details also contain history entry links, which you can use to access the related history entry and view its details. These links are highlighted in blue. In the following example, Costello Marcella and Nowacek Norbertt represent links to history entries.
Note that if this audit message data has been purged from the DirX Audit Database, you may not see all additional information or the original message related to the audit event in the Event Details window.
Viewing Related Audit Events
To view the other audit events that are related to a selected event, click the related events icon. DirX Audit Manager Classic searches for all audit events that are related to the selected event and presents them in a new page, as shown in the following example:
Related audit events include the parent (or causing) events, the child events, the sibling events (children of the same parent) and all other indirectly related events. They are presented in the same way as in the Audit analysis results table. Click the event details icon to view additional information about the selected audit event. To return to the previous result list, click Back at the top right of the page.
Note that you may not see a complete list of related audit events that correlate with the selected audit event if the complete audit messages, including message additions and the original message, have been purged from the DirX Audit Database.
Exporting Audit Event Data
To export the audit event data presented in a search result table to a report-formatted file, click Report in the filter definition area. The DirX Audit Manager Classic displays the Report Events dialog that allows you to set the output format for the file as follows:
- Template - selects the report template to be used for the file. DirX Audit Manager Classic converts the information in the search result table to the format specified in this field. Report templates are stored in the folder install_path/conf/defaults/reports.
- Format - selects the file format to be used; for example, PDF, CSV, Microsoft Word formats (DOCX, RTF), and so on.
- Encoding - selects the type of character encoding to be used; for example, UTF-8, Big5, EUC-JP, and so on.
- Rows - the number of rows presented in a search result table used for the exported report. For a 0 value, all audit event data presented in a search result table are exported.
Click Export to continue the export procedure or click Cancel to dismiss it.
When you click Export, the Internet browser running the DirX Audit Manager Classic may display a dialog that prompts you to open the report file, save it, or cancel the operation.
Sending Search Results in E-mail
To send the audit event data as a report attached to an e-mail message, click Report in the filter definition area. The DirX Audit Manager Classic displays a dialog that allows you to set the output format for the file. See the section “Exporting Audit Event Data” for information on the settings in this dialog.
Click Send to continue the procedure or click Cancel to dismiss it.
When you click Send, a new dialog opens. Provide data for the To, Cc, Bcc, Subject and Body e-mail message fields. Click OK to send the message.
Scheduling Search Result Report Generation
To schedule a report generation, select a filter from a filter list (see "Managing Audit Event Filters"), and then click Report in the filter definition area. DirX Audit Manager Classic displays a dialog that allows you to set the output format for the file. See “Exporting Audit Event Data” for information on how to make the settings.
If you want to schedule report generation for audit event data searched without using an existing filter, you must first use Save As to save your settings as a new filter.
Click Schedule to continue the procedure or click Cancel to dismiss it.
When you click Schedule, the Add a new report to a report set dialog opens, where you can add a report to an existing report set or create a new one. For more information about how to configure reports and report sets, see the section "Using the Reports View".