Applying search criteria
Use the query builder in the Activity Center to add and remove data from your activity audit log report to get the information you need.
By default, an activity audit log report includes all activity occurring within the last 24 hours. However, using the query tiles provided you can specify search criteria to retrieve specific information from the activity audit log. The search criteria available includes:
- Activity category (to narrow parameters and event details)
- Time frame
- User
- Asset
- Account
- Search keyword or value: For sessions, you can search by keyword or value.
To apply search criteria to the audit log
Activity Category and Time frame are required to generate a report. Other search criteria is optional and allows you to narrow the report to the exact parameters provided.
- From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
-
I would like to see defaults to All Activity. Click the tile to limit the report to a particular type of activity and select the activity category to be included in the report.
-
Occurring within the defaults to Last 24 Hours. To specify a different time frame, click the tile and select the time frame to be included in the report. If using the Custom option, specify the custom date and time range.
- Click the Add button to further filter results. The options to add are based on the selections you made and may include user, asset, or account. When you add filters, additional tiles display such as: involving the asset.
- If you select Add User, you can specify one user. A tile with the user displays.
- If you select Add Asset, you can select an asset. A new tile with the asset displays. When an account is specified, the Add Asset option is not available.
- If you select select Add Account, you can select the account. When an asset is specified, the Add Account option is not available.
-
To search session activity for a specific keyword or value.
- Change the activity category (I would like to see) to Session Specific Activity (or In-Session Activity).
- Click the Add button and select Add Search value.
-
In the Enter a Search Value dialog, enter the keyword or value (e.g., regedit) and click OK.
An additional tile appears listing the keyword or value specified. If you later change the activity category, the keyword tile will be dimmed indicating it will not be included in the query.
-
To remove or edit your selections, use the icons in the upper-right corner of a query tile:
-
Clear: Resets the value back to the default. Clear is only available for Activity category and Time frame.
- Delete: Removes search criteria tiles you added.
-
Edit: Displays the corresponding dialog allowing you to modify your selection. You can also click a query tile to edit your selection.
Saving search criteria
You can save the current search criteria defined to be used at a later time to generate an activity audit log report. You can save the current search criteria from the main Activity Center view (query builder page) or from the results view.
To save the current search criteria
- From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
- Specify the search criteria to be used to generate the desired report. For more information, see Applying search criteria.
- Click Save.
-
In the Save Search dialog, enter the following information:
- Name: Enter a name for the search.
- Description: Optionally, enter descriptive text to describe the search.
- Click OK.
-
To run a previously saved search, click Open.
-
Select a search from the list. (The criteria for the selected search is displayed in the right pane.)
-
Click Open.
The query tiles for the selected search appear in the Activity Center page, where you can then select Run to generate the report.
Related Topics
Editing or deleting a saved search or scheduled report
Generating an activity audit log report
To generate an activity audit log report
- From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
-
Use the query tiles to specify the content of the report. By default the audit log returns all activity occurring within the last 24 hours. For more information, see Applying search criteria.
-
Click Run.
The information displayed by default depends on the type of activity report generated. (You can change the columns displayed by selecting the Columns in the upper right of the window.)
For example, the "All Activity" report displays the following information for each event.
Actions once a report is generated
Once a report is generated, you can use the buttons above the grid as described below.
- Time frames: To rerun the report using a different time frame, select one of the following links, specify the time range, then click Run.
- Last 24 Hours (default)
- Last 7 Days
- Last 30 Days
- Last 60 Days
- Last 90 Days
-
Custom
- Workflow: Select an access request event and click Workflow to audit the transactions that occurred during the request's workflow from request to approval to review. For session requests, you can also replay a recorded session or live session from the Request Workflow dialog. For more information, see Replaying a session.
- Run: Select to generate the report using the specified time frame.
- Export: Right-click to select Export as CSV or Export as JSON to the location of your choice. Different information may be returned based on whether you select CSV or JSON. For example, JSON includes details of accounts discovered and CSV includes only the count of accounts. Once the report is exported, you can convert timestamps to local time, if necessary. For more information, see Converting time stamps.
- Schedule: Select to schedule the generation of the activity audit log report. For more information, see Scheduling an activity audit log report.
- Save: Select to save the current search criteria to reuse the search later. For more information, see Saving search criteria.
- Column: Select to display a list of columns that can be displayed in the grid. Select the check box for data to be included in the report. Clear the check box for data to be excluded from the report. The additional columns available depend on the type of activity included in the report.
Scheduling an activity audit log report
Safeguard for Privileged Passwords allows you to schedule the generation of an activity audit log report, which will then be sent via email. The emailed report will be an attachment in the selected .csv or .json format.
To schedule an activity audit log report
- From the Safeguard for Privileged Passwords desktop Home page, select Activity Center.
- Specify the search criteria to be used to generate the desired report. For more information, see Applying search criteria.
- Click Schedule.
- If the Configure Email dialog displays, click Configure Email to add your email in the My Account dialog. (The email server must be configured in Safeguard for emails to be sent.)
- In the Schedule Report dialog, enter the following information:
- Name: Enter a name for the report.
- Description: Optionally, enter descriptive text for the report.
-
Send To: Read-only field displaying the email address of the user currently logged into the Safeguard for Privileged Passwords client. This field is required. If this field is blank, you must set your email address in My Account. For more information, see User information and log out (desktop client).
- Select a Report Format, which can be CSV or JSON. Different information may be returned based on whether you select CSV or JSON. For example, JSON includes details of accounts discovered and CSV includes only the count of accounts.
-
To set the schedule, select Run Every to run the job per the run details you enter. (If you deselect Run Every, the schedule details are lost.)
-
Configure the following.
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
- Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
-
Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
-
Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.
-
Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
-
Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
-
Select Use Time Windows if you want to enter the Start and End time. You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
- Time Zone: Select the time zone.
- Click Schedule Report.