SPS has a search interface for browsing the audit trails. The connection database also contains various meta-information about connections and connection requests. Search queries can include only alphanumeric characters.
To access the search interface, navigate to Search > Search. Only users with the following privileges can access the Search page:
Members of groups who are configured as Authorizers with the Audit or Audit&Authorize permission set in the Access Control field of a connection policy. These users can access only the audit trails of the respective connections.
For more information on configuring authorizers for a connection, see Configuring four-eyes authorization.
Members of groups who have the Search privilege set.
Assigning the Search privilege to a user on the AAA page automatically enables the Search in all connections privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the Access Control option of the particular connection policy.
For more information on configuring user rights, see User management and access control.
The admin user.
Figure 199: Search > Search — Browse the connections database
The bars display the number of results in the selected interval. Use the and icons to zoom, and the arrows to display the previous or the next intervals. To explicitly select a date, select Jump to and set the date in the calendar. You can change the length of the displayed interval with the Scale option.
Hovering the mouse above a bar displays the number of entries and the start and end date of the period that the bar represents. Click a bar to display the entries of that period in the table. Use Shift+Click to select multiple bars.
This feature is available only if auditing and content indexing were requested for the connection. For details, see Configuring the internal indexer.
To search in the content of the indexed audit trails, enter your search keywords in the Screen content field, and click Filter. The search is case-insensitive. You can use complex expressions and boolean operators. For more information, see Using the content search.
Connection metadata is displayed in customizable columns that you can filter for any parameter, or a combination of parameters. To filter the list of search results, enter the filter expression in the input field of the appropriate column, and press Enter, or click on an entry in the table.
For the description of the available columns, see Connection metadata.
For information on using and saving filters, see Using and managing search filters.
When you use filters, the bars display the statistics of the filtered results.
Filtering also displays partial matches. You can use the icon to perform an exact search, and the icon for inverse filtering ("does not include"). To clear filters from a column, click .
To restore the original table, click Clear conditions.
Use the drop-down menu of the Protocol column to quickly filter the list for a single protocol.
To export the search results as a comma-separated text file, select Export format > CSV, and click Export.
For instructions on displaying statistics about your search results, see Displaying statistics on search results.
To display the summary of a connection, click , or use the shortcuts to view the corresponding connection details (for example, Events). The summary is displayed in the connection details pop-up window. For more information, see Connection details.
To download the audit trail of a session, click the icon in the Audit-trail column.