16.1. Searching audit trails — the PSM connection database

PSM has a search interface for browsing the audit trails. This connection database also contains meta-information about connections and connection requests. Search queries can include only alphanumeric characters.

To access the search interface, navigate to Search > Search. Only users with the following privileges can access the Search page:

  • Members of groups who are configured as Authorizers with the Audit or Audit&Authorize permission set in the Access Control field of a connection policy. These users can access only the audit trails of the respective connections.

    For more information on configuring authorizers for a connection, see Procedure 18.3.1, Configuring four-eyes authorization.

  • Members of groups who have the Search privilege set.

    Assigning the Search privilege to a user on the AAA page automatically enables the Search in all connections privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the Access Control option of the particular connection policy.

    For more information on configuring user rights, see Section 5.7, Managing user rights and usergroups.

  • The admin user.
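
The three access rules above determine which audit trails each user can reach. The following sketch is an added example, not part of PSM or its documentation: it models those rules over a constructed configuration and lists users whose Search privilege exposes trails outside their Access Control scope. The data layout, the group, user and policy names, and the "Authorize" permission value are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Permission names taken from the page; all data below is constructed.
AUDIT_PERMISSIONS = {"Audit", "Audit&Authorize"}

@dataclass
class ConnectionPolicy:
    name: str
    access_control: dict = field(default_factory=dict)  # group -> permission

def visible_trails(user, groups, search_groups, policies):
    """Return (policy names whose audit trails the user can search, reason)."""
    everything = {p.name for p in policies}
    if user == "admin":
        return everything, "admin user"
    if groups & search_groups:
        # The Search privilege implies "Search in all connections".
        return everything, "Search privilege"
    scoped = {p.name for p in policies
              if any(perm in AUDIT_PERMISSIONS and grp in groups
                     for grp, perm in p.access_control.items())}
    return scoped, ("authorizer" if scoped else "no access")

def overbroad_users(users, search_groups, policies):
    """Map each non-admin user to trails reachable only via the Search privilege."""
    findings = {}
    for user, groups in users.items():
        if user == "admin":
            continue
        granted, _ = visible_trails(user, groups, search_groups, policies)
        scoped, _ = visible_trails(user, groups, set(), policies)
        if granted - scoped:
            findings[user] = sorted(granted - scoped)
    return findings

# Constructed sample configuration (hypothetical names).
POLICIES = [
    ConnectionPolicy("ssh-prod", {"prod-auditors": "Audit"}),
    ConnectionPolicy("rdp-finance", {"finance-auditors": "Audit&Authorize",
                                     "helpdesk": "Authorize"}),  # no audit right
    ConnectionPolicy("ssh-lab"),
]
USERS = {"admin": set(), "alice": {"prod-auditors"},
         "bob": {"finance-auditors", "reporting"}, "carol": {"helpdesk"}}
SEARCH_GROUPS = {"reporting"}

if __name__ == "__main__":
    for name, grps in USERS.items():
        print(name, *visible_trails(name, grps, SEARCH_GROUPS, POLICIES))
    print("review:", overbroad_users(USERS, SEARCH_GROUPS, POLICIES))
```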

Figure 16.1. Search > Search — Browse the connections database


Changing the time interval: 

The bars display the number of results in the selected interval. Use the zoom icons to zoom, and the arrows to display the previous or the next intervals. To explicitly select a date, select Jump to and set the date in the calendar. You can change the length of the displayed interval with the Scale option.

Hovering the mouse above a bar displays the number of entries and the start and end date of the period that the bar represents. Click a bar to display the entries of that period in the table. Use Shift+Click to select multiple bars.

Searching connections: 

Note

This feature is available only if auditing and content indexing were requested for the connection. For details, see Procedure 15.1, Configuring the internal indexer.

To search in the content of the indexed audit trails, enter your search keywords in the Screen content field, and click Filter. Search is case insensitive. You can use complex expressions and boolean operators. For more information, see Section 16.1.4, Using the content search.

Filtering search results: 

Connection metadata is displayed in customizable columns that you can filter for any parameter, or a combination of parameters. To filter the list of search results, enter the filter expression in the input field of the appropriate column, and press Enter, or click on an entry in the table.

For the description of the available columns, see Section 16.1.5, Connection metadata.

For information on using and saving filters, see Section 16.1.6, Using and managing search filters.

Note

When you use filters, the bars display the statistics of the filtered results.

Filtering also displays partial matches. Use the icons of the column's filter to perform an exact search or inverse filtering ("does not include"), or to clear the filters from the column.

To restore the original table, click Clear conditions.

Tip

Use the drop-down menu of the Protocol column to quickly filter the list for a single protocol.

Exporting the search results: 

To process the search results later with the Audit Player application, the search results can be exported in a special format. Select Export format > Audit Player, and click Export. When you open this file in the Audit Player application, AP will download the audit trails corresponding to the search results.

To export the search results as a comma-separated text file, select Export format > CSV, and click Export.

For instructions on displaying statistics about your search results, see Procedure 16.2, Displaying statistics on search results.

Viewing the details of a connection: 

To display the summary of a connection, click its details icon, or use the shortcuts to view the corresponding connection details (for example, Events). The summary is displayed in the connection details pop-up window. For more information, see Section 16.1.1, Connection details.

To download the audit trail of a session, click the icon in the Audit-trail column.