For Cisco Firepower Management Center 4000
56-9
FireSIGHT System User Guide
Chapter 56 Auditing the System
Managing Audit Records
For more information on searching, including how to load and delete saved searches, see
To search for audit records:
Access: Admin
Step 1 Select Analysis > Search.
The Search page appears.
Step 2 From the Table drop-down list, select Audit Log Events.
The Audit Log search page appears.
Tip: To search the database for a different kind of event, select it from the Table drop-down list.
Step 3 Optionally, if you want to save the search, enter a name for the search in the Name field.
If you do not enter a name, one is created automatically when you save the search.
Step 4 Enter your search criteria in the appropriate fields, as described in the table.
If you enter multiple criteria, the search returns only the records that match all the criteria.
Step 5 If you want to save the search so that other users can access it, clear the Save As Private check box.
Otherwise, leave the check box selected to save the search as private.
Tip: If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 6 You have the following options:
• Click Search to start the search.
Your search results appear in the default audit log workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see .
Table 56-5 Audit Record Search Criteria (continued)

| Search Field | Description | Example |
| --- | --- | --- |
| Time | Specify the date and time the audit record was generated. See for the syntax for entering time. | > 2006-01-15 13:30:00 returns all audit records generated after January 15, 2006 at 1:30 PM. |
| Source IP | Enter the IP address of the host that you want to view audit records for. Note: You must type a specific IP address. You cannot use IP ranges when searching audit logs. | 172.16.1.37 returns all audit records generated by a user from the 172.16.1.37 IP address. |
| Configuration Change | Specify whether or not you want to view audit records of configuration changes. | yes returns audit records of configuration changes. |