
G'Day,
I know once I run "TriGeo Reports", and the report is generated, I can use "Selection Expert" to pull out data on a specific username, but which report do I run in the first place in order to get everything LEM has for a given user?
My manager wants all activity by a user ASAP.
Thanx
Stephen

Hi Stephen--
Hopefully I am understanding your request correctly - are you asking for some kind of audit trail?
Thanks,
DH

DH,
Yeah, pretty much.
Thanx
Stephen

Hi, Stephen.
Your best bet is to run an nDepth query for the user in the Console, and then export the results in either PDF or CSV format. See the following KB for more information:
Export nDepth results in custom or text formats for retention and ad hoc reporting
LEM/TriGeo Reports is set up to present reports by event type, not user; so if you wanted to do this solely by using Reports, you'd have to run and filter several reports to get what you need.
Let me know if the nDepth option won't work for you.
Thanks.

Thanx, Phil, but I'm new at this. I've tried accessing "Auditable Events (All)", "UserLogon.SourceLogonID" & "UserLogon.DestinationLogonID", using wildcards around the username, and nothing comes up.
Any ideas?

What's your specific goal? If it's just to see everything related to a specific user, try this:
Let me know if this doesn't meet your needs or if you have any questions.
Thanks.

We're making progress - thanx. However, it lists me out 100 usernames, and the one I'm looking for isn't there. Dragging a different username & trying to modify it doesn't work. How do I get it to list all the usernames, or just the one I want? BTW, I don't have the exact username, just part of it - I was going to use wildcards for the search.

Update - actually when I dragged one up, it did so in a way for which I could not update the username in the condition. I just dragged a different username up, & it looks like any other condition now (i.e., I can edit it). I must have done something different. Please stand by ...

Hm - I have <blue_filter_icon> User Name = <pencil_icon> *kenneer*, but when I get the blue arrow back I still have 100 usernames. ??????

That's odd. Two things to try:

OK - this is getting weird, or should I say stupid. I used kenneer without wildcards, and, no surprise, it said no matches. The weird thing is the username count is still 100.

Phil,
Well, there are over 333,000 pages of results, and the one I did check had no highlighted entries.
Anything else I can try?
Thanx
Stephen

If you're not going to use wildcard characters, you have to put in the exact username. With that in mind, feel free to use trailing wildcard characters; just don't use leading wildcard characters.
If you still can't get it to work, you might want to open a Support ticket.

Thanx, Phil. I would, if our PO wasn't stuck in our purchasing department. I'll try the trailing wildcard. I doubt I'll reply to this thread any more. You've been a great help, but obviously LEM is not the right tool for user audit trails.

Have you been in touch with a Sales Engineer? They should be able to get on a GoTo Meeting with you to see what's happening. This functionality normally works perfectly, so if you're seeing something out of the ordinary, we definitely want to see it too so we can report the bug.
Thanks.

As I said, SolarWinds will not provide support until they get our PO. I'm basically dead in the water.

Stephen,
That is not actually the case. I've reached out to our sales engineering department. They will help you without your having purchased the product.
Please look for an email from them.
I apologize for not jumping on here sooner.
Please let me know if you do not hear from them.
Michael

Using the "User Name" field basically uses any field a user name could appear in, generically - whether that's Source Account, Destination Account, Logon ID, and various others. So, performing a "User Name" = "*beep*" account may match quite a few types of events and quite a few different fields, but that username should still be included.
You could try starting with just a text search for that username, which would find that string matched anywhere in your data. Use the "Text" type (or the box with the checkmark next to it that comes up by default) and type in your search item (username) there, like this:
Using a search for User Name = npauls also did work for me, but it sounds like you're having mixed results.
If you wanted to refine to only a certain alert type, you could do something like UserLogon.DestinationAccount = npauls, which will show when I've logged on. That might give some examples of what the data looks like.
Another approach would be to build a real-time filter in Monitor that gets close to what you want, then use "Send to nDepth" to search that over time.
Alternately, if it's OK with you, please post a screenshot of the Search Builder (far right icon) and the search bar, along with the complete username you're searching for, and I'll see if I can come up with any other suggestions.
Thanks again.