17 Replies Latest reply on Feb 20, 2012 1:02 PM by nicole pauls

    Report all user activity in LEM by username

    kal0el

      G'Day,

       

      I know once I run "TriGeo Reports", and the report is generated, I can use "Selection Expert" to pull out data on a specific username, but which report do I run in the first place in order to get everything LEM has for a given user?

      My manager wants all activity by a user ASAP.

      Thanx

      Stephen

        • Re: Report all user activity in LEM by username
          DanielleH

          Hi Stephen--

          Hopefully I am understanding your request correctly - are you asking for some kind of audit trail? 

          Thanks,
          DH

          • Re: Report all user activity in LEM by username
            phil3

            Hi, Stephen.

            Your best bet is to run an nDepth query for the user in the Console, and then export the results in either PDF or CSV format. See the following KB for more information:

            Export nDepth results in custom or text formats for retention and ad hoc reporting

            LEM/TriGeo Reports is set up to present reports by event type, not user; so if you wanted to do this solely by using Reports, you'd have to run and filter several reports to get what you need.

            Let me know if the nDepth option won't work for you.

            Thanks.

              • Re: Report all user activity in LEM by username
                kal0el

                Thanx, Phil, but I'm new at this. I've tried accessing "Auditable Events (All)", "UserLogon.SourceLogonID" & "UserLogon.DestinationLogonID", using wildcards around the username, and nothing comes up.

                Any ideas?

                  • Re: Report all user activity in LEM by username
                    phil3

                    What's your specific goal? If it's just to see everything related to a specific user, try this:

                    1. Open the LEM/SIM Console, and then log in as an administrator.
                    2. Click Explore, and then select nDepth. This should show you all of your alerts for the past 10 minutes.
                    3. In the Refine Fields list on the left, find the user you're interested in under User Name. If the user is not there, expand your search time frame.
                    4. Drag the username into the search bar.
                    5. Click Search (blue "play" button).
                    6. Expand the time frame of the search as necessary.
                    7. Follow the steps in the KB linked above to export the results.

                    Let me know if this doesn't meet your needs or if you have any questions.

                    Thanks.

                      • Re: Report all user activity in LEM by username
                        kal0el

                        We're making progress - thanx. However, it lists me out 100 usernames, and the one I'm looking for isn't there. Dragging a different username & trying to modify it doesn't work. How do I get it to list all the usernames, or just the one I want? BTW, I don't have the exact username, just part of it - I was going to use wildcards for the search.

                         

                        Update - actually when I dragged one up, it did so in a way for which I could not update the username in the condition. I just dragged a different username up, & it looks like any other condition now (i.e., I can edit it). I must have done something different. Please stand by ...

                          • Re: Report all user activity in LEM by username
                            kal0el

                            Hm - I have <blue_filter_icon> User Name = <pencil_icon> *kenneer*, but when I get the blue arrow back I still have 100 usernames. ??????

                              • Re: Report all user activity in LEM by username
                                phil3

                                That's odd. Two things to try:

                                1. Check Result Details (second icon from the right on the bottom toolbar), and see what's highlighted in those alerts. Only the values you searched for should be highlighted.
                                2. Modify the search so you're not using a leading wildcard character in the search value (pencil icon). nDepth doesn't do well with leading wildcard characters -- that's why the field (should have) turned yellow when you entered one.

                                • Re: Report all user activity in LEM by username
                                  kal0el

                                  OK - this is getting weird, or should I say stupid. I used kenneer without wildcards, and, no surprise, it said no matches. The weird thing is the username count is still 100.

                                    • Re: Report all user activity in LEM by username
                                      kal0el

                                      Phil,

                                      Well, there are over 333,000 pages of results, and the one I did check had no highlighted entries.

                                      Anything else I can try?

                                      Thanx

                                      Stephen

                                        • Re: Report all user activity in LEM by username
                                          phil3

                                          If you're not going to use wildcard characters, you have to put in the exact username. With that in mind, feel free to use trailing wildcard characters; just don't use leading wildcard characters.

                                          If you still can't get it to work, you might want to open a Support ticket.

                                            • Re: Report all user activity in LEM by username
                                              kal0el

                                              Thanx, Phil. I would, if our PO wasn't stuck in our purchasing department. I'll try the trailing wildcard. I doubt I'll reply to this thread any more. You've been a great help, but obviously LEM is not the right tool for user audit trails.

                                                • Re: Report all user activity in LEM by username
                                                  phil3

                                                  Have you been in touch with a Sales Engineer? They should be able to get on a GoTo Meeting with you to see what's happening. This functionality normally works perfectly, so if you're seeing something out of the ordinary, we definitely want to see it too so we can report the bug.

                                                  Thanks.

                                                    • Re: Report all user activity in LEM by username
                                                      kal0el

                                                      As I said, SolarWinds will not provide support until they get our PO. I'm basically dead in the water.

                                                        • Re: Report all user activity in LEM by username
                                                          MTorok

                                                          Stephen,

                                                          That is not actually the case. I've reached out to our sales engineering department. They will help you without your having purchased the product.

                                                          Please look for an email from them.

                                                          I apologize for not jumping on here sooner.

                                                          Please let me know if you do not hear from them.

                                                          Michael

                                                          • Re: Report all user activity in LEM by username
                                                            nicole pauls

                                                            Using the "User Name" field basically uses any field a user name could appear in, generically - whether that's Source Account, Destination Account, Logon ID, and various others. So, performing a "User Name" = "*beep*" account may match quite a few types of events and quite a few different fields, but that username should still be included.

                                                            You could try starting with just a text search for that username, which would find that string matched anywhere in your data. Use the "Text" type (or the box with the checkmark next to it that comes up by default) and type in your search item (username) there, like this:

                                                            Using a search for User Name = npauls also did work for me, but it sounds like you're having mixed results.

                                                            If you wanted to refine to only a certain alert type, you could do something like UserLogon.DestinationAccount = npauls, which will show when I've logged on. That might give some examples of what the data looks like.

                                                            Another approach would be to build a real-time filter in Monitor that gets close to what you want, then use "Send to nDepth" to search that over time.
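An added example, not part of the original posts and not SolarWinds code: when only part of a username is known and leading wildcards are unreliable, a broader result set exported to CSV can be filtered offline by substring across every account-type field, which also recovers the exact username for a follow-up search. The column names and sample rows are assumptions constructed for illustration; substitute the headers of your own export.

```python
import csv
import io
from collections import Counter

# Assumed column names; replace with the headers of your actual CSV export.
ACCOUNT_COLUMNS = ("SourceAccount", "DestinationAccount",
                   "SourceLogonID", "DestinationLogonID")

# Constructed sample rows standing in for an exported result set.
SAMPLE_CSV = """EventName,DetectionTime,SourceAccount,DestinationAccount,SourceLogonID,DestinationLogonID
UserLogon,2012-02-17 08:01:12,,akenneer01,,akenneer01
FileAudit,2012-02-17 08:14:40,AKenneer01,,,
UserLogon,2012-02-17 08:20:03,,npauls,,npauls
UserLogoff,2012-02-17 17:02:55,akenneer01,,akenneer01,
UserLogon,2012-02-17 09:00:00,,svc_backup,,svc_backup
"""

def user_activity(csv_text, fragment, columns=ACCOUNT_COLUMNS):
    """Rows where `fragment` occurs (case-insensitive substring) in any
    account column, paired with the names of the columns that matched."""
    needle = fragment.casefold()
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        matched = [c for c in columns
                   if needle in (row.get(c) or "").casefold()]
        if matched:
            hits.append((row, matched))
    return hits

def exact_usernames(hits):
    """Distinct full account values behind the matches, with the number of
    events each appears in, so the exact name can be searched afterwards."""
    counts = Counter()
    for row, matched in hits:
        for value in {row[c].casefold() for c in matched}:
            counts[value] += 1
    return counts

if __name__ == "__main__":
    hits = user_activity(SAMPLE_CSV, "kenneer")
    for row, matched in hits:
        print(row["DetectionTime"], row["EventName"], "matched in", matched)
    print(dict(exact_usernames(hits)))
```
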

                                                          • Re: Report all user activity in LEM by username
                                                            phil3

                                                            Alternately, if it's OK with you, please post a screenshot of the Search Builder (far right icon) and the search bar, along with the complete username you're searching for, and I'll see if I can come up with any other suggestions.

                                                            Thanks again.