4 Replies Latest reply on Feb 18, 2014 8:07 PM by nicole pauls

    Search pattern for file audits on specific server not carried out by one of four accounts

    bkeeley

      Hi,

       

      As per the subject, I'm trying to create an nDepth search (which I will later turn into an alert), which searches a specific server for file audits which do not involve one of four accounts.

       

      I've tried under 'ALL'

       

      fileaudit.insertionip = server

      fileaudit.sourceaccount does not equal user1

      fileaudit.sourceaccount does not equal user2

      fileaudit.sourceaccount does not equal user3

      fileaudit.sourceaccount does not equal user4

       

      which hasn't worked.

       

      I've then tried under 'ALL'

       

      fileaudit.insertionip = server

       

      Subgroup under 'OR'

      fileaudit.sourceaccount does not equal user1

      fileaudit.sourceaccount does not equal user2

      fileaudit.sourceaccount does not equal user3

      fileaudit.sourceaccount does not equal user4

       

      This didn't work either - this doesn't seem much to ask of LEM.  Any pointers please?
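
The two condition trees from the post above, evaluated over constructed events as an added example (not part of the original post and not LEM's own code). It assumes 'ALL' means every condition must hold and 'OR' means any one may hold; the server address, the `user9` and `DOMAIN\user2` accounts, and the `evaluate`/`matches` helpers are hypothetical.

```python
# Added illustration: a tiny evaluator for nested ALL/OR condition groups.
# Assumption: ALL = every child true, OR = at least one child true.

SERVER = "10.0.0.5"  # constructed placeholder for the monitored server
ALLOWED = ["user1", "user2", "user3", "user4"]

# Constructed sample file-audit events (not real product output).
# How the product actually records account names is not stated on the page.
EVENTS = [
    {"fileaudit.insertionip": SERVER, "fileaudit.sourceaccount": "user1"},
    {"fileaudit.insertionip": SERVER, "fileaudit.sourceaccount": "user3"},
    {"fileaudit.insertionip": SERVER, "fileaudit.sourceaccount": "user9"},
    {"fileaudit.insertionip": "10.0.0.9", "fileaudit.sourceaccount": "user9"},
    {"fileaudit.insertionip": SERVER, "fileaudit.sourceaccount": "DOMAIN\\user2"},
]

def evaluate(node, event):
    """node is ("ALL"|"OR", [children]) or (field, "eq"|"ne", value)."""
    if node[0] in ("ALL", "OR"):
        results = [evaluate(child, event) for child in node[1]]
        return all(results) if node[0] == "ALL" else any(results)
    field, op, value = node
    equal = event.get(field) == value  # exact string comparison
    return equal if op == "eq" else not equal

def matches(tree):
    """Return the source accounts of the events the tree selects."""
    return [e["fileaudit.sourceaccount"] for e in EVENTS if evaluate(tree, e)]

server_is = ("fileaudit.insertionip", "eq", SERVER)
not_each = [("fileaudit.sourceaccount", "ne", u) for u in ALLOWED]

# First attempt in the post: everything under ALL.
first_attempt = ("ALL", [server_is] + not_each)
# Second attempt in the post: the not-equals moved into an OR subgroup.
second_attempt = ("ALL", [server_is, ("OR", not_each)])

if __name__ == "__main__":
    print("ALL of the not-equals:   ", matches(first_attempt))
    print("OR subgroup of not-equals:", matches(second_attempt))
```

Under these assumptions the OR subgroup is true for every account, because any value differs from at least one of the four names, so it filters nothing; the all-ALL form excludes only values that match a listed name exactly.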