Searching Audit Logs
Syntax help displayed in the UI for Audit Log tokens. A complete list of tokens for writing search queries is provided below. Click each token to learn more about it.
auditLogs.operation
Use a text value ##### to find audit logs for a certain operation (, , ).
Example
Show audit logs for edit operation
auditLogs.operation:edit
auditLogs.performed
Use a date range or specific date to define when operations were performed.
Examples
Show operations performed within certain dates
auditLogs.performed: [2018-01-01 ... 2018-01-10]
Show operations performed starting 2017-06-01, ending 3 months ago
auditLogs.performed: [2017-06-01 ... now-3M]
Show operations performed starting 2 weeks ago, ending 1 second ago
auditLogs.performed: [now-2w ... now-1s]
Show operations performed on a specific date
auditLogs.performed:'2018-01-22'
auditLogs.performedBy
Use values within quotes or backticks to help you find operations performed by a certain user.
Examples
Show any operations with this user name
auditLogs.performedBy: Administrator
Show any operations that contain components of the user name
auditLogs.performedBy: "Administrator"
Show any operations that match exact value
auditLogs.performedBy: `Administrator`
auditLogs.portalUsed
Use a text value ##### in quotes to find operations performed on a certain portal (Web Portal, Enrollment Portal).
Example
Show operations performed on the Web Portal
auditLogs.portalUsed:"Web Portal"
auditLogs.entity
Use a text value ##### in quotes to find operations performed on a certain entity.
Example
Show operations performed on users
auditLogs.entity:"User"
auditLogs.clientAddress
Use a text value ##### to find operations with a certain client IP address.
Example
Show operations performed on this client IP address
auditLogs.clientAddress:192.168.248.90
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Use a boolean query to express your query using AND logic.
Example
auditLogs.operation: edit and auditLogs.performedBy: "adminuser"
Find operations with this operation name and performed by this user.
Use a boolean query to express your query using NOT logic.
Example
not auditLogs.performedBy: "adminuser"
Show operations which are not performed by this user.
Use a boolean query to express your query using OR logic.
Example
auditLogs.operation: add or auditLogs.operation: edit
Show findings with one of these operations.
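Added example (not Qualys code): a small Python helper that assembles audit log queries from the tokens and operators above and rejects values that could break out of the quoting, which matters when a user name or IP address comes from a ticket or form. The function names are hypothetical; it assumes only the date units shown in the examples above (M, w, s) and that not applies to the single term that follows it.

```python
import re

# Token names documented on this page.
TOKENS = {"operation", "performed", "performedBy", "portalUsed", "entity", "clientAddress"}
# Date bounds as in the page's examples: YYYY-MM-DD or now-<n><unit>.
# Assumption: only the unit letters the page shows (M, w, s) are accepted.
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}|now-\d+[Mws])")
WRAP = {"plain": "{}", "contains": '"{}"', "exact": "`{}`"}


def term(token, value, match="plain", negate=False):
    """Build one term; match is plain (bare), contains (quotes) or exact (backticks)."""
    if token not in TOKENS:
        raise ValueError(f"unknown token: {token}")
    # Refuse characters that could close the quoting or open a range.
    if not value or re.search(r"[\"'`\[\]\r\n]", value):
        raise ValueError(f"unsafe value: {value!r}")
    # A bare value must be one word, so it cannot smuggle in and/or/not clauses.
    if match == "plain" and not re.fullmatch(r"[\w.:@-]+", value):
        raise ValueError(f"quote this value instead: {value!r}")
    text = f"auditLogs.{token}: {WRAP[match].format(value)}"
    # Assumption: `not` negates only the single term that follows it.
    return f"not {text}" if negate else text


def performed_between(start, end):
    """Build the auditLogs.performed range term: [start ... end]."""
    for bound in (start, end):
        if not DATE_RE.fullmatch(bound):
            raise ValueError(f"bad date bound: {bound!r}")
    return f"auditLogs.performed: [{start} ... {end}]"


def all_of(*terms):
    """Join terms with the `and` operator."""
    return " and ".join(terms)


def review_query(expected_admin):
    """Edits in the last two weeks made by anyone except expected_admin."""
    return all_of(
        term("operation", "edit"),
        term("performedBy", expected_admin, match="exact", negate=True),
        performed_between("now-2w", "now-1s"),
    )


if __name__ == "__main__":
    print(review_query("adminuser"))  # constructed user name
```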