Searching Audit Logs

This is the syntax help displayed in the UI for Audit Log tokens. A complete list of tokens for writing search queries is provided below, followed by the Boolean operators that combine them.

auditLogs.operation

Use a text value ##### to find audit logs for a certain operation (, , ).

Example

Show audit logs for the edit operation

auditLogs.operation:edit

auditLogs.performed

Use a date range or specific date to define when operations were performed.

Examples

Show operations performed within certain dates

auditLogs.performed: [2018-01-01 ... 2018-01-10]

Show operations performed starting 2017-06-01, ending 3 months ago

auditLogs.performed: [2017-06-01 ... now-3M]

Show operations performed starting 2 weeks ago, ending 1 second ago

auditLogs.performed: [now-2w ... now-1s]

Show operations performed on a specific date

auditLogs.performed:'2018-01-22'

auditLogs.performedBy

Use a value in quotes or backticks to find operations performed by a certain user. The quoting decides how the value is matched: a bare value matches the user name, double quotes match components of the name, and backticks require an exact match.

Examples

Show any operations with this user name

auditLogs.performedBy: Administrator

Show any operations that contain components of the user name

auditLogs.performedBy: "Administrator"

Show any operations that match the exact value

auditLogs.performedBy: `Administrator`

auditLogs.portalUsed

Use a text value ##### in quotes to find operations performed on a certain portal (Web Portal, Enrollment Portal).

Example

Show operations performed on the Web Portal

auditLogs.portalUsed:"Web Portal"

auditLogs.entity

Use a text value ##### in quotes to find operations performed on a certain entity.

Example

Show operations performed on users

auditLogs.entity:"User"

auditLogs.clientAddress

Use a text value ##### to find operations with a certain client IP address.

Example

Show operations performed from this client IP address

auditLogs.clientAddress:192.168.248.90


Supported Boolean Operators

The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.

and

Use a Boolean query to express your query using AND logic.

Example

auditLogs.operation: edit and auditLogs.performedBy: "adminuser"

Find operations with this operation name that were performed by this user.

not

Use a Boolean query to express your query using NOT logic.

Example

not auditLogs.performedBy: "adminuser"

Show operations that were not performed by this user.

or

Use a Boolean query to express your query using OR logic.

Example

auditLogs.operation: add or auditLogs.operation: edit

Show operations that match either of these operation names.
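The following is an added example, not Qualys code, showing how the token syntax and operators above can be assembled programmatically so that quoting (bare, double quotes, backticks) and date expressions are checked before a query is sent. It assumes relative dates accept the units s, m, h, d, w, M and y (only s, w and M appear on this page), and the account name `svc-automation` is a placeholder; grouping precedence between `and` and `or` is not described here, so the composed query uses only `and` and `not`.

```python
import re
from datetime import date

# Relative date units accepted here are an assumption; the page itself shows s, w and M.
_RELATIVE_DATE = re.compile(r"^now(?:-\d+[smhdwMy])?$")

def date_value(value):
    """Render a date, or a 'now-3M' style relative expression, for auditLogs.performed."""
    if isinstance(value, date):
        return value.isoformat()
    if isinstance(value, str) and _RELATIVE_DATE.match(value):
        return value
    raise ValueError(f"unsupported date expression: {value!r}")

def performed_between(start, end):
    """Range form: auditLogs.performed: [start ... end]."""
    return f"auditLogs.performed: [{date_value(start)} ... {date_value(end)}]"

def term(field, value, match="contains"):
    """Build one field token; the quoting selects the match mode:
    bare value = match the name, "..." = contain components, `...` = exact match."""
    delims = {"any": "", "contains": '"', "exact": "`"}
    if match not in delims:
        raise ValueError(f"unknown match mode: {match!r}")
    d = delims[match]
    if match == "any" and not re.fullmatch(r"[A-Za-z0-9._:-]+", value):
        raise ValueError("bare values may not contain spaces or quotes; use a quoted mode")
    if d and d in value:
        raise ValueError(f"value may not contain the {d} delimiter")
    return f"{field}: {d}{value}{d}"

def qql_and(*parts): return " and ".join(parts)
def qql_or(*parts): return " or ".join(parts)
def qql_not(part): return f"not {part}"

def recent_user_changes(exclude_user="svc-automation"):
    """Constructed review query: edits to User records made through the Web Portal in the
    last two weeks, excluding one known automation account (placeholder name)."""
    return qql_and(
        term("auditLogs.operation", "edit", "any"),
        term("auditLogs.entity", "User"),
        term("auditLogs.portalUsed", "Web Portal"),
        qql_not(term("auditLogs.performedBy", exclude_user, "exact")),
        performed_between("now-2w", "now-1s"),
    )
```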