Symantec Enterprise Vault FSA audit with Auditviewer.exe
Hi
I was looking for some assistance regarding auditing FSA events such as "search" and "view" for file system archiving. We are using Enterprise Vault v8 with SP2. The database and auditing have been successfully configured. I am viewing the data using the Symantec Auditviewer.exe utility. Can anyone confirm what all the non-obvious audit titles mean, i.e. archive, object id? I have enclosed a screenshot with details.
From the information we can see what keywords are being used for searches and by whom; however, it doesn't seem easy to identify files viewed and in what directory.
Can anyone give any other recommendation (preferably with documentation) on any other methods to access this information? I know the data is stored in SQL; however, short of doing basic queries, it's not much more helpful.
Any help would really be appreciated.
Thanks
Nick Thompson
Comments
So far, bad news only ;p the only way to do it is like you suggested. SQL is your friend...... once you have written the SQL queries don't forget to post em here.
www.quadrotech-it.com - All your EV Tools
Hi Wayne
Thanks for the quick response. That's not too great to hear. I guess I will be looking at a SQL course then. It's a bit poor that Symantec don't provide any easy means.
Anyone out there got any generic SQL scripts for pulling out SQL auditing details for file system archiving?
Regards
Nick
Nick,
Tell me what you want exactly and maybe PM me a sample of your audit log, and if I have some time I'll knock you up something.
--wayne
www.quadrotech-it.com - All your EV Tools
Hi Wayne
That's very good of you, any help if you can spare would be appreciated. I have enclosed a screenshot of the Auditviewer utility and a sample of the SQL table.
The audit viewer displays audit log information from the database, and although most of the field headings are obvious, I am not sure how to interpret "Object ID" or "Archive". I assume they are stored somewhere in SQL.
Although we can see what user ID has searched, when and what directory, it doesn't easily identify the document name directly. The audit database in SQL contains this information; however, it is even less readable, i.e. userID=1 refers to a specific A.D. account. This makes it difficult to export in a meaningful format for managers.
I have enclosed an Excel file with a sample export from SQL.
Essentially we are looking to perform ad hoc queries to identify the following.
Who has searched for a document and when, including the document path and name.
Who has opened a document and when, including the document path and name.
Who has searched for a document and when, including the document path and name.
Hopefully this makes sense.
Regards
Nick Thompson
I can't seem to find an option to attach a file with the sample audit log in Excel format.