
Symantec Enterprise Vault FSA audit with Auditviewer.exe

Hi

I was looking for some assistance regarding auditing FSA events such as "search" and "view" for file system archiving. We are using Enterprise Vault v8 with SP2. The database and auditing have been successfully configured. I am viewing the data using the Symantec Auditviewer.exe utility. Can anyone confirm what all the non-obvious audit titles mean, i.e. archive, object ID? I have enclosed a screenshot with details.

From the information we can see what keywords are being used for searches and by whom; however, it doesn't seem easy to identify files viewed and in what directory.

Can anyone give any other recommendation (preferably with documentation) on any other methods to access this information? I know the data is stored in SQL; however, short of doing basic queries, it's not much more helpful.

Any help would really be appreciated.

Thanks

Nick Thompson

4 Replies

So far, bad news only ;p the only way to do it is like you suggested. SQL is your friend...... once you have written the SQL queries don't forget to post em here.

Hi Wayne

Thanks for the quick response. That's not too great to hear. I guess I will be looking at a SQL course then. It's a bit poor that Symantec don't provide any easy means.


Anyone out there got any generic SQL scripts for pulling out SQL auditing details for file system archiving?

Regards

Nick

Accepted Solution!

Nick,

Tell me what you want exactly and maybe PM me a sample of your audit log, and if I have some time I'll knock you up something.

--wayne


Hi Wayne

That's very good of you, any help if you can spare would be appreciated. I have enclosed a screenshot of the Auditviewer utility and a sample of the SQL table.

The audit viewer displays audit log information from the database, and although most of the field headings are obvious, I am not sure how to interpret "Object ID" or "Archive". I assume they are stored somewhere in SQL.

Although we can see what user ID has searched, when and what directory, it doesn't easily identify the document name directly. The audit database in SQL contains this information; however, it is even less readable, i.e. userID=1 refers to a specific A.D account. This makes it difficult to export in a meaningful format for managers.

I have enclosed an Excel file with a sample export from SQL.

Essentially we are looking to perform ad hoc queries to identify the following.

Who has searched for a document and when, including the document path and name.
Who has opened a document and when, including the document path and name.
Who has searched for a document and when, including the document path and name.

Hopefully this makes sense.

Regards

Nick Thompson

AuditViewer2.JPG

I can't seem to find an option to attach a file with the sample audit log in Excel format.