View the Online Audit Data

The ActivID Management Console reporting feature can be used to analyze server activity based on audit data.

Note:
  • Online reporting relies on the internal ActivID Appliance audit database (FTRESSAUDITLOG) and it is recommended that you store one month’s history of audit data. This retention period should be adjusted according to the number of events that are generated on a daily basis. For further information, see Define the Online Audit Window.
  • In a production environment, the audit log typically is archived on a regular basis. Therefore, the online data view might display only recent audit log records that have not yet been archived.

Search the Audit Log

Prerequisites:  
  • To view and search audit logs, you must have the following permissions:
    • Read audit log.
    • Read reference data.
  • To view audit logs from an external source, you must also have the privilege to create an external audit.

Use the Audit Report Search page to launch a query against the audit log. The query must be filtered by a date/time range. In addition, you can specify any combination of additional search criteria.

  1. Log on to the ActivID Management Console as an administrator, and select the Reporting tab.

  2. Define the search Period by days, hours or a specific time range.

  3. Select the Audit Log Source.

  4. Select the Channel.

  5. Optionally, enter the following filters:

    • Direct User Code of the operator or system executing the function.
    • Indirect User Code of the user on whom the function was executed.
    • Device Serial Number to retrieve audit records only for the device.

    Note: Leave these fields blank if you do not want to use the filters. You can use a wild card character (*).

  6. Select the Action.

  7. Select the Authentication Policy from the drop-down list. This list is populated with all authentication policies specified in the system.

  8. Optionally, specify the Action Response:

    • If you are searching for administration activities, then select Any (the default).
    • If you are searching for authentication requests, select either Success or Failure.

  9. Enter the Correlation ID to filter on the correlation identifier of the process that is audited from the remote system.

    Note: Leave this field blank if you do not want to use this filter.

  10. To verify the signature and sequencing of audit records returned by the search, select Verify Audit Log.

  11. Click Search.

    The Audit Log search results page appears with the specified section of the audit log displayed.

    You can browse through the returned list of records. If your search returns more than the maximum number of records, ActivID Appliance lists only the first records found up to the maximum.

    Note: The SEARCH_LIMIT_AUDIT property defines the maximum number of records that ActivID Appliance can return as a result of a single search for records in the ActivID Management Console. The default maximum is 100 records.

  12. To view a result, click the value in the Timestamp column.

  13. To mark the result as verified, click Verify at the bottom of the page, and then click Back to List.

The result now has the status Safe.
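The search procedure above combines a mandatory period with optional filters, wildcard matching on the user and device codes, and a hard cap on the number of returned records. The following Python model is an added example, not code from ActivID Appliance: it runs the same kind of query over a handful of constructed audit records so that the effect of each filter and of the SEARCH_LIMIT_AUDIT cap can be seen. The field names and the sample rows are this example's own assumptions, not the FTRESSAUDITLOG schema.

```python
"""Model of the Audit Report Search filters over constructed records (added example)."""
from datetime import datetime
from fnmatch import fnmatchcase

SEARCH_LIMIT_AUDIT = 100  # default maximum number of records returned by one search

# Constructed sample records. Field names are this example's own; they only mirror
# the filters offered on the Audit Report Search page, not the real table columns.
SAMPLE_RECORDS = [
    {"timestamp": "2024-03-01T08:00:00", "channel": "Administration", "direct_user": "admin01",
     "indirect_user": "jsmith", "device_serial": "", "action": "createUser",
     "policy": "", "response": "Success", "correlation_id": "c-1001"},
    {"timestamp": "2024-03-01T08:05:10", "channel": "Authentication", "direct_user": "jsmith",
     "indirect_user": "", "device_serial": "SN-0001", "action": "authenticate",
     "policy": "OTP-Policy", "response": "Failure", "correlation_id": "c-1002"},
    {"timestamp": "2024-03-01T08:05:40", "channel": "Authentication", "direct_user": "jsmith",
     "indirect_user": "", "device_serial": "SN-0001", "action": "authenticate",
     "policy": "OTP-Policy", "response": "Success", "correlation_id": "c-1003"},
    {"timestamp": "2024-03-02T09:00:00", "channel": "Administration", "direct_user": "admin02",
     "indirect_user": "jsmith", "device_serial": "SN-0001", "action": "assignDevice",
     "policy": "", "response": "Success", "correlation_id": "c-1004"},
]


def _field_matches(value, pattern):
    """An empty pattern means the filter is not used; '*' wildcards are accepted."""
    if not pattern:
        return True
    return fnmatchcase(value, pattern)


def search_audit_log(records, start, end, limit=SEARCH_LIMIT_AUDIT, channel="",
                     direct_user="", indirect_user="", device_serial="", action="",
                     policy="", response="Any", correlation_id=""):
    """Return (matching records, truncated flag).

    The period (start, end as ISO 8601 strings) is mandatory; every other filter is
    optional. 'Any' as the response matches both successes and failures.
    """
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    matches = []
    for rec in records:
        ts = datetime.fromisoformat(rec["timestamp"])
        if not (start_dt <= ts <= end_dt):
            continue
        if channel and rec["channel"] != channel:
            continue
        wildcard_filters = (("direct_user", direct_user), ("indirect_user", indirect_user),
                            ("device_serial", device_serial), ("correlation_id", correlation_id))
        if not all(_field_matches(rec[f], p) for f, p in wildcard_filters):
            continue
        if action and rec["action"] != action:
            continue
        if policy and rec["policy"] != policy:
            continue
        if response != "Any" and rec["response"] != response:
            continue
        matches.append(rec)
    # The console lists only the first records up to the limit; the flag tells the
    # caller that more matches exist and the period or filters should be narrowed.
    truncated = len(matches) > limit
    return matches[:limit], truncated


if __name__ == "__main__":
    hits, more = search_audit_log(SAMPLE_RECORDS, "2024-03-01T00:00:00",
                                  "2024-03-02T23:59:59", channel="Authentication",
                                  response="Failure")
    for rec in hits:
        print(rec["timestamp"], rec["direct_user"], rec["action"], rec["response"])
    print("truncated:", more)
```

When the truncated flag is set, the displayed page is not the complete picture of the period: narrow the period or add filters until the result fits under the limit, or raise SEARCH_LIMIT_AUDIT with the retention window in mind.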

Interpreting Audit Log Records

The audit log contains a record of each method invoked by a direct user, with the exception of “get” methods. Such methods simply retrieve data from the database and are not audited. An example of a “get” method is a search. The only “get” method that is audited is getChallenge.

Each entry in the audit log is time stamped, digitally signed, and sequenced. This makes the log tamper-evident since it is impossible to retrospectively modify entries, add entries to the log, or delete entries from the log. Therefore, the log provides an indisputable record of all user functions registered through ActivID Appliance. You can select and view the audit log for a particular period of time, and for any and all channels.
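To make concrete what "time stamped, digitally signed, and sequenced" buys a verifier, and what the Verify Audit Log option in the search procedure is checking for, here is an added Python example that is not the ActivID Appliance implementation: the product's actual signing scheme is not described on this page, so the example assumes an HMAC over each record that also covers its sequence number and the previous record's signature. Constructed records are built, then a modified record, a deleted record, a forged insertion and a truncated tail are each run through the verifier to show which of the three checks (sequence, chain, signature) reports them.

```python
"""Tamper-evidence checks over a signed, sequenced audit chain (added example).

The chained-HMAC scheme below is an assumption for illustration, not the scheme
used by ActivID Appliance.
"""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-example-key"  # constructed; a real signing key never lives in code


def sign_record(sequence, previous_sig, body, key=SIGNING_KEY):
    """HMAC-SHA256 over the sequence number, the previous signature and the canonical body."""
    payload = json.dumps({"seq": sequence, "prev": previous_sig, "body": body},
                         sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_log(bodies, key=SIGNING_KEY):
    """Append each body as a numbered record whose signature chains to its predecessor."""
    log, prev = [], ""
    for seq, body in enumerate(bodies, start=1):
        sig = sign_record(seq, prev, body, key)
        log.append({"seq": seq, "prev": prev, "body": body, "sig": sig})
        prev = sig
    return log


def verify_log(log, key=SIGNING_KEY, expected_last_seq=None):
    """Return (ok, problems); each problem is (sequence number, description)."""
    problems, expected_seq, prev = [], 1, ""
    for rec in log:
        if rec["seq"] != expected_seq:
            problems.append((rec["seq"], "sequence gap or reordering"))
        if rec["prev"] != prev:
            problems.append((rec["seq"], "chain break: previous signature mismatch"))
        expected = sign_record(rec["seq"], rec["prev"], rec["body"], key)
        if not hmac.compare_digest(expected, rec["sig"]):
            problems.append((rec["seq"], "signature mismatch: record modified or forged"))
        expected_seq = rec["seq"] + 1
        prev = rec["sig"]
    # Chaining alone cannot see records cut off the end; the verifier needs an
    # independently known last sequence number for that.
    if expected_last_seq is not None and expected_seq - 1 != expected_last_seq:
        problems.append((expected_seq - 1, "log ends early: tail records missing"))
    return (not problems), problems


def demonstrate():
    """Build a small constructed log and show which tampering each check catches."""
    bodies = [
        {"action": "createUser", "direct_user": "admin01", "indirect_user": "jsmith"},
        {"action": "authenticate", "direct_user": "jsmith", "response": "Failure"},
        {"action": "authenticate", "direct_user": "jsmith", "response": "Success"},
    ]
    log = build_log(bodies)
    modified = copy.deepcopy(log)
    modified[1]["body"]["response"] = "Success"   # rewrite a failed authentication as a success
    deleted = log[:1] + log[2:]                    # drop the failed-authentication record
    forged = {"seq": 2, "prev": log[0]["sig"], "body": {"action": "deleteUser"}, "sig": "0" * 64}
    inserted = [log[0], forged] + log[1:]          # splice in a record produced without the key
    truncated = log[:2]                            # remove the last record
    return {
        "intact": verify_log(log),
        "modified": verify_log(modified),
        "deleted": verify_log(deleted),
        "inserted": verify_log(inserted),
        "truncated_unnoticed": verify_log(truncated),
        "truncated_with_expected_last": verify_log(truncated, expected_last_seq=3),
    }


if __name__ == "__main__":
    for name, (ok, problems) in demonstrate().items():
        print(f"{name}: {'ok' if ok else 'TAMPERED'} {problems}")
```

The truncated case is the one to remember: a chain of signatures proves that nothing inside the surviving range was changed, added or removed, but it says nothing about records removed from the end. That is why the Verify Audit Log check is useful only against a log whose expected extent is known, for example from the archived copies the note at the top of this page describes.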