2.1 Running an Event Search

By default, the search results include all events generated by the Sentinel system operations. These events are tagged with the Sentinel tag. If no query is specified and you click Search for the first time after the Sentinel installation, the default search returns all events with severity 3 to 5. Otherwise, the Search feature reuses the last specified search query.

To search for a value in a specific field, use the event field's ID, a colon, and the value. For example, to search for an authentication attempt to Sentinel by user2, use the following text in the search field:

evt:LoginUser AND sun:user2

An advanced search can narrow the search for a value to a specific event field. The advanced search criteria are based on the event IDs for each event field and the search logic for the index. Advanced searches can include the product name, severity, source IP, and the event type. For example:

Multiple advanced search criteria can be combined by using various operators. The advanced search criteria syntax is modeled on the search criteria for the Apache Lucene open source package. For more information on building search criteria, see Section A.0, Search Query Syntax.

To perform a search:

  1. Log in to the Sentinel Web interface:

    https://<IP_Address/DNS_Sentinel_server>:8443

    IP_Address/DNS_Sentinel_server is the IP address or the DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server.

  2. Click New Search.

  3. You can perform a search by using any of the following:

    • Search criteria: Specify the search criteria in the Search field.

      For information on creating search criteria, see Section A.0, Search Query Syntax.

    • Search history: Select a search criterion from the search history. As you type in the Search field, closely matching expressions from the recently used search expression list appear. The search history displays a maximum of 15 search expressions.

    • Tags: You can search for events that have a particular tag. Click the Tag icon, select the tags, then click OK.

    • Filters: You can reuse an existing filter to perform a new search. Click the Filter icon, select the filter, then click Search.

  4. (Optional) Select a time period for the search.

    • The default is Last 1 hour.

    • Custom allows you to select a start date and time and an end date and time for the query. The start date should be earlier than the end date, and the time is based on the machine’s local time.

    • Whenever searches all available data, without any time constraints.

  5. (Optional) If you have administrator privileges, you can select other Sentinel servers for the search.

    If you have distributed search configured, you can perform a search on other Sentinel servers. For more information, see Searching and Reporting Events in a Distributed Environment in the NetIQ Sentinel 7.0.1 Administration Guide.

  6. Click Search.

    A spinning icon indicates that the search is in progress.

    The search results are displayed. For information on the search results, see Section 2.2, Viewing Search Results.

  7. (Optional) Modify the search criteria by selecting the desired event fields in the search results.

    • To add an AND condition to the existing criteria, left-click the event field.

    • To add a NOT condition, Alt+left-click the event field.

  8. Click Search.

  9. (Conditional) To save the search query, see Section 2.4, Saving a Search Query.
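To make the field:value criteria and the AND/NOT conditions of step 7 concrete, here is an added Python example (not part of the Sentinel documentation) that parses criteria with explicit AND, OR, NOT and parentheses and evaluates them against a few constructed events. The field IDs evt, sun, sev and sip are taken from the guide's own example; exact string comparison of values is an assumption of this example, not a statement about how the Sentinel index matches.

```python
import re

# Parentheses, quoted or bare field:value terms, operators, then a catch-all.
TOKEN = re.compile(r'\(|\)|\w+:"[^"]*"|\w+:[^\s()]+|AND\b|OR\b|NOT\b|\S+')

# Constructed sample events; field IDs follow the guide (evt, sun, sev, sip).
EVENTS = [
    {"evt": "LoginUser", "sun": "user2", "sev": "3", "sip": "10.0.0.5"},
    {"evt": "LoginUser", "sun": "admin", "sev": "5", "sip": "10.0.0.9"},
    {"evt": "Logout", "sun": "user2", "sev": "1", "sip": "10.0.0.5"},
]

def compile_query(query):
    """Predicate over one event dict. NOT binds tightest, then AND, then OR;
    parentheses group. Values are compared exactly (an assumption here)."""
    tokens = TOKEN.findall(query)  # consumed left to right by take()
    def take():
        if not tokens:
            raise ValueError("unexpected end of query")
        return tokens.pop(0)
    def parse_or():  # or_expr := and_expr ('OR' and_expr)*
        left = parse_and()
        while tokens[:1] == ["OR"]:
            take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, parse_and())
        return left
    def parse_and():  # and_expr := term ('AND' term)*
        left = parse_term()
        while tokens[:1] == ["AND"]:
            take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, parse_term())
        return left
    def parse_term():  # term := 'NOT' term | '(' or_expr ')' | field:value
        tok = take()
        if tok == "NOT":
            inner = parse_term()
            return lambda e: not inner(e)
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        field, sep, value = tok.partition(":")
        if not sep:
            raise ValueError(f"expected field:value, got {tok!r}")
        return lambda e: e.get(field) == value.strip('"')
    matcher = parse_or()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return matcher
```

Applying `compile_query("evt:LoginUser AND NOT sun:user2")` to EVENTS with `filter` keeps only the admin login, which is the result step 7 produces when you left-click the event name and Alt+left-click the user field.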