3.0 Searching Events

Sentinel lets you search events. With the necessary configuration, you can also search the system events that Sentinel itself generates and view the raw data for each event. By default, events are returned in reverse chronological order (newest first).

By default, the search results include all events generated by Sentinel system operations. These events are tagged with the Sentinel tag. If no query is specified and you click Search for the first time after installing Sentinel, the default search returns all events with severity 0 to 5. Otherwise, Search reuses the last query you specified.

To search for a value in a specific field, use the short ID of the event field (for example, evt for the event name and sun for the user name), a colon, and the value. For example, to search for an authentication attempt to Sentinel by user2, enter the following in the search field:

evt:LoginUser AND sun:user2

An advanced search narrows the search for a value to a specific event field. Advanced search criteria use the short ID of each event field together with the search logic of the index. Advanced searches can include the product name, severity, source IP address, and event type. For example:

  • pn:NMAS AND sev:5

    This searches for events with the product name NMAS and severity 5.

  • sip:10.0.0.1 AND evt:"Set Password"

    This searches for events with the initiator (source) IP address 10.0.0.1 and the event name “Set Password”. Values that contain spaces must be quoted.

Multiple advanced search criteria can be combined by using various operators. The advanced search criteria syntax is modeled on the search criteria for the Apache Lucene open source package. For more information on building search criteria, see Section A.0, Search Query Syntax.
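The following evaluator is an added illustration of the query syntax described above; it is not Sentinel's own search code. Sentinel runs these queries against a Lucene index, while this code matches in-memory event records with exact, case-insensitive comparison on the whole field value (an assumption) and gives NOT, AND and OR the usual precedence (also an assumption; Sentinel's rules are in Section A.0). The field IDs follow the page (evt, sun, pn, sev, sip); the t field and the sample events are constructed for the example.

```python
import re
from typing import Callable

# Hypothetical evaluator for Sentinel-style "field:value" queries.  Added
# illustration, not Sentinel's search engine: Sentinel searches a Lucene index,
# this code matches in-memory dictionaries with exact, case-insensitive
# comparison on the whole field value (assumption).

Event = dict                       # one event record: field ID -> value
Matcher = Callable[[Event], bool]

# Tokens: field:value, field:"quoted phrase", AND / OR / NOT, parentheses.
_TOKEN = re.compile(
    r'\s*(?:(\()|(\))|(AND|OR|NOT)\b|([A-Za-z_]\w*):(?:"([^"]*)"|([^\s()]+)))'
)


def tokenize(query: str) -> list[tuple]:
    """Split a query into LPAR / RPAR / OP / CLAUSE tokens."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at: {query[pos:]!r}")
        pos = m.end()
        lpar, rpar, op, field, quoted, bare = m.groups()
        if lpar:
            tokens.append(("LPAR",))
        elif rpar:
            tokens.append(("RPAR",))
        elif op:
            tokens.append(("OP", op))
        else:
            tokens.append(("CLAUSE", field.lower(), quoted if quoted is not None else bare))
    return tokens


def _and(l: Matcher, r: Matcher) -> Matcher:
    return lambda e: l(e) and r(e)


def _or(l: Matcher, r: Matcher) -> Matcher:
    return lambda e: l(e) or r(e)


def _clause(field: str, value: str) -> Matcher:
    # Whole-value, case-insensitive match; "10.0.0.01" does not match "10.0.0.1".
    return lambda e: str(e.get(field, "")).lower() == value.lower()


class _Parser:
    """Recursive descent: expr = term (OR term)* ; term = factor (AND factor)* ;
    factor = NOT factor | '(' expr ')' | CLAUSE.  NOT binds tightest, OR loosest."""

    def __init__(self, tokens: list[tuple]):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self) -> Matcher:
        matcher = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return matcher

    def _expr(self) -> Matcher:
        left = self._term()
        while self._peek() == ("OP", "OR"):
            self._take()
            left = _or(left, self._term())
        return left

    def _term(self) -> Matcher:
        left = self._factor()
        while self._peek() == ("OP", "AND"):
            self._take()
            left = _and(left, self._factor())
        return left

    def _factor(self) -> Matcher:
        tok = self._take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == ("OP", "NOT"):
            inner = self._factor()
            return lambda e: not inner(e)
        if tok == ("LPAR",):
            inner = self._expr()
            if self._take() != ("RPAR",):
                raise ValueError("missing ')'")
            return inner
        if tok[0] == "CLAUSE":
            return _clause(tok[1], tok[2])
        raise ValueError(f"unexpected token {tok!r}")


def compile_query(query: str) -> Matcher:
    return _Parser(tokenize(query)).parse()


# Constructed sample events (not real Sentinel output).  Field IDs follow the
# page: evt = event name, sun = user name, pn = product name, sev = severity,
# sip = initiator IP.  "t" is an assumed event-time field used only for ordering.
EVENTS = [
    {"t": 1, "evt": "LoginUser",    "sun": "user1", "pn": "Sentinel", "sev": "1", "sip": "10.0.0.1"},
    {"t": 2, "evt": "LoginUser",    "sun": "user2", "pn": "Sentinel", "sev": "1", "sip": "10.0.0.2"},
    {"t": 3, "evt": "Set Password", "sun": "user2", "pn": "NMAS",     "sev": "5", "sip": "10.0.0.1"},
    {"t": 4, "evt": "Set Password", "sun": "admin", "pn": "NMAS",     "sev": "3", "sip": "10.0.0.3"},
    {"t": 5, "evt": "LoginUser",    "sun": "user2", "pn": "NMAS",     "sev": "5", "sip": "10.0.0.1"},
]


def search(query: str, events: list = EVENTS) -> list:
    """Return matching events newest first, the default order the page describes."""
    matches = compile_query(query)
    return sorted((e for e in events if matches(e)), key=lambda e: e["t"], reverse=True)


if __name__ == "__main__":
    for q in ("evt:LoginUser AND sun:user2",
              "pn:NMAS AND sev:5",
              'sip:10.0.0.1 AND evt:"Set Password"',
              'sip:10.0.0.01 AND evt:"Set Password"',   # the mistyped address matches nothing
              "(pn:NMAS OR pn:Sentinel) AND NOT sun:user2"):
        print(f"{q:45s} -> {[e['t'] for e in search(q)]}")
```

Running the block evaluates the three queries from this section plus two that use OR, NOT and parentheses. The mistyped address 10.0.0.01 returns no events, which is the practical point: field searches match the indexed value, so an IP or user name must be written exactly as the event source reports it.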

NOTE: If time is not synchronized across your server, client, and event sources, you might get unexpected results from your search. This is especially a problem for searches over time durations such as Custom, Last 1 hour, and Last 24 hours, where the displayed results are based on the time zone of the machine on which the search is performed.