2.1 Running an Event Search

By default, the search results include all events generated by the Sentinel system operations. These events are tagged with the Sentinel tag. If no query is specified and you click Search for the first time after the Sentinel installation, the default search returns all events with severity 3 to 5. Otherwise, the Search feature reuses the last specified search query.

To search for a value in a specific field, use the short ID of the event field, a colon, and the value. For example, to search for an authentication attempt to Sentinel by user2, search for the LoginUser event name (field ID evt) initiated by that user (field ID sun) with the following text in the search field:

evt:LoginUser AND sun:user2

An advanced search narrows the search for a value to a specific event field. The advanced search criteria are based on the field ID of each event field and on the search logic of the index. Advanced searches can include the product name, severity, source IP, and the event type. For example:

Multiple advanced search criteria can be combined by using Boolean operators such as AND and OR. The advanced search criteria syntax is modeled on the search criteria of the Apache Lucene open source package. For more information on building search criteria, see Section A.0, Search Query Syntax.
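The following Python helper is an added example, not part of the Sentinel documentation or product: it assembles a Lucene-style search expression such as evt:LoginUser AND sun:user2 from field/value pairs and combines clauses with AND and OR. The security-relevant point is that a value copied from an untrusted source (a ticket, a form field, another log) can contain Lucene operators; escaping it keeps the value from rewriting the query's logic. The function names, the field-ID pattern, and the assumption that Sentinel's parser honors Lucene backslash escaping and quoted phrases are the example's own, not stated by the page.

```python
"""Build Sentinel (Lucene-style) search expressions without operator injection.

Added example, not Sentinel code. Assumptions (not stated on the page):
Sentinel's parser accepts Lucene backslash escaping and quoted phrases, and
field IDs are short alphanumeric tags such as evt, sun, sev, sip.
"""
import re

# Metacharacters of the Lucene classic query syntax.
_SPECIAL = re.compile(r'([+\-&|!(){}\[\]^"~*?:\\/])')
_FIELD_ID = re.compile(r'[A-Za-z][A-Za-z0-9_]*')


def escape_value(value: str) -> str:
    """Backslash-escape every Lucene metacharacter in a bare (unquoted) value."""
    return _SPECIAL.sub(r'\\\1', value)


def term(field: str, value: str) -> str:
    """Return a single field:value clause, quoting values that contain whitespace."""
    if not _FIELD_ID.fullmatch(field):
        raise ValueError(f"invalid field id: {field!r}")
    if not value:
        raise ValueError("empty search value")
    if any(ch.isspace() for ch in value):
        # Inside a quoted phrase only the quote and the backslash are special.
        quoted = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}:"{quoted}"'
    return f"{field}:{escape_value(value)}"


def _join(clauses, op: str) -> str:
    clauses = [c for c in clauses if c]
    if not clauses:
        raise ValueError("no clauses to combine")
    if len(clauses) == 1:
        return clauses[0]
    # Parenthesize sub-clauses that already carry an operator so that nesting
    # AND inside OR (or vice versa) keeps the intended precedence.
    wrapped = [f"({c})" if (" AND " in c or " OR " in c) and not c.startswith("(") else c
               for c in clauses]
    return f" {op} ".join(wrapped)


def all_of(*clauses) -> str:
    """Combine clauses with AND."""
    return _join(clauses, "AND")


def any_of(*clauses) -> str:
    """Combine clauses with OR."""
    return _join(clauses, "OR")


def login_by_user(user: str) -> str:
    """The page's own example, built from an arbitrary (possibly hostile) user name."""
    return all_of(term("evt", "LoginUser"), term("sun", user))


if __name__ == "__main__":
    print(login_by_user("user2"))                 # evt:LoginUser AND sun:user2
    print(login_by_user("user2)OR(sev:5"))        # operators in the value are escaped
    print(any_of(login_by_user("user2"), term("sun", "user3")))
```

The last two calls show the difference escaping makes: without it, a user name such as user2)OR(sev:5 would close the AND clause and widen the search to every severity-5 event, so a script that builds searches from external input should always go through term() rather than string concatenation.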

Performing a Search

To perform a search:

  1. Log in to the Sentinel Web interface:

    https://<IP_Address/DNS_Sentinel_server>:8443

    IP_Address/DNS_Sentinel_server is the IP address or the DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

  2. In the Reports and Searches panel, click New search.

  3. You can perform a search by using any of the following:

    • Search criteria: Specify the search criteria in the Search field.

      For information on creating search criteria, see Section A.0, Search Query Syntax.

    • Add Criteria: Click Add Criteria, select from the criteria listed, click Add, and then click Search. You can select criteria from the full list or narrow the list to recent criteria, tags, or filters:

      • Show recent criteria: Select a search criterion from the recent search history. The search history displays a maximum of 15 search expressions. Select the criteria, click Show recent criteria, and then click Add.

      • Show Tags: You can search for events that have a particular tag. Click Show Tags to list the tags in the system, select the tags, and then click Add.

      • Show Filters: You can reuse existing filters to perform a new search. Click Show Filters to list the existing filters, select the filter on which you want to perform the search, and then click Add.

      You can combine multiple criteria, tags, or filters by using the AND or OR condition.

  4. (Optional) Select a time period for the search.

    • The default is Last 1 hour.

    • Custom allows you to select a start date and time and an end date and time for the query. The start date must be earlier than the end date, and the time is interpreted in the local time of the machine running the browser.

    • Whenever searches all available data, without any time constraints.

  5. (Optional) If you have administrator privileges, you can select other Sentinel servers for the search.

    If you have distributed search configured, you can perform a search on other Sentinel servers. For more information, see Searching and Reporting Events in a Distributed Environment in the NetIQ Sentinel 7.1 Administration Guide.

  6. Click Search.

    The search results are displayed. For information on the search results, see Section 2.2, Viewing Search Results.

  7. (Optional) Modify the search criteria by clicking Edit Criteria.

  8. (Optional) Modify the search results by selecting the desired event fields in the search results.

    To add an AND or OR condition to the existing criteria, left-click the event field, select the required fields, and then specify the desired condition.

  9. Click Search.

  10. (Conditional) To save the search query, see Section 2.4, Saving a Search Query.