2 Replies Latest reply on Jun 9, 2017 9:37 AM by Cindi Lund

    How to externally audit user access

    Cindi Lund

      Our organization requires us to centrally log application usage.  We can get the user logins from the tw_svc_security.log file but it does not contain the source IP address.  However, in the UI audit, the source IP is listed.  Is there a way to gather the audit data from the command line or API so that we can include source IP?

        • 1. Re: How to externally audit user access
          Bob Anderson

          Try this in the GUI:

              search in 'Audit' UserEventAuditRecord where event_group = 'UI Access' and not user has substring '[' order by when desc
              show
              user as "Local User",
              event as "Auditable Event",
              when as "When",
              full_name as "Full Name",
              extract(msg, regex '.*from IP\s+(.*)$', raw '\1' ) as "From"

          or from the command line:

              tw_query --csv --file='ui_access_query_results.csv' -u username "search in 'Audit' UserEventAuditRecord where event_group='UI Access' and not user has substring '[' order by when desc show user, event, when, full_name, extract(msg, regex '.*from IP\s+(.*)$', raw '\1')"

          HTH

          2 of 2 people found this helpful
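
For the central-logging requirement in the question, the CSV written by the tw_query command above can be turned into one JSON event per line for a log shipper. This is an added example, not part of the posts above and not vendor code; the header row, the sample values and the names `audit_csv_to_events` and `to_json_lines` are assumptions made for illustration.

```python
import csv
import io
import ipaddress
import json

# Column order mirrors the "show" clause of the query in the reply above.
FIELDS = ("user", "event", "when", "full_name", "src_ip")

# Constructed sample standing in for ui_access_query_results.csv.
# The header row and the value formats are assumptions, not real tw_query output.
SAMPLE_CSV = """user,event,when,full_name,From
jdoe,login,2017-06-09 09:12:01,Jane Doe,192.0.2.15
svc_scan,login,2017-06-09 09:10:44,Scan Account,
asmith,login,2017-06-09 09:05:10,Al Smith,2001:db8::7
"""


def audit_csv_to_events(text, has_header=True):
    """Return (events, rejected_rows) parsed from tw_query CSV text."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if has_header:
        rows = rows[1:]
    events, rejected = [], []
    for row in rows:
        if len(row) != len(FIELDS):
            rejected.append(row)  # keep for review, never drop silently
            continue
        event = dict(zip(FIELDS, (cell.strip() for cell in row)))
        # The regex group (.*) captures everything after "from IP", so check
        # that the value really is an IPv4/IPv6 address before indexing it.
        try:
            event["src_ip"] = str(ipaddress.ip_address(event["src_ip"]))
            event["src_ip_valid"] = True
        except ValueError:
            event["src_ip_valid"] = False  # raw value is kept for the analyst
        events.append(event)
    return events, rejected


def to_json_lines(events):
    """Serialize events as one JSON object per line for a log shipper."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    parsed, bad = audit_csv_to_events(SAMPLE_CSV)
    print(to_json_lines(parsed))
    print(f"{len(bad)} rejected row(s)")
```

Rows whose source IP does not parse are still forwarded with `src_ip_valid` set to false, so a login event is never lost because the message text had an unexpected shape.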
          • 2. Re: How to externally audit user access
            Cindi Lund

            Perfect!  Thank you!