Requirements 10.2.2, 10.2.4, 10.2.5, 10.2.6, and 10.2.7 of the Payment Card Industry Data Security Standard (PCI DSS) require that specific events and user activities are logged so that an organization can identify and trace potentially malicious activity.
This article shows how to use the recommended log search statements in the Alert Logic® console to quickly verify that the audit logs you send to Alert Logic are capturing the events and user activities specified in the PCI requirements listed above.
Utilizing Log Search Statements
The following log search statements can be copied and pasted into the log search function in the Alert Logic console for easy searching of logs specific to each of the listed PCI requirements. Follow these steps:
- Copy the WHERE statement of your desired search statement from this article.
- Alert Logic Essentials, Professional, or Enterprise customers: in the Alert Logic console, open the navigation menu > Investigate > Search > Log Search. Alert Logic Cloud Defender or Log Manager customers: in the Alert Logic console, navigate to Search > Log Search (or Log Search BETA).
- Paste into the WHERE line.
- Come back to the article and copy the SELECT statement of that same desired search statement.
- Navigate back to the same Log Search web page.
- Paste into the SELECT line.
- To the left of the Search button, select the date range that you'd like to see log messages for.
- Click Search to retrieve a list of log messages applicable to your desired PCI requirement and environment.
Note: The SELECT statement within each log search statement below is also the default SELECT statement on the Alert Logic console's log search page. You can copy and paste the statement, or you can bring back the default statement by clicking the refresh icon to the right of SELECT.
PCI Requirement 10.2.2
PCI requirement 10.2.2 requires an organization to verify that all actions taken by an individual with root or administrative privileges are logged. You can use the following log search statements to demonstrate that the audit logs you send to Alert Logic are configured to log actions taken by root and administrator users.
Utilize the log search statement that corresponds to your environment:
Windows
Location | Log Search Statement
--- | ---
WHERE | 
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
UNIX
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Unix SU Successful Switch User", "Unix SUDO Successful Command", "Unix SUDO Authentication Failed", "Unix Mailbox User Created", "Unix User Account Created", "Unix Group Member Removed", "Ossec Unix User Account Deleted", "Unix FTP File Deleted", "Unix Mailbox User Deleted", "Unix User Account Deleted", "Ossec Unix User Account Created", "Ossec Unix User Group Added", "Unix Group Member Added", "Unix User Group Added", "Unix Group Modified", "Unix Group Removed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
Amazon Web Services
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("AWS IAM Create User", "AWS IAM Delete User", "AWS EC2 Create Placement Group", "AWS EC2 Create Security Group", "AWS IAM Create Group", "AWS RDS Create Option Group", "AWS IAM Add User To Group", "AWS IAM Attach Group Policy", "AWS IAM Delete Group Policy", "AWS IAM Detach Group Policy", "AWS IAM Put Group Policy", "AWS IAM Remove User From Group", "AWS IAM Update Group", "AWS EC2 Delete Placement Group", "AWS EC2 Delete Security Group", "AWS IAM Delete Group")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
PCI Requirement 10.2.4
PCI requirement 10.2.4 requires an organization to verify that invalid logical access attempts are logged. You can use the following log search statements to demonstrate that the audit logs you send to Alert Logic are configured to log invalid access attempts.
Utilize the log search statement that corresponds to your environment:
Windows
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Ossec Windows Login Failed", "Windows Login Failed", "IIS 5 FTP Login Failed", "IIS 7 FTP Login Failed", "IIS FTP Login Failed", "Windows SSH Login Failed", "WS_FTP Login Failed", "Office365 Sign In Failure", "Windows Web Authentication Failed", "Windows VPN Login Failed", "Windows Terminal Service Login Failed", "Windows SharePoint Login Failed", "Windows Operation Manager Authentication Failed", "Windows OCS Login Failed", "Windows DCOM User Login Failed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC

Note: the IN list matches each Message Type exactly, so a leading space inside a quoted value (for example " IIS 5 FTP Login Failed") silently matches nothing. The list above has those stray spaces and the duplicated entries removed.
Network
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Checkpoint User Failed Login", "Checkpoint VPN User Login Failed", "Cisco ACS Login Failed", "Cisco ACS VPN Login Failed", "Cisco ASA AAA Authentication Failed", "Cisco ASA Admin Login Failed", "Cisco ASA Console Enable Password Incorrect", "Cisco ASA Login Denied", "Cisco ASA Xauth Login Failed", "Cisco IOS AAA Authentication Failed", "Cisco IOS Admin Login Failed", "Cisco IOS Security Authentication Login Failed", "Cisco IOS SSH Login Failed", "Cisco IOS User Login Failed", "Cisco PIX Login Denied", "Cisco SNMP Authentication Failed", "Cisco User Already Logged In", "Cisco User Failed Login", "Cisco User Logout(Unable to Ping)", "Cisco VPN Administrator Login Failed", "Cisco VPN User Login Failed", "Cisco Wireless Controller Authentication Failed", "Fortinet Administrator Event Failure", "Fortinet Administrator Login Failed", "Fortinet Authentication Event Failed", "Fortinet Login Failed", "Fortinet User Login Disabled Temporarily (Too Many Failures)", "HP ProCurve User Login Failed", "Juniper Login Failed from IP", "Juniper Login Failed Using Auth Server", "Juniper VPN Connection not Authenticated", "Netscreen Admin Login Failed", "Netscreen Multiple Authentication Failures", "Netscreen Multiple Local Login Failures", "Netscreen Multiple Remote Login Failures", "Netscreen XAuth Login Terminated", "RSA ACE Administrator Login Failed", "RSA ACE Login Failed", "RSA ACE Next Tokencode Mode On", "SonicOS Administrator Login Failed", "SonicOS VPN User Login Failed", "Watchguard ADM User Login Failed", "Watchguard Login Failed", "Watchguard VPN User Login Failed", "Web Security Manager User Login Failed", "Palo Alto User Authentication Failed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
UNIX
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Unix FTP Login Failed", "Unix Local Login Failed", "Ossec SSH Login Failed", "Ossec Unix SSH Login Failed", "Solaris SSH Remote Login Method Refused", "Unix Remote Login Failed", "Unix SSH Authentication From Invalid Host", "Unix SSH Invalid User", "Unix SSH Login Failed", "Unix SSH Root Login Refused")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
Amazon Web Services
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("AWS IAM Console Login Failure")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
PCI Requirement 10.2.5
PCI requirement 10.2.5 requires an organization to verify that use of and changes to identification and authentication mechanisms (including, but not limited to, creation of new accounts and elevation of privileges) and all changes, additions, or deletions to accounts with root or administrative privileges are logged. You can use the following log search statements to demonstrate that the audit logs you send to Alert Logic are configured to log these account changes.
Utilize the log search statement that corresponds to your environment:
Windows
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Ossec Windows User Account Created", "Windows User Account Created", "Windows User Account Changed", "Ossec Windows User Account Changed", "Ossec Windows User Account Deleted", "Windows User Account Deleted", "Ossec Windows Group Added", "Ossec Windows Group Created (Security Disabled)", "Windows Group Added", "Windows Group Created (Security Disabled)", "Windows LDAP Query Group Created", "Office365 Group Added", "Office365 Group Updated", "Office365 User Added to Group", "Ossec Windows Group Modified", "Windows Group Member Added (Security Disabled)", "Windows Group Member Added (Security Enabled)", "Windows Group Member Removed (Security Disabled)", "Windows Group Member Removed (Security Enabled)", "Windows Group Modified", "Windows Group Modified (Security Disabled)", "Windows LDAP Query Group Changed", "Windows Group Removed", "Windows Group Removed (Security Disabled)", "Office365 Group Removed") AND [User Name] != "-" AND [SAM User] != "-" AND [Member Name] != "-"
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
UNIX
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Unix SU Successful Switch User", "Unix SUDO Successful Command", "Unix SUDO Authentication Failed", "Unix Mailbox User Created", "Unix User Account Created", "Unix Group Member Removed", "Ossec Unix User Account Deleted", "Unix FTP File Deleted", "Unix Mailbox User Deleted", "Unix User Account Deleted", "Ossec Unix User Account Created", "Ossec Unix User Group Added", "Unix Group Member Added", "Unix User Group Added", "Unix Group Modified", "Unix Group Removed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
Amazon Web Services
Location | Log Search Statement
--- | ---
WHERE | [parsed.json.eventSource] = "iam.amazonaws.com" AND NOT [parsed.json.eventName] CONTAINS_ANY ("Get", "List", "Generate")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
PCI Requirement 10.2.6
PCI requirement 10.2.6 requires an organization to verify that initialization, stopping, or pausing of the audit logs is logged. You can use the following log search statements to demonstrate that the audit logs you send to Alert Logic are configured to record when audit logging itself is started, stopped, cleared, or fails.
Utilize the log search statement that corresponds to your environment:
Windows
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Windows File Corrupted", "Windows Unable To Open Event Log", "Windows Event Log Corrupted", "Windows Audit Log Cleared")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
UNIX
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Samhain File Monitoring Failed", "Unix File Monitoring Failed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
Amazon Web Services
Location | Log Search Statement
--- | ---
WHERE | [parsed.json.eventSource] = "cloudtrail.amazonaws.com" AND [parsed.json.eventName] = "StopLogging"
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC

Note: the two conditions must test two different fields. A statement that compares [parsed.json.eventName] to both "StopLogging" and "cloudtrail.amazonaws.com" can never be true, so it returns no results even when a trail was stopped. StopLogging is also only one way to interrupt CloudTrail; if you want the search to surface trails being deleted or reconfigured as well, add those CloudTrail event names (for example DeleteTrail and UpdateTrail) as further [parsed.json.eventName] alternatives.
PCI Requirement 10.2.7
PCI requirement 10.2.7 requires an organization to verify that creation and deletion of system-level objects are logged. You can use the following log search statements to demonstrate that the audit logs you send to Alert Logic are configured to log creation and deletion of system-level objects.
Utilize the log search statement that corresponds to your environment:
Windows
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Active Directory Abnormal File Operation", "Active Directory Attribute Column Added", "Active Directory Attribute Column Create", "Active Directory Attribute Column Deleted", "Active Directory Audit Policy SACL Changed", "Active Directory Client Issued Search", "Active Directory DNS Key Master Role Changed", "Active Directory DNS Record Not Deleted", "Active Directory DNS Unavailable", "Active Directory DNS Update Request", "Active Directory DNS Update Successful", "Active Directory DNS Zone Created", "Active Directory DNS Zone Delegation Added", "Active Directory DNS Zone Loaded", "Active Directory DNS Zone Reloaded", "Active Directory DNS Zone Transfer In Progress", "Active Directory DNS Zone Transferred", "Active Directory DNS Zone Updated", "Active Directory DRA Attribute Added (Sync Will be Performed)", "Active Directory DRA Dispatcher Timeout", "Active Directory DRA Invalid Certificate", "Active Directory DRA Invalid Certificate (Not Trusted)", "Active Directory DRA Invalid Certificate (Unknown Domain Controller)", "Active Directory DRA Object Config Changed (Some Attributes Reversed)", "Active Directory DRA Operation Performed", "Active Directory DSA Cannot Find MasterDSA Attribute", "Active Directory DSA Not Advertised by Domain Controller", "Active Directory Database Backup Completed", "Active Directory Database Backup Started", "Active Directory Database Backup Warning", "Active Directory Database Index Cleanup Completed", "Active Directory Database Recovery Completed", "Active Directory Database Recovery Initiated", "Active Directory Database Space Alert", "Active Directory Database Updated Successfully", "Active Directory Disk Drive Name Change", "Active Directory Domain Controller Information", "Active Directory Domain Removed from Enterprise", "Active Directory Domain Service Shutdown", "Active Directory Domain Trust Created", "Active Directory Domain Trust Deleted", "Active Directory Domain Trust Modified", "Active Directory Duplicate SPN Detected", "Active Directory Exited with Active Threads", "Active Directory FSMO Moved", "Active Directory Federation Services Account Locked Out", "Active Directory Federation Services Extranet Lockout", "Active Directory Folder Replication Stopped", "Active Directory Function Level Raised", "Active Directory Global Catalog Connected", "Active Directory Global Catalog Demotion", "Active Directory Global Catalog Information", "Active Directory Global Catalog Promotion", "Active Directory Integration Disabled", "Active Directory Internal Event", "Active Directory Invalid Mandatory Attribute", "Active Directory Invalid Optional Attribute", "Active Directory Invalid Request For DNS Zone Transfer", "Active Directory Invalid Site", "Active Directory LDAP Connection Closed", "Active Directory LDAP Disconnect from Client (Server Shutting Down)", "Active Directory LDAP Session Opened", "Active Directory Object Created", "Active Directory Object Security Attributes Modified", "Active Directory PDC Notification", "Active Directory Partition No Longer Replicated", "Active Directory Partition Removed", "Active Directory Privileged Operation Performed", "Active Directory Recycle Bin Disabled", "Active Directory Recycle Bin Enabled", "Active Directory Replication Connection Created", "Active Directory Replication Connection Deleted", "Active Directory Replication Established", "Active Directory Replication Inbound Disabled", "Active Directory Replication Inbound Re-Enabled", "Active Directory Replication Link Added", "Active Directory Replication Modified", "Active Directory Replication Outbound Disabled", "Active Directory Replication Outbound Re-Enabled", "Active Directory Replication Service Added", "Active Directory Replication Service Enabled", "Active Directory Replication Started", "Active Directory Replication Stopped", "Active Directory Replication Synchronization Ended", "Active Directory Replication Synchronization Started", "Active Directory SIDs Filtered", "Active Directory Schema Index Created", "Active Directory Schema Index Required", "Active Directory Schema Object Access", "Active Directory Schema Object Modified", "Active Directory Server No Longer Domain Controller", "Active Directory Server Not Available", "Active Directory Service Object Created", "Active Directory Service Object Deleted", "Active Directory Service Object Modified", "Active Directory Service Object Moved", "Active Directory Started", "Active Directory Unsigned Client LDAP Connection", "Adaxes Active Directory Management Syslog", "IIS FTP Resource Deleted", "IIS File Not Modified", "IIS Object Moved", "IIS Object Moved Permanently", "IIS W3C Extended Log Client Request Succeeded", "IIS W3C Extended Log File Not Modified", "Ossec Windows Cannot Access File For GPO", "Ossec Windows File Corrupted", "Ossec Windows Successful Object Access", "Windows Attempt to install service", "Windows Cannot Access File For GPO", "Windows File Corrupted", "Windows File Modified", "Windows File Virtualized", "Windows GPG Processor File Decrypted", "Windows Hard Link Creation", "Windows Indirect Object Access Obtained", "Windows Indirect Object Access Requested", "Windows Network Share Object Added", "Windows Network Share Object Deleted", "Windows Network Share Object Modified", "Windows Object Deleted", "Windows Object Handle Closed", "Windows Object Permissions Changed", "Windows Operation Performed On Object", "Windows Privileged Object Operation", "Windows Shared Folder Access", "Windows Successful Object Access", "Windows Transaction State Changed", "Windows Virtual File Created", "Windows Virtual File Delete Requested", "Ossec Windows Object Access Failed", "Windows GPG Processor Failed To Decrypt File", "Windows Object Access Failed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
Amazon Web Services
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("AWS EC2 Authorize Security Group Egress", "AWS EC2 Authorize Security Group Ingress", "AWS EC2 Revoke Security Group Egress", "AWS EC2 Revoke Security Group Ingress", "AWS RDS Authorize DB Security Group Ingress", "AWS RDS Reboot DB Instance", "AWS RDS Revoke DB Security Group Ingress", "AWS EC2 Create Security Group", "AWS RDS Create Option Group")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
Network
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Checkpoint Anti-Spam Rule Added", "Checkpoint Anti-Spam Rule Deleted", "Checkpoint Anti-Spam Rule Modified", "Checkpoint NAT Rule Added", "Checkpoint NAT Rule Deleted", "Checkpoint Policy Installed", "Checkpoint Policy Modified", "Checkpoint Security Policy Added", "Checkpoint Security Policy Deleted", "Checkpoint Security Policy Modified", "Cisco Group Policy Deleted", "Cisco IKE Default Policy Accepted", "Cisco SA Deleted From Proxy", "Fortinet Policy Added", "Fortinet Policy Changed", "Fortinet Policy Deleted", "Netscreen AV Pattern File Updated", "Netscreen AV Profile Modified", "Netscreen Default Policy Changed", "Netscreen Management Restriction Modified", "Netscreen Policy Added", "Netscreen Policy Application Modified", "Netscreen Policy Attack Modified", "Netscreen Policy Attack Severity Modified", "Netscreen Policy Changed by Admin", "Netscreen Policy Deleted", "Netscreen Policy Modified", "Netscreen Security Alarm Setting Changed", "Netscreen Service Added To Policy", "Netscreen Web-Filter Policy Modified", "Samhain Client Policy Added", "Samhain Server Policy Added", "Samhain Server Policy Missing", "SonicOS Firewall Rule Modified", "Watchguard Policy Added", "Watchguard Policy Deleted", "Watchguard Policy Modified", "Watchguard Rule Added for Policy", "Web Security Manager GUI Access Policy Configured", "Windows IPsec Policy Loaded", "Windows IPsec Rule Applied", "AS400 Authorities for Object Changed", "Arista Enter Configuration Mode", "Arista Startup Config Saved", "BT9 Computer Management - Agent uninstalled", "BT9 Discovery - Banned file written to computer", "BT9 Discovery - Device attached", "BT9 Discovery - File group Created", "BT9 Discovery - Malicious file detected", "BT9 Discovery - New File On Network", "BT9 Discovery - New Unapproved File to Computer", "BT9 General Management - Alert triggered", "BT9 Policy Enforcement - File Approved", "Barracuda Authentication Activity", "Barracuda Contact Email Address Changed", "Barracuda Content Filter Configured", "Barracuda Firewall Activity", "Barracuda LDAP Configured", "Barracuda Mail Configuration", "Barracuda Mail Scan Setting Configured", "Barracuda Network Activity", "Barracuda Primary DNS Configured", "Barracuda RBL Configured", "Barracuda Relay Host Configured", "Barracuda SSL Certificate Configured", "Barracuda Scan Level Configured", "Barracuda Services Activity", "Barracuda VPN Activity", "Barracuda Virus Scan Configured", "CIFS VFS Message", "Carbon Black Protection Agent Deleted Events", "Carbon Black Protection Agent Health Check", "Carbon Black Protection Agent Restart", "Carbon Black Protection Agent Shutdown", "Carbon Black Protection Cache Check Complete", "Carbon Black Protection Certificate Checked", "Carbon Black Protection Computer Discovered New File", "Carbon Black Protection Console User Login", "Carbon Black Protection Database Error", "Carbon Black Protection Device Attached", "Carbon Black Protection File Approved Due to Custom Rule", "Carbon Black Protection File Discovered (Browser Download)", "Carbon Black Protection File Group Created", "Carbon Black Protection First Execution On Network", "Carbon Black Protection Installation Group Created for File", "Carbon Black Protection New Device Found", "Carbon Black Protection New File Discovered On Startup", "Carbon Black Protection Potential Risk Discovered", "Carbon Black Protection Server Discovered New File", "Carbon Black Protection Service Deleted", "Carbon Black Protection Session Changed", "Checkpoint Module Enabled", "Checkpoint Rule Priority Changed", "Checkpoint Security Level Changed", "Checkpoint User Added To Block List", "Checkpoint User Added To Safe List", "Checkpoint User Deleted From Block List", "Checkpoint User Deleted From Safe List", "Cisco ACE Configuration Replication Status", "Cisco ASA Configuration Operation Ended", "Cisco ASA Configuration Operation Started", "Cisco ASA Virtual Sensor Added", "Cisco ASA Virtual Sensor Deleted", "Cisco FWSM Configuration Operation Started", "Cisco IOS AppleTalk Zone Created", "Cisco IOS CDP Deleted Table Entry", "Cisco IOS DHCP Disabled", "Cisco IOS Device Configured", "Cisco IOS Enter Configuration Mode", "Cisco IOS Port Added To VLAN", "Cisco IOS Port Security Configured", "Cisco IOS Port Security Deactivated", "Cisco IOS Startup Config Saved", "Cisco IOS VLAN Added", "Cisco IOS VLAN Configuration Modified", "Cisco IOS VLAN Deleted", "Cisco IOS VLAN Mode Changed", "Cisco Meraki MX60 Firewall", "Cisco Nexus Port Added", "Cisco Nexus Port Deleted", "Cisco Nexus User Delete Failed", "Cisco PIX Configuration Operation Ended", "Cisco PIX Configuration Operation Started", "Cisco User Privilege Level Changed", "Cisco Users Group Policy Set", "Fortigate Critical System Event", "Fortigate DLP Archive Full", "Fortigate Disc Logfile Deleted", "Fortigate Disk Log Directory Deleted", "Fortigate IPsec Connection Status Changed", "Fortigate IPsec Phase2 Status Changed", "Fortigate IPsec SA Installed", "Fortigate Interface Status Changed", "Fortigate Progress IPsec Phase 1", "Fortigate SSL VPN exit error", "Fortigate Super Admin Left VDOM", "Fortigate System Log", "Fortigate Traffic Forwarded", "Fortinet Configuration Modified", "Fortinet Firmware Upgraded", "Fortinet Recurring Schedule Added", "Fortinet Recurring Schedule Removed", "Fortinet Virtual Domain Disabled", "Fortinet Virtual Domain Enabled", "HP ProCurve Date And Time Changed", "HP ProCurve IGMP Feature Disabled", "HP ProCurve IGMP Feature Enabled", "HP ProCurve LLDP Disabled", "HP ProCurve SSL Disabled", "HP ProCurve SSL Enabled", "HP ProCurve STP Disabled", "HP ProCurve STP Enabled", "HP ProCurve TFTP Enabled", "HP ProCurve VLAN Disabled", "HP ProCurve VLAN Enabled", "Huawei Command Recorded", "Huawei Peer Selected", "Infoblox BloxTools Modified", "Microsec e-Szigno Root Certificate Expiring", "Netscreen AV HTTP Trickling Setting Modified", "Netscreen Configuration Erased", "Netscreen Domain Name Changed", "Netscreen Group Added", "Netscreen Hostname Changed", "Netscreen IP Address Pool Modified", "Netscreen MTU Changed", "Netscreen NSM Disabled", "Netscreen NTP Server Disabled", "Netscreen Ping Disabled", "Netscreen Reporting Settings Modified", "Netscreen SIP Disabled", "Netscreen SIP Enabled", "Netscreen SSH Disabled", "Netscreen SSH Enabled", "Netscreen Security Option Disabled", "Netscreen Security Option Enabled", "Netscreen Service Added", "Netscreen Service Deleted", "Netscreen Syslog Setting Changed", "Netscreen System Configuration Saved", "Netscreen Web-Filter Category Created", "Netscreen Web-Filter Category Deleted", "Nortel Gateway Modified", "Panorama Firewall Configuration Failed", "Panorama Firewall Configuration Succeeded", "Samhain Unable To Resolve Client", "SonicOS Host Added", "SonicOS Host Removed", "SonicOS WAN IP Changed", "Sophos UTM Scan Settings Modified", "Sophos UTM Timezone Settings Modified", "Watchguard Configuration File Updated", "Watchguard Firmware Upgrade Completed", "Watchguard Group Added", "Watchguard IP Request", "Watchguard Module Updated")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
UNIX
Location | Log Search Statement
--- | ---
WHERE | [Message Type] IN ("Apache File Permission Access Denied", "AppDirector File Deleted", "Audience Failed Download", "Audience Failed Listen", "Audience Successful Download", "Audience Successful Listen", "CimTrak Encrypted Session", "CimTrak Lock Status", "CimTrak Management Console", "CimTrak Message", "CimTrak Remote Connection", "Clic File Created", "Clic File Deleted", "Clic File Location Changed", "Clic File Modified", "Cloudmark Failed To Open File", "Cloudmark Failed To Write File", "CommVault ArchFile Created", "FIS Unauthorized User Access For Task", "HP 3PAR Disk Added", "HP 3PAR Disk Removed", "HP 3PAR Virtual Volume Added", "HP 3PAR Virtual Volume Removed", "HP ProCurve Configuration File Deleted", "LoanHD Failed To Unzip File", "LoanHD File Copied", "LoanHD File Created", "LoanHD File Found", "LoanHD File Moved", "LoanHD File Unzipped", "MOVEit DMZ Failed To Delete File", "MOVEit DMZ File Attached", "MOVEit DMZ File Deleted", "MOVEit DMZ File Renamed", "MOVEit DMZ File Uploaded", "McAfee EPO Files Copied By Push Agent", "Monit Failed To Open File", "Ossec Rootcheck System Message", "Ossec Syscheck Added File", "Ossec Syscheck Agent Started", "Ossec Syscheck Checksum Changed", "Ossec Syscheck Deleted File", "Ossec Syscheck File Created", "Ossec Syscheck File Deleted", "Ossec Syscheck Re-Added File", "SAP BusinessObjects Failed To Open File", "Samhain Client File Modified", "Samhain Configuration File Not Found", "Samhain File Access Denied", "Samhain File Monitoring Completed", "Samhain File Monitoring Failed", "Samhain Server File Modified", "Secret Server Object Created", "StealthINTERCEPT Object Modified", "Symantec Anti-Virus New Virus Definition File Loaded", "Symantec Anti-Virus Previous Virus Definition File Loaded", "Syslog Failed To Write File", "Unix FTP Directory Removed", "Unix FTP Failed To Delete File", "Unix FTP File Deleted", "Unix FTP File Renamed", "Unix FTP Successful Created Directory", "Unix File Monitoring Failed", "Unix SVN Repository Access Failed", "Unix Samba Access Denied", "VMware ESX File Create", "VMware ESX File Delete", "VMware ESX File Renamed")
SELECT | SELECT [Time Received], [Message] ORDER BY [Time Received] DESC
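The console searches above only tell you whether a requirement is covered if you run each one and look at the result counts. The script below is an added example, not Alert Logic code: it re-implements the page's WHERE predicates (the IN lists, the 10.2.5 AWS `eventSource`/`CONTAINS_ANY` filter and the 10.2.6 AWS CloudTrail check) as Python functions, applies the same date-range restriction the console applies, and reports every requirement that has zero matching events in the review window, which is the condition an assessor will ask you to explain. Field names mirror the console fields (`Message Type`, `Time Received`, `parsed.json.eventSource`, `parsed.json.eventName`); the Message Type lists are abbreviated (paste the full lists from the tables above), the `AWS CloudTrail Event` Message Type is a placeholder, and every event in `SAMPLE_EVENTS` is constructed for this example.

```python
"""Offline coverage check for the PCI DSS 10.2.x log search statements.

Added example, not Alert Logic code. Re-implements the page's WHERE
predicates over a batch of normalized events and flags requirements
with no hits in the review window. All sample events are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption: one flat dict of console field names per normalized event.


def in_list(field_name, values):
    """Equivalent of `[field] IN ("a", "b", ...)`: exact, case-sensitive match."""
    wanted = frozenset(values)
    return lambda e: e.get(field_name) in wanted


def aws_iam_mutation(e):
    """10.2.5 AWS: IAM API calls that are not read-only, i.e.
    eventSource = iam.amazonaws.com AND NOT eventName CONTAINS_ANY (Get, List, Generate)."""
    name = e.get("parsed.json.eventName", "")
    return (e.get("parsed.json.eventSource") == "iam.amazonaws.com"
            and not any(s in name for s in ("Get", "List", "Generate")))


def cloudtrail_stop_logging(e):
    """10.2.6 AWS: a trail was stopped. The two conditions must test two
    different fields; testing eventName against both strings never matches."""
    return (e.get("parsed.json.eventSource") == "cloudtrail.amazonaws.com"
            and e.get("parsed.json.eventName") == "StopLogging")


# Abbreviated predicates; use the full Message Type lists from the tables.
PREDICATES = {
    "10.2.2 UNIX": in_list("Message Type", [
        "Unix SU Successful Switch User", "Unix SUDO Successful Command",
        "Unix SUDO Authentication Failed"]),
    "10.2.4 Windows": in_list("Message Type", [
        "Windows Login Failed", "Windows SSH Login Failed",
        "Windows Terminal Service Login Failed"]),
    "10.2.4 AWS": in_list("Message Type", ["AWS IAM Console Login Failure"]),
    "10.2.5 AWS": aws_iam_mutation,
    "10.2.6 Windows": in_list("Message Type", [
        "Windows Audit Log Cleared", "Windows Event Log Corrupted"]),
    "10.2.6 AWS": cloudtrail_stop_logging,
}


def search(events, predicate, start, end):
    """SELECT [Time Received], [Message] ... ORDER BY [Time Received] DESC,
    restricted to the date range chosen next to the Search button."""
    hits = [e for e in events if start <= e["Time Received"] <= end and predicate(e)]
    return sorted(hits, key=lambda e: e["Time Received"], reverse=True)


def coverage(events, start, end):
    """Hit count per requirement inside the window."""
    return {req: len(search(events, p, start, end)) for req, p in PREDICATES.items()}


def gaps(events, start, end):
    """Requirements with zero hits: either nothing happened or the log source
    is not reaching Alert Logic. Either way, resolve it before the audit."""
    return sorted(req for req, n in coverage(events, start, end).items() if n == 0)


# Constructed sample events (not real log data); timestamps are UTC.
T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"Time Received": T0 + timedelta(hours=1), "Message Type": "Unix SUDO Successful Command",
     "Message": "sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart sshd"},
    {"Time Received": T0 + timedelta(hours=2), "Message Type": "Windows Login Failed",
     "Message": "An account failed to log on. Account Name: svc_backup"},
    {"Time Received": T0 + timedelta(hours=3), "Message Type": "AWS CloudTrail Event",
     "parsed.json.eventSource": "iam.amazonaws.com",
     "parsed.json.eventName": "AttachUserPolicy", "Message": "AttachUserPolicy -> bob"},
    {"Time Received": T0 + timedelta(hours=4), "Message Type": "AWS CloudTrail Event",
     "parsed.json.eventSource": "iam.amazonaws.com",
     "parsed.json.eventName": "ListUsers", "Message": "ListUsers"},  # read-only, excluded
    {"Time Received": T0 + timedelta(hours=5), "Message Type": "AWS CloudTrail Event",
     "parsed.json.eventSource": "cloudtrail.amazonaws.com",
     "parsed.json.eventName": "StopLogging", "Message": "StopLogging trail/main"},
    # Outside the review window: must not count toward coverage.
    {"Time Received": T0 - timedelta(days=40), "Message Type": "AWS IAM Console Login Failure",
     "Message": "ConsoleLogin Failure for carol"},
]
WINDOW_START, WINDOW_END = T0, T0 + timedelta(days=30)

if __name__ == "__main__":
    for req, n in coverage(SAMPLE_EVENTS, WINDOW_START, WINDOW_END).items():
        print(f"{req:16} {n} hit(s)")
    print("gaps:", gaps(SAMPLE_EVENTS, WINDOW_START, WINDOW_END))
```

With the constructed batch, `gaps()` returns `10.2.4 AWS` (its only event is older than the window) and `10.2.6 Windows` (no event log cleared or corrupted events at all); the `ListUsers` call is correctly dropped from 10.2.5 by the `CONTAINS_ANY` exclusion. Feed the same function an export of your own normalized events for the assessment period to get the list of requirements you still need evidence for.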