
Query Auditing

LogRhythm offers additional auditing to track the type of data accessed by analysts during ad hoc and saved searches in both the Client and Web Consoles. When a user runs a query (tail, investigation, drill-down, report, etc.), an audit log entry is generated and written to the LRQueryAuditLog table in the EMDB (Event Management Database). Each entry records the Audit Log ID, Event ID, Event Date, User ID, Object Type ID, and Criteria Info. The table below lists the tools and the actions in each tool that are audited.


LogRhythm Tool / Actions Audited

  • Console
    • Logon
    • LogOff
    • Personal Dashboard
    • Add Host to Known Hosts
    • Search / Drill Down
    • Correlate
    • Contextualize
  • Investigator
    • Add Host to Known Hosts
    • Run
    • Search / Drill Down
    • Correlate
    • Contextualize
  • Tail
    • Run
    • Search
  • Report
    • Run
    • View
    • Search
  • Report Package
    • Run
  • Archive Restoration Wizard
    • Run SecondLook
  • Log Message Viewer
    • View Log Information
  • Log Miner
    • Run Log Miner Investigation
    • Search
    • Correlate
    • Contextualize
  • Alarm Viewer
    • Modify Status of Alarm
    • Open Alarm Viewer
    • View Alarm
  • Web Search
    • Run

Note the following when working with query auditing:

  • The audit data must be obtained by querying the database. Entries are made in the LRQueryAudit table when the following scheduled reports are run using the Job Manager:
    • LogRhythm Auditing Activity Summary By User
    • LogRhythm Auditing Event Detail By User
    • LogRhythm Auditing Event Detail By Date
  • No installation or setup is required. This feature is pre-installed in the Client Console.
  • The query data is stored in the EMDB. Each Elasticsearch query can contain multiple parts and generate multiple lines of data. Ensure there is ample free space on the drive where the EMDB is stored, because the table can grow quickly.
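As an added example (not part of the LogRhythm documentation), the following T-SQL, run against the EMDB, checks how much space the audit table is using and summarizes per-user query volume so that unusually heavy data access stands out. It assumes the column names AuditLogID, EventDate and UserID, derived from the field list above; verify them against the actual LRQueryAuditLog schema before use.

```sql
-- Added example, not LogRhythm's own code. Column names (AuditLogID, EventDate,
-- UserID) are assumed from the documented field list; check your EMDB schema.

-- 1. Space consumed by the audit table (the docs warn it can grow quickly).
EXEC sp_spaceused N'dbo.LRQueryAuditLog';

-- 2. Queries per user per day over the last 7 days.
--    One query can write several rows, so count distinct AuditLogID values
--    rather than raw rows to get the number of queries actually run.
SELECT
    UserID,
    CAST(EventDate AS date)     AS AuditDay,
    COUNT(DISTINCT AuditLogID)  AS QueriesRun,
    COUNT(*)                    AS AuditRows
FROM dbo.LRQueryAuditLog
WHERE EventDate >= DATEADD(day, -7, SYSUTCDATETIME())
GROUP BY UserID, CAST(EventDate AS date)
ORDER BY QueriesRun DESC;

-- 3. Days on which a user ran more than three times their own 30-day
--    average number of queries: a simple baseline for spotting bulk access
--    that merits a closer look at the CriteriaInfo of those entries.
WITH Daily AS (
    SELECT UserID,
           CAST(EventDate AS date)    AS AuditDay,
           COUNT(DISTINCT AuditLogID) AS QueriesRun
    FROM dbo.LRQueryAuditLog
    WHERE EventDate >= DATEADD(day, -30, SYSUTCDATETIME())
    GROUP BY UserID, CAST(EventDate AS date)
),
Baseline AS (
    SELECT UserID, AVG(CAST(QueriesRun AS float)) AS AvgPerDay
    FROM Daily
    GROUP BY UserID
)
SELECT d.UserID, d.AuditDay, d.QueriesRun, b.AvgPerDay
FROM Daily d
JOIN Baseline b ON b.UserID = d.UserID
WHERE d.QueriesRun > 3 * b.AvgPerDay
ORDER BY d.QueriesRun DESC;
```

Run the queries with a read-only account against the EMDB; the first statement only reports size and does not modify the table.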