A good Audit log needs to be searchable. Proper indexing on actors, actions, and targets is essential to being able to isolate and drill down into the history of application objects and events.
Generally, actors, event names, and IPs are all linked so that you can filter down to related activity. The viewer should allow the account admin to specify a date range to filter in conjunction with other filters and searches.
In order to effectively search over the data it is helpful to implement search operators that allow the end user to specify which fields they’d like to match. The Replicated Audit Log Service implements this in the Embedded Viewers.
Structured (Advanced) Search
If you use the advanced search syntax, you can perform very specific and exact searches to find the data you are looking for. The syntax for this is `key:value`. For example, to search for all events that have an action that starts with `user.`, you could enter the following query:
This table shows the supported advanced searches:
| Key | Description | Example |
|---|---|---|
| `action` | Matches events with the action equal to the value. This supports trailing wildcards. | |
| `crud` | Matches events with crud type equal to any of the values. | |
| `received` | Matches events with the received field in the range. This accepts two comma-separated ISO 8601 datetimes. Either start or end may be omitted to search an unbounded time range. | |
| `created` | Matches events with the created field in the range. | `created:2017-05-01,2017-05-02` |
| `actor.name` | Matches events performed by an actor whose name contains the value. | `actor:Smith` |
| `actor.id` | Matches events performed by the actor with the exact id value. | `actor:b82c4cfa428342ac822c42c1f6b89200` |
| `description` | Matches events with a description containing the terms in the value. | `description:“elevated escalated”` |
| `location` | Matches events performed in a geographic region equal to the value. | `description:“Los Angeles”` |
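To make the `key:value` semantics in the table concrete, here is an added example of a small query evaluator that applies those operators to in-memory events; it is not Replicated's code. It assumes space-separated terms that AND together, `*` as the trailing wildcard character for `action`, comma-separated values for `crud`, and constructed sample events in a simple nested-dict shape.

```python
import shlex
from datetime import datetime, timezone

# Constructed sample events in the shape the search keys above refer to (not from the page).
EVENTS = [
    {"action": "user.login", "crud": "r", "received": "2017-05-01T10:00:00Z",
     "created": "2017-05-01T09:59:58Z", "actor": {"name": "Jane Smith", "id": "a1"},
     "description": "user logged in", "location": "Los Angeles"},
    {"action": "user.role.update", "crud": "u", "received": "2017-05-02T12:00:00Z",
     "created": "2017-05-02T11:59:59Z", "actor": {"name": "Bob Jones", "id": "b2"},
     "description": "elevated privileges escalated to admin", "location": "Berlin"},
    {"action": "document.delete", "crud": "d", "received": "2017-05-03T08:00:00Z",
     "created": "2017-05-03T07:59:00Z", "actor": {"name": "Jane Smith", "id": "a1"},
     "description": "deleted quarterly report", "location": "Los Angeles"},
]

def _ts(s):
    # ISO 8601 -> aware datetime; 'Z' is normalised and a bare date is taken as UTC midnight.
    d = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)

def _in_range(value, spec):
    # "start,end": either side may be empty, giving an unbounded range (as the table states).
    start, _, end = spec.partition(",")
    t = _ts(value)
    return (not start or _ts(start) <= t) and (not end or t <= _ts(end))

def _match(event, key, value):
    if key == "action":  # exact match; a trailing '*' (assumed wildcard char) matches a prefix
        return event["action"].startswith(value[:-1]) if value.endswith("*") \
            else event["action"] == value
    if key == "crud":  # any of the comma-separated crud types (assumed separator)
        return event["crud"] in value.split(",")
    if key in ("received", "created"):
        return _in_range(event[key], value)
    if key == "actor.name":  # name contains the value, case-insensitive
        return value.lower() in event["actor"]["name"].lower()
    if key == "actor.id":  # exact id
        return event["actor"]["id"] == value
    if key == "description":  # every term in the value must appear in the description
        return all(w in event["description"].lower() for w in value.lower().split())
    if key == "location":  # region equal to the value
        return event["location"] == value
    raise ValueError(f"unsupported search key: {key}")

def search(events, query):
    """Return the events matching every key:value term of the query (terms AND together)."""
    query = query.replace("\u201c", '"').replace("\u201d", '"')  # accept curly quotes too
    terms = [t.split(":", 1) for t in shlex.split(query)]  # split on the first ':' only
    return [e for e in events if all(_match(e, k, v) for k, v in terms)]
```

Splitting each term on the first colon only is what lets datetime values such as `received:2017-05-01T10:00:00Z,` keep their own colons.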