Question on Queries

js88888888
Level 1

I have my Windows domain controllers set up in MARS and have verified logs are being pulled. I'm unclear as to what MARS can do for me if I'm looking to run a query on a particular active directory user. Is MARS polling for just failed logons or all logon events? How would I go about querying for all logon events (success/fail) for a particular user (if that's possible)?

thanks!

js

3 Replies

mhellman
Level 7

I've never used the pull method, but based on the user guide it should pull events from the security, application, and system event logs.

If you don't know what event types you're after and you're in a smaller shop, probably the easiest way to see all events for a particular user is to select their userid in the "reported user" column of the query. You can use the default query type of "event types ranked by sessions". You can then click on the event type you're interested in to begin drilling down.

thanks much.

Can you give me just a little more guidance? I run the query, get the results, but am not sure how to go about choosing which report, etc. I would just like a single report for a user that lists all activity within the query time range. Is that possible out of the box or do I have to create some sort of custom report?

I don't think it will be as functional as you'd like it to be, but I would recommend using a keyword for that. The reason being that a user will typically have multiple MARS username entries because of differences between systems (some have domain context, some don't, etc).

Use the default result format "event types ranked by sessions". Enter the username in the keyword column. Enter your date range. Press Enter. Is that close to what you're looking for?
