Viewing auditing events

Auditing events are stored in the core database in XML format. When you double-click an auditing event to view it, you see the logged XML items associated with that event. The items logged depend on the auditing event.

The default auditing event queries cover these time periods:

• Last 30 days
• Last 7 days
• Last day

To view auditing events with the default queries

1. Click Tools > Administration > Auditing.
2. In the Default queries tree, click the query you want.

You can also create custom filters for the auditing queries. For more information, see Creating filters for auditing event queries.

Identifying what changed in an auditing event

Some auditing events can involve many changes, such as those involving agent setting changes. In these cases, it can be hard to identify in the XML what changed in the audited event.

To help with this, the auditing tool includes support for a diff tool of your choice that you can use to compare an audited event XML file with the event's state before it was changed.

To configure auditing diff tool support

1. Click Tools > Administration > Auditing.
2. In the auditing toolbar, click the Enter diff tool configuration button.
3. Enter the Compare tool path to your diff tool executable.
4. Customize the command line for your diff tool if necessary. %1 is the selected auditing event's original XML data and %2 is the selected auditing event's current XML data. You must include both the %1 and %2 parameters for the diff to work.
5. Click the Save button.

To view auditing event XML data differences

1. Double click the auditing event you want to check for differences.
2. In the Audit entry detail dialog box, click the Differences button.
3. View the differences in the diff tool you configured.