Restoring and viewing audit results in the investigation center

The investigation center is an extension of the aggregators. Investigation users (when defined) can restore results of selected historic dates and perform forensic investigation. After the data is restored, the investigation users can define and view reports by using the standard Guardium® UI, only in the scope of the investigated dates.

Each Guardium appliance maintains a catalog of all the data and results that have been archived. The catalog records each archive, its location, and the credentials required to access it. The catalog is exported from the collectors and merged into a complete catalog on the aggregator as part of the aggregation process. As an investigation user, you select the dates to restore. The results for these dates are uploaded to the investigation center and merged into that investigation user’s view. In addition to merging collectors’ catalogs through the aggregator, you can export and import catalogs from Manage > Data Management.

Users and Roles

The special investigation role (inv) is available in an aggregator. Users with the inv role can perform forensic investigations on historic data. Only inv users can access the investigation center.

The role inv is a special role that connects the user to a separate, investigation-only internal database. It is usually combined with the role user, and in general it is incompatible with all other roles. The Run an Ad-Hoc Audit Process button is available on all report screens for all users except investigation (inv) users.

Important: The Last Name of the inv user must be one of the three investigation databases: INV_1, INV_2, or INV_3 (case-sensitive).

An investigation user uses the same query and report definitions as any other user. The biggest difference is that the investigation user sees only the data that has been uploaded to the investigation database. Multiple investigators can be configured to share an investigation database. Selected data can be restored from archive, or viewed from the current database if it has not yet been purged. An investigation user can also restore archived audit process results and view them.

Investigation context

The investigation center supports three concurrent investigation periods, named INV_1, INV_2, and INV_3. Each holds its own historic data and provides the means for forensic investigation of that period. When you are logged in to the investigation center, the last name of the user indicates which investigation database you are viewing.

Restore audit results

In the Audit Process builder, you can specify whether the results of a process are archived. Only results of processes marked for archive, and for which all sign-offs are complete, are archived. Results of specific runs are packed, compressed, and stored, and their location is recorded in the catalog. Each archive contains the results themselves, the view and sign-off trails, and the comments associated with those results. Archived results can be restored to an investigation center.

  1. Log in to the Guardium GUI as a user with the inv role.
  2. Go to Manage > Data Management > Audit Results Restore to open the Restored Data page. Any previously restored results are listed. You can click Discard Data to unmount all previously mounted results.
  3. Click Audit Results Restore to open the Results Restore Search Criteria page.
  4. Enter the From: date and the To: date for the time period that you want to search.
  5. Optionally, enter a Host name, Audit Process, or Run Number to further filter the result set.
  6. Click Search to view the result set.
  7. From the result set produced, check the Select box of those results you want to restore.
  8. Click Restore to restore the selected results. Depending on the number of results to restore, and whether the data sets are local to the system, the restore process can take a long time.
  9. You can monitor the progress of the restore process in View Restore Log.

View Restore Log

The restore log lists past and current restore attempts, filtered to those made by the current user.

Go to Manage > Reports > Data Management > My Restore Log to open My Restore Log.

Viewing Restored Audit Results

  1. Log in to the Guardium GUI as a user with the inv role.
  2. Go to Comply > Tools and Views > Audit Results Navigation to open the Audit Process Finder page.
  3. From the drop-down list, select a process.
  4. Click View to open another window and view the available reports for the audit results.