HI about compliance auditor==>audit rule...I have 2 question: (1)If I only create /modify/copy rule..but I could not delete a rule ? (2)If I set daily records...it only show all records yesterday...If I could query all today record when I set daily ?Because I even set hourly...I still cold not see today record.(after I modify reule from daily to hourly, I check compliance auditor, it still show records yesterday)
First, once you create a Compliance Auditor Rule, it can not be delete. This is by design. You can modify, but not delete.
Second - If you have Compliance Auditor Audit Rule properly configured, (we have to match the criteria in the rule to pull in events), the next option is the frequency of running that Rule. If you choose hourly, it should run each hour, pulling in events that have happened since the last time the Rule was run. Look at "Next Run" time, try changing that time to 2 or 3 minutes ahead of the time now, then watch the unifid.log (Set Log settings to 'Info' and to 'Show all Tasks'. If you do you should see something like this:
Secaudit = Compliance Auditor. The 'secaudit runFilters' task means we've run the configured Compliance Auditor Audit Rules and the events should show up in the Compliance Auditor soon, assuming that we matched events and pulled them in.
It could be a refresh issue. Try going out Compliance Auditor and back in after the rules ran.
Hope this helps.
wyldkao;236528 Wrote: > HI > about compliance auditor==>audit rule...I have 2 question: > (1)If I only create /modify/copy rule..but I could not delete a rule ? > (2)If I set daily records...it only show all records yesterday...If I > could query all today record when I set daily ?Because I even set > hourly...I still cold not see today record.(after I modify reule from > daily to hourly, I check compliance auditor, it still show records > yesterday) > > > wyldkao