I am trying to create a report that uses the data imported from a Repo to the Audit database to report on specific Event IDs in the security logs. Is there a way to create a report where I can type in any Event ID, say 1104, and pull the computer and date that the event was triggered? I have several event IDs that are being requested that are not in the report packs and wanted to know how to generate a report for them with Quest Knowledge Portal.
Any feedback is greatly appreciated!
Is your choice of Knowledge Portal deliberate and final? Because for such simple reports as you mentioned we now strongly recommend using Repository Viewer (RV) instead of Audit DB import + SSRS Report Packs + Knowledge Portal. You work with the Repository directly, and the design of reports in RV is much simpler: you can just drag and drop fields to create the layout, and then save the report interactively or schedule it to pdf or csv. Please take a look at the 1104 report I've made in one minute in RV.
I see. The simple way of creating reports is described, for example, here: https://docs.microsoft.com/en-us/sql/reporting-services/tutorial-creating-a-basic-table-report-report-builder. You download Report Builder, connect to SSRS (http://yourSSRS/reportserver), create a report, specify the data source (use the InTrust shared data source, which is /QKP/SharedDataSources/InTrust Audit), then create a simple query and simple layout. The query may be like this:
SELECT Events.EventID, Events.GatheringComputer, Events.Category, Events.[LocalTime]
FROM Events
WHERE EventID = 1104
After that you save the report in some folder to make it available for SSRS and QKP users.
For more complex reports you should learn the InTrust Events Model and all the relations in the DB, which is quite complex, or order new reports via Quest Custom Development.
Unfortunately, I cannot describe here the full technology of creating reports with parameters like this one. And if you "edit" this "Event Log Cleared" report in Report Builder you'll see it doesn't allow you to launch the query designer because the query was created manually. I see 3 ways for you from this point: