Unified search

What is the unified search?

The unified search gathers log files from EPM Cloud for Linux. Event log information is retrieved from databases.

Add a new Elasticsearch SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Elasticsearch from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  7. Expand the Elasticsearch section.
  8. Select a Credential Option (either Username and password or API Key) and enter the required information.
  9. Optionally, enter a CloudID to define the instance location.

    Note: You can define the Elasticsearch instance location using two methods within EPM Cloud for Linux:

    • Directly specify the URL: This specifies the location of Elasticsearch but contains no information about the location of Kibana.
    • Provide a CloudID: This encodes the locations of both Elasticsearch and Kibana. Only connections using CloudID can identify the location to deploy the Kibana dashboard.
  10. Click Test Settings.
  11. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.
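The note above says a CloudID encodes the location of both Elasticsearch and Kibana, whereas a plain SIEM URL carries only the Elasticsearch endpoint. The decoder below is an added example, not BeyondTrust's or Elastic's code, and it assumes Elastic's published Cloud ID layout: a deployment name, a colon, then base64 of `host[:port]$elasticsearch-id$kibana-id`, where each id becomes a subdomain of the shared host and the port defaults to 443. The host name and ids used as input are constructed for the example.

```python
import base64

# Assumed Cloud ID layout (Elastic's documented format, not something the
# page states):  <deployment-name>:<base64 of "host[:port]$es_id$kibana_id">
# Each component id is prepended as a subdomain of the shared host.
DEFAULT_PORT = 443


def make_cloud_id(name, host, es_id, kibana_id, port=None):
    """Build a Cloud ID from its parts; used here only to create test input."""
    endpoint = host if port is None else f"{host}:{port}"
    payload = f"{endpoint}${es_id}${kibana_id}".encode("utf-8")
    return f"{name}:{base64.b64encode(payload).decode('ascii')}"


def parse_cloud_id(cloud_id):
    """Decode a Cloud ID into its Elasticsearch and Kibana HTTPS endpoints.

    Malformed input raises ValueError rather than producing a guessed host,
    so a mistyped CloudID fails the connection test instead of silently
    pointing the connection somewhere else.
    """
    name, sep, encoded = cloud_id.partition(":")
    if not sep or not name or not encoded:
        raise ValueError("Cloud ID must look like <name>:<base64>")
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("Cloud ID payload is not valid base64") from exc
    parts = decoded.split("$")
    if len(parts) != 3 or not all(parts):
        raise ValueError("Cloud ID payload must be host$es_id$kibana_id")
    endpoint, es_id, kibana_id = parts
    host, _, port_text = endpoint.partition(":")
    port = int(port_text) if port_text else DEFAULT_PORT
    return {
        "deployment_name": name,
        "elasticsearch_url": f"https://{es_id}.{host}:{port}",
        "kibana_url": f"https://{kibana_id}.{host}:{port}",
    }


if __name__ == "__main__":
    # Constructed deployment name, host and ids (not real endpoints).
    sample = make_cloud_id("my-deployment", "example.cloud.test",
                           "es0123", "kb4567", port=9243)
    for key, value in parse_cloud_id(sample).items():
        print(f"{key:18} {value}")
```

Running it shows why only a CloudID can place the Kibana dashboard: the decoded payload yields two endpoints that share a host and port and differ only in the leading id, and the Kibana id is simply not present in a bare Elasticsearch URL.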

Add a new Logstash SIEM connection

  1. Click > Endpoint Privilege Management for Linux > SIEM Connections.
    The SIEM Connections page displays.
  2. In the SIEM Connections panel, click Add Connection.
    The Create New SIEM Connection page displays.
  3. On the Create New SIEM Connection page, select Logstash from the SIEM Connection Type drop-down list.
  4. Enter a connection Name.
  5. Enter the SIEM URL.
  6. Optionally, select the option to Verify certificate.
    Select this option if using an unknown signer (for example, if a self-signed certificate is in use).
  7. Expand the Logstash Connection Details section.
  8. Enter the Username and password.
  9. Click Test Settings.
  10. If the test is successful, click Save SIEM Connection.
    If the test is unsuccessful, check your settings and try again.

Run a unified search

  1. Click > Endpoint Privilege Management for Linux > Unified Search.
    The Unified Search page displays.
  2. Click Search to search everything, or enter a search query to display the list of events. Search options include:
    • Fuzzy / partial matches: Default. Searching for tree, for example, returns results containing tree as well as pinetree.
    • Exact matches: Use double quotes. Searching for “sudo”, for example, returns only results that contain sudo.
    • Logical AND: Results must contain both values, as in sudo AND emacs.
    • Logical OR: Results may contain either value, as in sudo OR emacs.
    • Logical NOT: Results exclude the value, as in sudo NOT visudo.
    • Operator precedence: Use brackets to group expressions, as in (sudo AND emacs) or (sudo AND vi).
    • Date and time options: Use these to set ranges, including some defaults, and to set begin and end times.

Note: When writing your query, you do not need to capitalize the logical operators (and, or, not).

The result count appears at the bottom right of the grid (as number of items). At the bottom of the grid, you can also find the page count, along with the page navigation icons.
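To make the search options above concrete, the following added example (not BeyondTrust code, and not how the product itself parses queries) implements a small evaluator for the documented syntax and runs it over a handful of constructed event lines: bare words match partially and case-insensitively (tree finds pinetree), double-quoted text must match a whole word, AND/OR/NOT are accepted in any case, NOT excludes the right-hand value from the left-hand results, and brackets override precedence. Two details are assumptions because the page does not state them: OR binds more loosely than AND and NOT, and two terms written side by side with no operator are treated as AND.

```python
import re

# Constructed sample event lines (not from the page or the product); each
# line stands in for one event's searchable text.
SAMPLE_EVENTS = [
    "alice ran sudo emacs /etc/hosts allowed",
    "bob ran sudo vi /etc/sudoers denied",
    "carol ran visudo allowed",
    "dave ran tree /var/log allowed",
    "erin ran pinetree --version allowed",
]

# A token is a double-quoted phrase, a bracket, or a bare word.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\()|(\))|([^\s()"]+)')
_OPERATORS = {"and": "AND", "or": "OR", "not": "NOT"}


def tokenize(query):
    """Split a query into (kind, text) pairs; operators are case-insensitive."""
    tokens = []
    for m in _TOKEN_RE.finditer(query):
        if m.group(1) is not None:
            tokens.append(("EXACT", m.group(1)))
        elif m.group(2):
            tokens.append(("LPAREN", "("))
        elif m.group(3):
            tokens.append(("RPAREN", ")"))
        else:
            word = m.group(4)
            op = _OPERATORS.get(word.lower())
            tokens.append(("OP", op) if op else ("FUZZY", word))
    return tokens


def _fuzzy(term):
    # Partial match: the term may sit inside a longer word (tree -> pinetree).
    needle = term.lower()
    return lambda event: needle in event.lower()


def _exact(term):
    # Exact match: the quoted text must equal a whole whitespace-delimited word.
    return lambda event: term in event.split()


class _Parser:
    """Recursive descent: OR binds loosest (assumption); AND and NOT bind
    tighter and associate left to right; brackets override. Adjacent terms
    with no operator are joined with AND (assumption)."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def _next(self):
        tok = self._peek()
        if tok[0] is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return tok

    def parse(self):
        pred = self._or()
        if self._peek()[0] is not None:
            raise ValueError(f"unexpected token {self._peek()[1]!r}")
        return pred

    def _or(self):
        left = self._and()
        while self._peek() == ("OP", "OR"):
            self._next()
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self._and())
        return left

    def _and(self):
        left = self._primary()
        while True:
            kind, text = self._peek()
            if (kind, text) == ("OP", "AND") or kind in ("FUZZY", "EXACT", "LPAREN"):
                if kind == "OP":
                    self._next()
                left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, self._primary())
            elif (kind, text) == ("OP", "NOT"):
                self._next()
                left = (lambda l, r: lambda ev: l(ev) and not r(ev))(left, self._primary())
            else:
                return left

    def _primary(self):
        kind, text = self._next()
        if kind == "LPAREN":
            inner = self._or()
            if self._next()[0] != "RPAREN":
                raise ValueError("missing closing bracket")
            return inner
        if kind == "FUZZY":
            return _fuzzy(text)
        if kind == "EXACT":
            return _exact(text)
        raise ValueError(f"unexpected token {text!r}")


def search(query, events=SAMPLE_EVENTS):
    """Return the events matching the query; an empty query returns everything
    (the page's 'click Search to search everything')."""
    if not query.strip():
        return list(events)
    matches = _Parser(tokenize(query)).parse()
    return [ev for ev in events if matches(ev)]


if __name__ == "__main__":
    for q in ["tree", '"sudo"', "sudo AND emacs", "sudo NOT visudo",
              "(sudo AND emacs) or (sudo AND vi)",
              '(sudo AND emacs) or ("sudo" AND "vi")']:
        print(f"{q!r:45} -> {[ev.split()[0] for ev in search(q)]}")
```

The last two queries in the usage block show the practical difference between the default partial matching and quoted exact matching: with bare words, `(sudo AND emacs) or (sudo AND vi)` also returns carol's visudo event, because visudo contains both sudo and vi as substrings, while quoting the terms restricts the result to events where sudo and vi are whole words.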

View event details

  1. From the search results, click a row.
    The Event Details panel opens on the right and the event details display.

Download the search results

You can download the search results as a JSON or CSV file.

  1. From the search results, click the Download icon.
  2. Select JSON File or CSV File.
    The file downloads to your Download folder.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.