What's New in 1.1
Version 1.1 has numerous new features, but the most important new features are:
Version 1.1 has a new primary window, the Dashboard. The Dashboard has seven tabs presenting different views of the analysis.
Version 1.1 supports filters to flag interesting events. For example, you could flag any access to the file accounting_file except for accesses by the accounting program itself and your backup software. Audit Explorer uses a simple default filter file, but you can set Audit Explorer to use custom-made filter files.
Version 1.1 shows individual shell processes, whether these were created by the Terminal application (each window or tab in a window is a shell) or remote login via ssh. Click on the shell, and you see the commands entered in that shell.
Version 1.1 lets you save the analysis results and reload the analysis later. The analysis file is a fraction of the size of the original BSM audit file, so you can keep them around pretty much forever. Also, loading the analysis file is much, much faster than parsing the original audit trail file.
ae_batch, the Command Line Tool
Version 1.1 has an embedded command line tool called ae_batch that lets you analyze BSM audit trail files and save the results. The primary purpose for including this tool is to let you automate the analysis of audit trail files. You can set launchd to call ae_batch automatically, or you can call it from your own shell script. Furthermore, ae_batch can send a brief summary to an email address as well as automatically upload the full analysis results to a web server (in effect, an audit server).
For more information on using ae_batch, see workflows.
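An added example of the shell-script automation described above; it is not Audit Explorer's own code and is not taken from its documentation. It assumes trails live in /var/audit (the macOS default), that ae_batch accepts a trail file path as its argument (adjust AE_BATCH_CMD to the real invocation on your install), and that a marker file per trail in STATE_DIR records which trails have already been analyzed.

```shell
#!/bin/sh
# Added example, not part of Audit Explorer or its documentation: a wrapper
# script that finds completed BSM audit trail files and hands each one to
# ae_batch exactly once, suitable for calling from launchd or cron.
# Assumptions (not taken from the page): trails live in AUDIT_DIR (the macOS
# default is /var/audit); ae_batch is on PATH and accepts a trail path as its
# argument, so adjust AE_BATCH_CMD to the real invocation on your system; a
# marker file per trail in STATE_DIR records which trails are already analyzed.

AUDIT_DIR="${AUDIT_DIR:-/var/audit}"
STATE_DIR="${STATE_DIR:-$HOME/.ae_batch_done}"
AE_BATCH_CMD="${AE_BATCH_CMD:-ae_batch}"   # assumed: "ae_batch <trail file>"

# Print the trail files in $1 that are finished and have no marker in $2.
# auditd names a closed trail START.END (two timestamps); the trail still
# being written is START.not_terminated and "current" is a symlink to it.
# Both are skipped so a half-written trail is never analyzed.
pending_trails() {
    dir="$1"; state="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # no directories, no empty glob
        [ -L "$f" ] && continue            # skips the "current" symlink
        name=$(basename "$f")
        case "$name" in *.not_terminated) continue ;; esac
        [ -e "$state/$name" ] && continue  # already analyzed on a previous run
        printf '%s\n' "$f"
    done
}

# Analyze each pending trail. A marker is written only when ae_batch exits 0,
# so a trail whose analysis failed is retried on the next run instead of
# silently disappearing from the backlog.
run_pending() {
    dir="$1"; state="$2"
    mkdir -p "$state"
    # Trail names are timestamps with no whitespace, so word splitting is safe.
    for trail in $(pending_trails "$dir" "$state"); do
        if $AE_BATCH_CMD "$trail"; then
            : > "$state/$(basename "$trail")"
        else
            echo "ae_batch failed on $trail, will retry next run" >&2
        fi
    done
}

# Invoke as "sh ae_batch_pending.sh run" from launchd or cron; without the
# argument only the functions are defined, which keeps the file sourceable.
if [ "${1:-}" = "run" ]; then
    run_pending "$AUDIT_DIR" "$STATE_DIR"
fi
```

Point a launchd job or cron entry at the script with the `run` argument, and give STATE_DIR a location that survives reboots so trails are not analyzed twice.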