NW Cfg: Configure Centralized Audit Logging (Version 11.3.1 or Later)

Document created by RSA Information Design and Development on Jul 9, 2019Last modified by RSA Information Design and Development on Jul 17, 2019
Version 2Show Document
  • View in full screen mode
  

Configure Centralized Audit Logging (Version 11.3.1 or Later)

RSA NetWitness Platform collects audit logs from all the NetWitness services and aggregates it into a single file in a centralized location on the NetWitness Admin Server. This aggregated log file provides the advantage for faster access and easy analysis of the audit logs.

The aggregated logs from all services are sent to the following centralized location:

  • /var/netwitness/logstash/logs/rsa-netwitness-audit.log (JSON format)
  • Syslog running on the local host (human-readable format)

Centralized audit logging is enabled by default. To forward the aggregated logs to the external syslog system (a third-party Syslog server or Log Decoder), you must configure the Global Audit logging in ADMIN > System > Global Auditing. The aggregated logs are sent in the format specified in the selected Audit Logging template. A Syslog Notification Server configuration defines the destination to send the audit logs. To forward the audit logs to a Log Decoder, configure a Syslog type of Notification Server for the Log Decoder.

Filtering the Aggregated Logs

Before the logs are aggregated, standard filters are applied to the logs to reduce redundancy and filter out logs that are not useful. The filters contain entries that control the content written to the aggregated log file. The following default filters are available in /etc/logstash/ location.

  • json-filter-action.yaml
  • json-filter-category.yaml

json-filter-action.yaml - This filter blacklists the log messages based on the operation meta key and stops the log message being written to aggregated log file. For example, if "/rsa/process/ready":"true" is entered in json-filter-action.yaml, any raw log that contains "/rsa/process/ready" in the operation meta key is blacklisted and not written to aggregated log file.

Note: If you do not want to apply filters, then delete all the default entries and replace with {} character. Note that this increases the log size and the logs may be redundant.

json-filter-category.yaml - This filter whitelists the log messages based on the category meta key and writes the log message to the aggregated log file. For example, if '\b(?i)SECURITY\b':"true" is entered in json-filter-category.yaml, any raw log that contains 'SECURITY' in the category meta key is whitelisted and written to the aggregated log file.

Log Retention Policy

The aggregated log file is retained as per the following default settings:

  • If the file size reaches 250 MB, the file is compressed as a single zip file.
  • If the number of zip files exceed 90, the oldest zip file in the directory is automatically deleted.

You can modify the log retention policy in the file logstash available in /etc/logrotate.d/ location.

Note: The size of the aggregated log file depends on the filters applied, so make sure to set up filters correctly for optimal directory space.

Disable Centralized Audit Logging

If you do not want the logs to be aggregated, in the json-filter-category.yaml filter, delete all the default entries and replace with the {} character.

You are here
Table of Contents > Standard Procedures > Configure Centralized Audit Logging

Attachments

    Outcomes