SA Cfg: Define a Global Audit Logging Configuration

Document created by RSA Information Design and Development on Jul 22, 2016. Last modified by RSA Information Design and Development on Dec 2, 2016.
Version 4

This topic tells administrators how to define a global audit logging configuration. This procedure is required only if you choose to set up centralized audit logging in your environment. These global audit logging configurations define how the global audit logs are forwarded to external syslog systems or Log Decoders. Audit logs are forwarded to the selected Notification Servers.

Prerequisites

Before starting this procedure, configure the following to use for global audit logging:

  • Syslog Notification Server
  • Audit Logging Template

You configure the notification server and template on the Global Notifications panel. You can access the Global Notifications panel by clicking the view settings link on the Global Audit Logging Configurations panel. Only a Syslog type of Notification Server can be used for global audit logging. For Log Decoders, use a Syslog type of Notification Server together with a Common Event Format (CEF) audit logging template. You can use a default audit logging template or define your own. You can create multiple audit logging templates and Syslog Notification Servers and use them in different global audit logging configurations.

If you are forwarding global audit logs to a Log Decoder, deploy the Common Event Format parser to your Log Decoder from Live.

Add a Global Audit Logging Configuration

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Auditing.
    The Global Audit Logging Configurations panel is displayed.
  3. Click  to add a global audit logging configuration.
    The Add New Configuration dialog is displayed.
  4. In the Configuration Name field, type a unique name for the global audit logging configuration. For example, you could name the configuration for a Security Analytics headquarters deployment HQ SA.
  5. In the Notifications section, select the syslog Notification Server to use for this configuration. The notification server is the destination to send the global audit logs.
  6. Select the audit logging Notification Template to use for this configuration. The audit logging template defines the format of the audit log messages and the fields they contain.
  7. Click Save.

The Add New Configuration Dialog topic provides additional information and examples of the user actions that are logged. For a list of the message types logged by the various Security Analytics components, see Global Audit Logging Operation Reference.
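After saving a configuration, the practical check is whether the syslog Notification Server is actually receiving well-formed CEF audit messages. The following Python is an added example, not RSA code: it parses CEF-in-syslog lines (the header layout is fixed by the CEF specification) and flags lines that fail to parse or lack expected extension keys. The sample lines, the vendor and product strings, and the required keys (suser, act, outcome) are constructed placeholders, because the fields Security Analytics emits are determined by the audit logging template you selected.

```python
import re
# CEF header (fixed by the CEF spec): CEF:Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension
# Escapes: '|' in a header field is '\|', '\' is '\\', and '=' inside an extension value is '\='.
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")
def _split_header(rest):
    """Split the text after 'CEF:' on unescaped '|' into the 7 header fields plus the extension remainder."""
    parts, cur, i = [], [], 0
    while i < len(rest) and len(parts) < 7:
        if rest[i] == "\\" and i + 1 < len(rest):  # escape: keep the next character literally
            cur.append(rest[i + 1]); i += 2
        elif rest[i] == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(rest[i]); i += 1
    if len(parts) < 7:
        raise ValueError("malformed CEF header: fewer than 7 '|'-separated fields")
    return parts + [rest[i:]]
def _parse_extension(ext):
    """Parse 'key=value key=value'; values may contain spaces and escaped '=' signs."""
    keys, out = list(_EXT_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out
def parse_cef_syslog(line):
    """Parse one syslog line carrying a CEF payload into the header fields plus an 'extension' dict."""
    start = line.find("CEF:")
    if start < 0: raise ValueError("no CEF payload in syslog line")
    parts = _split_header(line[start + 4:])
    return {**dict(zip(HEADER_FIELDS, parts[:7])), "extension": _parse_extension(parts[7].strip())}
def check_forwarded_lines(lines, required=("suser", "act", "outcome")):
    """Return (well-formed records, problems); flag lines that do not parse or lack a required key."""
    good, problems = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = parse_cef_syslog(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}"); continue
        missing = [k for k in required if k not in rec["extension"]]
        if missing: problems.append(f"line {n}: missing extension keys {missing}"); continue
        good.append(rec)
    return good, problems
# Constructed sample lines (not real Security Analytics output); vendor, product and key names are placeholders.
SAMPLE_LINES = [
    "<14>Dec 02 10:15:01 sa-server CEF:0|VendorX|ProductY|10.6|LOGIN|User login|3|rt=1480673701000 suser=alice src=10.0.0.5 act=login outcome=success",
    "<14>Dec 02 10:15:09 sa-server CEF:0|VendorX|ProductY|10.6|QUERY|Query \\| export|2|suser=bob act=query outcome=success msg=select\\=1 from meta",
    "<14>Dec 02 10:15:12 sa-server CEF:0|VendorX|ProductY|10.6|LOGIN|User login|3|suser=carol",  # act/outcome missing
    "<14>Dec 02 10:15:20 sa-server audit: plain text, template not applied",  # no CEF payload at all
]
```

Run check_forwarded_lines over lines captured at the syslog destination; an empty problems list with a non-empty good list confirms the template and server pairing is producing parseable CEF.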

Edit a Global Audit Logging Configuration

This topic provides instructions on how to edit a global audit logging configuration. You can edit a global audit logging configuration to change the destination of the global audit logs for your user audits by selecting a different Notification Server. You can also change the format and message fields of the global audit log entries by selecting a different Notification Template. You make changes to the Notification Server or Template on the Global Notifications panel. You can access the Global Notifications panel by clicking the view settings link on the Global Audit Logging Configurations panel.

You cannot change which Security Analytics user actions are logged and sent in the global audit logs.

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Auditing.
  3. In the Global Audit Logging Configurations panel, select a configuration to edit and click.
  4. In the Add New Configuration dialog, modify the global audit logging configuration as required. You can modify the Configuration Name and select a different Notification Server or Template.
  5. Click Save.

Delete a Global Audit Logging Configuration

Deleting a global audit configuration does not delete the associated notification server and template. After you delete a global audit logging configuration, the forwarding of global audit logs specified in that configuration is discontinued.

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Auditing.
  3. In the Global Audit Logging Configurations panel, select a configuration to delete and click .
    A confirmation dialog is displayed.
  4. Click Yes.
    The selected configuration is deleted.