SA Cfg: Define a Template for Global Audit Logging

Document created by RSA Information Design and Development on Jul 22, 2016. Last modified by RSA Information Design and Development on Dec 2, 2016.
Version 4

This topic provides instructions on how to define an audit logging template to use for Global Audit Logging. Before you configure Global Audit Logging, configure a Syslog notification server and select an Audit Logging template. You can choose to use a default audit logging template or you can define your own template. 

Security Analytics version 10.5 includes two default audit logging templates:

  • 10.5 Default Audit CEF Template: You can use this template for Log Decoders and third-party syslog servers.
  • 10.5 Default Audit Human-Readable Format: You can use this template only for third-party syslog servers. Do not forward messages from this template to a Log Decoder.

The first procedure provides instructions on how to define an audit logging template for a Log Decoder. The audit logging template defines the format and message fields of the audit logs sent to the Log Decoder or third-party syslog server.

Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:

  • Include the CEF headers in the template.
  • Use only the extensions (Key=Value) listed in the Supported CEF Meta Keys table.
  • Ensure that the extensions are in the key=${string}<space>key=${string} format. 

The second procedure provides instructions on how to define a custom global audit logging template in human-readable format for a third-party syslog server. For third-party syslog servers, you can define your own format (CEF or non-CEF).

Define a Global Audit Logging Template for a Log Decoder

You can use the 10.5 Default Audit CEF Template to send global audit logs to a Log Decoder. If you want to define your own template, follow this procedure.

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Notifications.
  3. Click the Templates tab.
  4. Click  to configure a template.
  5. In the Define Template dialog, provide the following information:
    1. In the Name field, type the name for the template.
    2. In the Template Type field, select the Audit Logging template type.
    3. In the Description field, type a brief description for the template.
    4. In the Template field, enter the format for the audit logging template.
      The following format is a customized template provided as an example. It differs from the default CEF template.
       CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|${operation}|${severity}| rt=${timestamp} src=${sourceAddress} spt=${sourcePort} suser=${identity} sourceServiceName=${deviceService} deviceExternalId=${deviceExternalId} dst=${destinationAddress} dpt=${destinationPort} dvcpid=${deviceProcessId} deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}
      The CEF syslog header (everything from CEF:0 through ${severity}|) is required to conform to the CEF standard and is a requirement for the CEF parser in the Log Decoder. The extension keys that follow the header are optional and you can configure them. The Supported CEF Meta Keys table lists all of the meta keys that the CEF parser in the Log Decoder supports.

Note: Use all of the extensions in the following format: 
deviceProcessName=${deviceProcessName} outcome=${outcome}
Include a <space> between each key=${string} pair in the extension keys section. 

  6. Click Save.

After you define the CEF audit logging template, ensure that you have deployed and enabled the latest Common Event Format (CEF) parser from Live. "Find and Deploy Live Resources" and "Enable and Disable Log Parsers" provide instructions. 

Note: If you need to use a specific meta key for Investigations and Reporting, ensure that the meta keys that you select are indexed in the table-map.xml file on the Log Decoder. If they are not indexed, follow the procedure in the Maintain the Table Map Files topic in the Host and Services Configuration Guide to update the table mappings. Ensure that the meta keys are also indexed in the index-concentrator.xml file on the Concentrator. The Edit a Service Index File topic in the Host and Services Configuration Guide provides additional information.

Define a Custom Global Audit Logging Template

For third-party syslog servers, you can define your own template format (CEF or non-CEF). You can use the 10.5 Default Audit Human-Readable Format template to send global audit logs to a third-party syslog server in a format that is easier to read than the CEF format. If you want to define your own template in human-readable format, follow this procedure.

For Log Decoders, you must use a CEF template that meets some specific requirements. The Define a Global Audit Logging Template for a Log Decoder procedure above provides instructions for creating a template in CEF format.

To define a custom global audit logging template in human-readable format:

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Notifications.
  3. Click the Templates tab.
  4. Click  to configure a template.
  5. In the Define Template dialog, provide the following information:
    1. In the Name field, type the name for the template.
    2. In the Template Type field, select the Audit Logging template type.
    3. In the Description field, type a brief description for the template.
    4. In the Template field, enter the format for the audit logging template. The following example is in human-readable format with selected meta key variables.
       ${timestamp} ${deviceService} [audit] Event Category: ${category} Operation: ${operation} Outcome: ${outcome} Description: ${text} User: ${identity} Role: ${userRole}  
      You can use any of the meta key variables that are supported by global audit logging shown in the Supported Global Audit Logging Meta Key Variables table.
  6. Click Save.

The following example shows global audit logs in human-readable format for this template:

Apr 06 2015 14:16:04 REPORTING_ENGINE [audit] Event Category: CONFIGURATION Operation: Set Outcome: null Description: null User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY

Apr 06 2015 14:16:04 REPORTING_ENGINE [audit] Event Category: CONFIGURATION Operation: IPDBConfig Outcome: SUCCESS Description: Config update event occurred User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY

Apr 06 2015 14:16:04 SA_SERVER [audit] Event Category: DATA_ACCESS Operation: /admin/1/config Outcome: Success Description: null User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY
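The following script is an added example written for this page; it is not RSA code and does not reproduce how Security Analytics renders templates internally. It serves both procedures above: it checks a Log Decoder template against the three CEF rules (header present, only supported extension keys, key=${string} pairs separated by single spaces) and renders an audit event through either the CEF template or the human-readable template. Assumptions, also marked in the code: the set of supported extension keys is built only from the keys in the page's own CEF example because the Supported CEF Meta Keys table is not reproduced here; the escaping applied to CEF header fields and extension values follows the CEF format specification, not anything stated on this page; rendering an unset variable as the literal null is inferred from the page's sample output; and the sample events are constructed.

```python
import re

# Placeholder syntax used by the audit templates: ${variableName}
PLACEHOLDER_RE = re.compile(r"\$\{(\w+)\}")

# Mandatory header for Log Decoder templates, as given in the page's CEF example:
# CEF:0 followed by six header fields, each terminated by '|'.
CEF_HEADER_RE = re.compile(
    r"^CEF:0\|\$\{deviceVendor\}\|\$\{deviceProduct\}\|\$\{deviceVersion\}\|"
    r"\$\{category\}\|\$\{operation\}\|\$\{severity\}\|(?P<ext>.*)$"
)
# One extension token must be exactly key=${variable}
EXT_PAIR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=\$\{([A-Za-z][A-Za-z0-9]*)\}$")

# ASSUMPTION: the Supported CEF Meta Keys table is not on the page, so this set
# contains only the keys used in the page's CEF example template.
SUPPORTED_CEF_KEYS = {
    "rt", "src", "spt", "suser", "sourceServiceName", "deviceExternalId",
    "dst", "dpt", "dvcpid", "deviceProcessName", "outcome", "msg",
}

# The two templates from the page.
CEF_TEMPLATE = (
    "CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|${operation}|${severity}| "
    "rt=${timestamp} src=${sourceAddress} spt=${sourcePort} suser=${identity} "
    "sourceServiceName=${deviceService} deviceExternalId=${deviceExternalId} "
    "dst=${destinationAddress} dpt=${destinationPort} dvcpid=${deviceProcessId} "
    "deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}"
)
HUMAN_TEMPLATE = (
    "${timestamp} ${deviceService} [audit] Event Category: ${category} Operation: ${operation} "
    "Outcome: ${outcome} Description: ${text} User: ${identity} Role: ${userRole}"
)


def lint_cef_template(template):
    """Check the three Log Decoder rules; return a list of problems (empty means OK)."""
    problems = []
    m = CEF_HEADER_RE.match(template.strip())
    if m is None:
        return ["CEF header missing or malformed: the template must start with "
                "CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|"
                "${category}|${operation}|${severity}|"]
    for token in m.group("ext").strip().split(" "):
        if token == "":  # two consecutive spaces produce an empty token
            problems.append("extension pairs must be separated by exactly one space")
            continue
        pair = EXT_PAIR_RE.match(token)
        if pair is None:
            problems.append(f"extension {token!r} is not in key=${{string}} form")
        elif pair.group(1) not in SUPPORTED_CEF_KEYS:
            problems.append(f"extension key {pair.group(1)!r} is not a supported CEF meta key")
    return problems


# CEF escaping rules come from the CEF format specification, not from this page:
# header fields escape '\' and '|'; extension values escape '\', '=' and newlines.
def escape_cef_header(value):
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_cef_extension(value):
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def _fill(part, event, escape):
    # An unset variable renders as the literal "null", matching the page's sample output.
    def repl(m):
        value = event.get(m.group(1))
        return "null" if value is None else escape(str(value))
    return PLACEHOLDER_RE.sub(repl, part)


def render(template, event, cef=False):
    """Render an event through a template; with cef=True apply CEF escaping per section."""
    if not cef:
        return _fill(template, event, lambda v: v)
    pos = -1  # the header is the prefix ending at the seventh '|' (CEF:0 plus six fields)
    for _ in range(7):
        pos = template.index("|", pos + 1)
    header, extensions = template[:pos + 1], template[pos + 1:]
    return _fill(header, event, escape_cef_header) + _fill(extensions, event, escape_cef_extension)


# Constructed sample events: HUMAN_EVENT mirrors the page's third sample line; the
# CEF-only fields (addresses, ports, process id) are made up for this example.
HUMAN_EVENT = {
    "timestamp": "Apr 06 2015 14:16:04", "deviceService": "SA_SERVER", "category": "DATA_ACCESS",
    "operation": "/admin/1/config", "outcome": "Success", "text": None, "identity": "admin",
    "userRole": "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY",
}
CEF_EVENT = {
    "deviceVendor": "RSA", "deviceProduct": "Security Analytics", "deviceVersion": "10.5",
    "category": "CONFIGURATION", "operation": "IPDBConfig", "severity": "0",
    "timestamp": "Apr 06 2015 14:16:04", "sourceAddress": "10.0.0.5", "sourcePort": 52114,
    "identity": "admin", "deviceService": "REPORTING_ENGINE", "deviceExternalId": "re-01",
    "destinationAddress": "10.0.0.10", "destinationPort": 443, "deviceProcessId": 4242,
    "deviceProcessName": "reporting-engine", "outcome": "SUCCESS",
    "text": "Config update event occurred: mode=IPDB",
}

if __name__ == "__main__":
    print(lint_cef_template(CEF_TEMPLATE))                          # []
    print(lint_cef_template(CEF_TEMPLATE.replace(" msg=", "msg=")))  # one missing-space problem
    print(render(HUMAN_TEMPLATE, HUMAN_EVENT))
    print(render(CEF_TEMPLATE, CEF_EVENT, cef=True))
```

Run the linter on a custom Log Decoder template before saving it: a missing space between pairs, a key outside the supported table, or a damaged header (for example the ${oper ation} split that appears when the template is copied from a wrapped page) each surface as a separate message. The CEF renderer escapes '=' in extension values such as msg, which matters for audit text that itself contains key=value fragments; the human-readable renderer applies no escaping, which is acceptable only because that format is never parsed by a Log Decoder.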

Next Step

Define a Global Audit Logging Configuration provides instructions for defining a global audit logging configuration for Security Analytics.
