This procedure is required only if you choose to set up centralized audit logging in your environment. Global audit logging configurations define how the global audit logs are forwarded to external syslog systems or Log Decoders. Audit logs are forwarded to the selected Notification Servers.
Before starting this procedure, configure the following items for use with global audit logging:
- Syslog Notification Server
- Audit Logging Template
You configure the notification server and template on the Global Notifications panel. You can access the Global Notifications panel by clicking the view settings link on the Global Audit Logging Configurations panel. For global audit logging, you can define only a Syslog type of Notification Server. For Log Decoders, use a Syslog type of Notification Server and a Common Event Format (CEF) audit logging template. You can use a default audit logging template or define your own template. You can create multiple audit logging templates and Syslog Notification Servers to use for your global audit logging configurations.
If you are forwarding global audit logs to a Log Decoder, deploy the Common Event Format parser to your Log Decoder from Live.
Configure Global Audit Logging provides additional instructions.
Add a Global Audit Logging Configuration
- In the Security Analytics menu, select Administration > System.
- In the options panel, select Global Auditing.
The Global Audit Logging Configurations panel is displayed.
- Click to add a global audit logging configuration.
The Add New Configuration dialog is displayed.
- In the Configuration Name field, type a unique name for the global audit logging configuration. For example, you can name a configuration for its specific use, such as HQ SA for a Security Analytics headquarters configuration.
- In the Notifications section, select the syslog Notification Server to use for this configuration. The notification server is the destination to which the global audit logs are sent.
- Select the audit logging Notification Template to use for this configuration. The Audit Logging template defines the format and audit log message fields to be sent.
- Click Save.
Add New Configuration Dialog provides additional information and examples of the user actions logged. For a list of message types being logged by the various Security Analytics components, see Global Audit Logging Operation Reference.
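When a configuration pairs a Syslog Notification Server with a CEF audit logging template, you can check the lines arriving at the destination against the CEF layout (seven pipe-delimited header fields followed by key=value extensions). The following Python is an added example, not part of the product or its documentation: `parse_cef` is a hypothetical helper, and the sample lines are constructed and do not show the fields of any Security Analytics template.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
SEVERITY_WORDS = {"Unknown", "Low", "Medium", "High", "Very-High"}
# key=value pairs; a value runs until the next " key=" or the end of the line.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*)(?=\s\w+=|$)")
ESCAPES = {"n": "\n", "r": "\r"}

def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1]); i += 2      # escaped pipe or backslash
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, body[i:]                      # remainder is the extension

def parse_cef(line):
    """Return header fields plus an 'extension' dict; raise ValueError if malformed."""
    start = line.find("CEF:")    # skip any syslog priority/timestamp/host prefix
    if start < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) != len(HEADER):
        raise ValueError("expected 7 header fields, got %d" % len(fields))
    record = dict(zip(HEADER, fields))
    sev = record["severity"]
    if sev not in SEVERITY_WORDS and not re.fullmatch(r"10|[0-9]", sev):
        raise ValueError("severity out of range: %r" % sev)
    record["extension"] = {
        k: re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), v)
        for k, v in EXT_PAIR.findall(ext.strip())
    }
    return record

# Constructed sample lines (not output captured from Security Analytics).
GOOD = (r"<134>Jan 12 10:15:02 host1 CEF:0|ExampleVendor|Audit\|Core|1.0|100|"
        r"User login|5|suser=admin msg=role\=analyst granted outcome=success")
TRUNCATED = "<134>Jan 12 10:15:03 host1 CEF:0|ExampleVendor|Audit|1.0|100|User login"

if __name__ == "__main__":
    print(parse_cef(GOOD))
    try:
        parse_cef(TRUNCATED)
    except ValueError as err:
        print("rejected:", err)
```

A line that fails this check at the destination usually points to a non-CEF template being selected for the configuration or to truncation in transit.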