SA Cfg: Define a Global Audit Logging Configuration

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by RSA Information Design and Development on Dec 2, 2016.
Version 2

This procedure is required only if you choose to set up centralized audit logging in your environment. These global audit logging configurations define how the global audit logs are forwarded to external syslog systems or Log Decoders. Audit logs are forwarded to the selected Notification Servers.


Before starting this procedure, configure the following to use for global audit logging:

  • Syslog Notification Server
  • Audit Logging Template

You configure the notification server and template on the Global Notifications panel. You can access the Global Notifications panel by clicking the view settings link on the Global Audit Logging Configurations panel. You can only define a Syslog type of Notification Server for global audit logging. For Log Decoders, use a Syslog type of Notification Server and a Common Event Format (CEF) audit logging template. You can use a default audit logging template or define your own template. You can create multiple audit logging templates and Syslog Notification Servers to use for your global audit logging configurations. 

If you are forwarding global audit logs to a Log Decoder, deploy the Common Event Format parser to your Log Decoder from Live.

Configure Global Audit Logging provides additional instructions.  
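
A receiver-side check for the CEF output described above, as an added example that is not part of the RSA documentation: it parses a syslog line carrying a CEF payload into header and extension fields, so you can confirm that a template sends the fields you expect. The sample message, the vendor and product names, and the required-field list are constructed for illustration.

```python
import re

# Constructed sample: syslog prefix plus CEF payload. Vendor, product and field
# values are illustrative and are not taken from an RSA audit logging template.
SAMPLE = (r"<134>Dec  2 10:15:01 sa-host CEF:0|ExampleVendor|ExampleProduct|1.0|"
          r"AUDIT|User \| Role change|6|suser=admin outcome=Success "
          r"msg=role\=Analysts added to jdoe src=192.0.2.10")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")


def _unescape(text):
    # \| \= and \\ become the literal character; \n and \r become line breaks.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)


def parse_cef(line):
    """Return the CEF header fields and extension pairs found in a syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in message")
    # Split on pipes not preceded by a backslash: 7 header fields, then extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header: %d of 7 fields" % len(parts))
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts)}
    ext = parts[7] if len(parts) == 8 else ""
    # A key is a word directly followed by '='; its value runs to the next key,
    # so values may contain spaces and escaped '=' characters.
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    event["extension"] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event["extension"][m.group(1)] = _unescape(ext[m.end():end].strip())
    return event


def missing_fields(event, required=("suser", "outcome")):
    # The required list is an assumption; set it to the fields your template sends.
    return [k for k in required if k not in event["extension"]]


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["name"], parsed["extension"], missing_fields(parsed))
```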

Add a Global Audit Logging Configuration

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Auditing.
    The Global Audit Logging Configurations panel is displayed.
  3. Click the add icon to add a global audit logging configuration.
    The Add New Configuration dialog is displayed.
  4. In the Configuration Name field, type a unique name for the global audit logging configuration. For example, you can name the configuration after its purpose, such as HQ SA for a Security Analytics headquarters configuration.
  5. In the Notifications section, select the syslog Notification Server to use for this configuration. The notification server is the destination to which the global audit logs are sent.
  6. Select the audit logging Notification Template to use for this configuration. The Audit Logging template defines the format and audit log message fields to be sent. 
  7. Click Save.

Add New Configuration Dialog provides additional information and examples of the user actions logged. For a list of message types being logged by the various Security Analytics components, see Global Audit Logging Operation Reference.
