SA Cfg: Configure Global Audit Logging

Document created by RSA Information Design and Development on Jul 29, 2016Last modified by RSA Information Design and Development on Dec 2, 2016
Version 2Show Document
  • View in full screen mode

Global Audit Logging is configured in the Global Audit Logging Configurations panel, which is accessed from Administration System view > Global Auditing. Before you can configure Global Audit Logging, you need to configure a Syslog Notification Server and an Audit Logging template. A Syslog Notification Server defines the destination to send the audit logs. An Audit Logging template defines the format and message fields of the audit log entry. 

The Global Audit Logging Configuration panel provides a view settings link that takes you to the Global Notifications panel (Administration System view > Global Notifications) where you can configure the Syslog Notification Server and Audit Logging template. Global Audit Logging Overview provides additional details. 

Perform the following procedures in the order shown to configure Global Audit Logging.

  1. Configure a Syslog Notification Server. 
Configure a Syslog Notification Server to use for Global Audit Logging. You can define a third-party syslog server or Log Decoder as a destination to receive the audit logs.
Configure a Destination to Receive Global Audit Logs provides instructions. Global Audit Logging configurations use the Syslog notification server type. If you want to forward audit logs to a Log Decoder, create a Notification Server of the Syslog type. 
  1. Select or configure an Audit Logging template to use.
Select an Audit Logging template for the Syslog notification server. You can use a default Audit Logging template or define your own audit logging template. Global Audit Logging configurations use the Audit Logging template type and a Syslog notification server.
Configure Templates for Notifications provides additional information.
For Log Decoders, use the 10.5 Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions. 
For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions andSupported Global Audit Logging Meta Key Variables describes the available variables.
  1. (Optional - Only if consuming with a Log Decoder) Deploy the Common Event Format parser to your Log Decoder from Live. 
Ensure that you have deployed and enabled the latest Common Event Format parser from Live. Step 3: Find and Deploy Live Resources and Step 3: Enable and Disable Log Parsers provide instructions. 
  1. Define a global audit logging configuration, which defines how the global audit logs are forwarded to external Syslog systems. 
Define a Global Audit Logging Configuration provides instructions. After you add a Global Audit Logging configuration, audit logs are forwarded to the selected Notification Server in the configuration.
  1. Verify that the global audit logs show the audit events. 
Test your audit logs to ensure that they show the audit events as defined in your audit logging template. Verify Global Audit Logs provides instructions.
You are here
Table of Contents > Standard Procedures > Configure Global Audit Logging