Security Analytics has global audit logging capabilities. When you configure global audit logging, audit logs from all Security Analytics components are collected in a centralized system, which converts them into the required format and forwards them to a third-party syslog server or a Log Decoder.
To view the audit logs of an individual service, look at the local audit log locations listed below.
Local Audit Log Locations
The following table shows the local directory paths of the audit logs for the Security Analytics user interface and the various Security Analytics services.
| Service/Module | Audit Log Location |
|---|---|
| Security Analytics User Interface (Security Analytics Web Server) | The Security Analytics user interface sends audit logs to the following locations: |
| Security Analytics Core Services (Decoder, Log Decoder, Concentrator, Broker, and Archiver), Log Collector, Warehouse Connector, Workbench, and IPDB Extractor | The Security Analytics Core services and similar services send audit logs to syslog running on the local host. Path: /var/log/secure (JSON format). Security Analytics Core services use the AUTHPRIV facility of syslog to write audit logs to syslog. |
| Incident Management, and Event Stream Analysis (ESA) | These services send audit logs to the following locations: <application home directory>/logs/audit/audit.log (first location) and the local syslog. These services use the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (<application home directory>/logs/audit/audit.log). |
| Health & Wellness, Event Source Management (ESM), and Appliance and Service Grouping (ASG) | These services send audit logs to the following locations: |
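Because the Core services write their JSON audit records through the AUTHPRIV facility into /var/log/secure, they land in the same file as every other authpriv message on the host (sshd logins, sudo invocations, and so on). Before those records can be reviewed or shipped anywhere, they have to be picked out of that mixed file. The following Python is an added example of that triage step; it is not code from Security Analytics or its documentation. The syslog program name (NwDecoder), the host name, and the JSON field names (timestamp, category, operation, userName, sourceAddress, outcome, service) are assumptions made for illustration, since the page only states that the records are JSON written via AUTHPRIV; the log excerpt is constructed, and its last line is deliberately truncated to show how a malformed record is reported rather than silently dropped.

```python
"""Separate Security Analytics JSON audit records from the other AUTHPRIV
messages that share /var/log/secure (sshd, sudo, ...).

Added example; not product code. Program name, host name and JSON field
names are assumptions for illustration, not a documented schema.
"""
import json
import re
from collections import Counter

# Classic BSD syslog line: "Mar  4 10:15:03 host program[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

# Constructed excerpt of /var/log/secure. Lines 2, 4 and 5 imitate core-service
# audit records (assumed program name "NwDecoder" and assumed field names);
# line 5 is deliberately truncated to exercise the malformed-record path.
SAMPLE_SECURE_LOG = """\
Mar  4 10:15:01 sa-decoder sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Mar  4 10:15:03 sa-decoder NwDecoder[1320]: {"timestamp":"2015-03-04T10:15:03Z","category":"Config","operation":"setConfig","userName":"admin","sourceAddress":"10.0.0.5","outcome":"success","service":"decoder"}
Mar  4 10:15:07 sa-decoder sudo:    admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
Mar  4 10:15:09 sa-decoder NwDecoder[1320]: {"timestamp":"2015-03-04T10:15:09Z","category":"Authentication","operation":"login","userName":"analyst","sourceAddress":"10.0.0.9","outcome":"failure","service":"decoder"}
Mar  4 10:15:11 sa-decoder NwDecoder[1320]: {"timestamp":"2015-03-04T10:15:11Z","category":"Authentication","operation":"login","userName":"analyst","sourceAddress":"10.0.0.9","outcome":"failure","service":"decoder"
"""


def parse_syslog_line(line):
    """Split one BSD-format syslog line into its header fields and message.

    Returns None for lines that do not carry a syslog header at all.
    """
    match = SYSLOG_LINE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def extract_audit_records(text):
    """Return (records, problems) for a /var/log/secure excerpt.

    records:  one dict per well-formed JSON audit record, keeping the syslog
              host/program/pid alongside the decoded JSON body under "audit".
    problems: raw lines whose message starts with '{' (so they were meant to
              be audit records) but failed to decode; these are returned,
              never silently dropped, because a gap in an audit trail matters.
    Plain-text AUTHPRIV messages (sshd, sudo) are skipped as non-audit data.
    """
    records, problems = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_syslog_line(line)
        if parsed is None or not parsed["msg"].startswith("{"):
            continue
        try:
            body = json.loads(parsed["msg"])
        except json.JSONDecodeError:
            problems.append(line)
            continue
        records.append({
            "host": parsed["host"],
            "program": parsed["tag"],
            "pid": parsed["pid"],
            "audit": body,
        })
    return records, problems


def outcome_by_user(records):
    """Count audit records per (userName, outcome): a quick triage view that
    surfaces repeated failures for one account."""
    return Counter(
        (rec["audit"].get("userName", "?"), rec["audit"].get("outcome", "?"))
        for rec in records
    )


if __name__ == "__main__":
    recs, bad = extract_audit_records(SAMPLE_SECURE_LOG)
    for rec in recs:
        print(rec["host"], rec["program"], rec["audit"]["operation"], rec["audit"]["outcome"])
    for (user, outcome), n in sorted(outcome_by_user(recs).items()):
        print(f"{user}: {outcome} x{n}")
    for line in bad:
        print("MALFORMED:", line)
```

To run it against a real host, replace SAMPLE_SECURE_LOG with the contents of /var/log/secure and adjust the program-name and field-name assumptions to whatever the records on that host actually contain; the point to keep is that JSON lines that fail to decode are reported, since on a shared AUTHPRIV file a malformed audit record is easy to mistake for ordinary noise.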