In the RSA Security Analytics Administration System view Global Audit Logging Configurations panel, you can create multiple global audit logging configurations. These configurations are used to forward global audit logs to a central location to perform user audits.
Procedures related to global audit logging are described in Configure Global Audit Logging.
To access the Add New Configuration dialog:
- In the Security Analytics menu, select Administration > System.
- In the options panel, select Global Auditing.
- In the Global Audit Logging Configurations panel, click .
The Add New Configuration dialog is displayed.
The Notifications section enables you to select a syslog notification server for the global audit logging configuration and a template to use for the global audit logs. The template defines the details of the global audit log entries.
The following table describes the features in the Add New Configuration and Edit Configuration dialogs.
|Notifications Servers and Templates view settings link||The view settings link takes you to the Global Notifications panel where you can view or configure the notification server and template settings. A syslog notification server and an audit logging template are required before you can create a global audit configuration.|
|Configuration Name||Specifies the unique name used to identify the global audit logging configuration.|
|Notification Server||Specifies the syslog notification server to send the selected audit log information. Configure a Destination to Receive Global Audit Logs provides instructions on how to create a Syslog Notification Server for global audit logging.|
|Notification Template||Specifies the template to use for the global audit logging configuration. The template should be an Audit Logging template.|
For Log Decoders, use the 10.5 Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions.
For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF).Define a Template for Global Audit Logging provides instructions and Supported Global Audit Logging Meta Key Variables describes the available variables.
|Reset Form button||Clears the configuration settings in the dialog.|
User Actions Logged
The following table provides examples of some of the user actions logged from Security Analytics. These actions are the minimum user actions logged when applicable.
|User login success||A user logs on with valid credentials.|
|User login failure||A user tries to log on using invalid credentials.|
|User logouts||A user logs out from Security Analytics (Administration > Sign Out) or a user logs out due to a session timeout.|
|Max login failures exceeded||A user tries to log on using invalid credentials five times. Five (5) is the number of Max Login Failures defined in Administration Security view > Settings tab (Administration > Security > Settings tab).|
|All UI pages accessed||When a user accesses the Reporting module (Administration > Reports), it logs as [REP] Reports. When a user accesses the Administration System view (Administration > System), it logs as [ADM] System.|
|Committed configuration changes||A user changes his or her password and or any security setting (Administration > Security > Settings tab).|
|Queries performed by the user||A user performs an investigation query.|
|User access denied||A user tries to access a module and does not have permissions to access it.|
|Data export operations||A user exports data from the Events view (Investigation > Events > Actions > Export).|
For lists of message type being logged by the various Security Analytics components, see Global Audit Logging Operation Reference.