In the Global Audit Logging Configurations panel, you configure global audit logging by adding configurations that define how global audit logs are forwarded to external syslog systems. Global audit logs are forwarded to the selected Notification Server in your global audit logging configuration using the selected Notification Template.
Procedures related to global audit logging are described in Configure Global Audit Logging.
To access the Global Audit Logging Configurations panel:
- In the Security Analytics menu, select Administration > System.
- In the options panel, select Global Auditing.
The Global Audit Logging Configurations panel contains a toolbar and a grid. It also provides a view settings link that takes you to the Global Notifications panel where you can view or configure the notification server and template settings. A Syslog notification server and an Audit Logging notification template are required before you can create a global audit configuration.
The following table describes the icons available in the toolbar.
|Description|
|---|
|Adds a global audit logging configuration.|
|Deletes a global audit logging configuration.|
|Edits a global audit logging configuration.|
The following table describes the features in the grid.
|Feature|Description|
|---|---|
|Checkbox|To select an individual configuration, select the checkbox next to the configuration. To select all configurations, select the checkbox in the title bar of the grid.|
|Name|Displays the name of the global auditing configuration. For example, you can name the configurations based on the destination of the global audit logs, such as HQ SA and My Syslog Server.|
|Notification Server|Displays the Syslog Notification Server selected as the destination for the global audit logs. If you want to forward global audit logs to a Log Decoder, create a Syslog type of Notification Server. Configure a Destination to Receive Global Audit Logs provides instructions on how to create a Syslog Notification Server for global audit logging.|
|Notification Template|Displays the Audit Logging Notification Template selected for the configuration. It defines the format and message fields of the audit log entries. For Log Decoders, use the 10.5 Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions and Supported CEF Meta Keys describes the available CEF meta keys. For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions and Supported Global Audit Logging Meta Key Variables describes the available meta key variables.|