SA Cfg: Verify Global Audit Logs

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Sep 25, 2017.

This topic provides instructions on how to verify global audit logs. After you have configured global audit logging, you need to test your global audit logs to ensure that they show the audit events as defined in your global audit logging template. 

Prerequisites

Before starting this task, complete the steps detailed in Configure Global Audit Logging.

Procedure

To view and verify the global audit logs if you are using a Log Decoder:

  1. In the Security Analytics menu, select Investigation > Events.
  2. From within the Navigate view, select the Log Decoder, and click Navigate. The global audit logs appear and display Security Analytics Audit within the logs.
  3. Compare the fields in the global audit logs with the fields defined in the global audit logging template that you used in your global audit logging configuration.
  4. Double-click a log and in the Event Reconstruction dialog, select View Meta.
    (Screenshot: EvntRecViewMeta.png)
  5. Verify that the meta that you want to audit is correct. 

Example CEF Output

The following example shows global audit logs for an audit logging Common Event Format (CEF) template.

Template:

CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|${operation}|${severity}| rt=${timestamp} src=${sourceAddress} spt=${sourcePort} suser=${identity} sourceServiceName=${deviceService} deviceExternalId=${deviceExternalId} dst=${destinationAddress} dpt=${destinationPort} dvcpid=${deviceProcessId} deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}

Example logs:

2015-04-09T18:45:46.313096+00:00 <hostname> CEF:0|RSA|Security Analytics Audit|10.5.0.0|AUTHENTICATION|login|6|rt=Apr 09 2015 18:45:46 src=10.20.252.197 spt=51366 suser=admin sourceServiceName=LOG_DECODER deviceExternalId=96b08193-a9d0-4a79-b362-87b56851f411 outcome=success

2015-04-09T18:45:46.322132+00:00 <hostname> CEF:0|RSA|Security Analytics Audit|10.5.0.0|AUTHENTICATION|logoff|6|rt=Apr 09 2015 18:45:46 src=10.20.204.33 spt=47690 suser=admin sourceServiceName=BROKER deviceExternalId=314fb8c8-afe4-4249-9468-a36035008a52 outcome=success

2015-04-09T18:45:46.325792+00:00 <hostname> CEF:0|RSA|Security Analytics Audit|10.5.0.0|AUTHENTICATION|logoff|6|rt=Apr 09 2015 18:45:46 src=10.20.252.197 spt=59495 suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=96b08193-a9d0-4a79-b362-87b56851f411 outcome=success

Where <hostname> is the syslog header hostname (alias.host).

For CEF templates, if an audit event has no value for a field in the template, that field is omitted entirely from the corresponding event that arrives at the third-party syslog server or Log Decoder (note that dst, dpt, dvcpid, deviceProcessName and msg are absent from the example logs above for this reason).
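The following Python script is an added example, not part of the RSA documentation: it parses one of the CEF audit lines above against the template and lists the extension keys that were dropped because the event carried no value for them, which is the comparison step 3 of the procedure asks for. The hostname in the sample line is a constructed placeholder.

```python
import re

# CEF template exactly as defined in the global audit logging configuration above.
CEF_TEMPLATE = ("CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|"
                "${operation}|${severity}| rt=${timestamp} src=${sourceAddress} spt=${sourcePort} "
                "suser=${identity} sourceServiceName=${deviceService} "
                "deviceExternalId=${deviceExternalId} dst=${destinationAddress} "
                "dpt=${destinationPort} dvcpid=${deviceProcessId} "
                "deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}")

# Constructed sample line copied from the first example log; "sa-host" stands in for <hostname>.
SAMPLE_LINE = ("2015-04-09T18:45:46.313096+00:00 sa-host CEF:0|RSA|Security Analytics Audit|10.5.0.0|"
               "AUTHENTICATION|login|6|rt=Apr 09 2015 18:45:46 src=10.20.252.197 spt=51366 "
               "suser=admin sourceServiceName=LOG_DECODER "
               "deviceExternalId=96b08193-a9d0-4a79-b362-87b56851f411 outcome=success")

HEADER_FIELDS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "category", "operation", "severity"]


def template_extension_keys(template):
    """Return the CEF extension keys (rt, src, ...) named in the template, in order."""
    extension = template.split("|", 7)[7]
    return re.findall(r"(\w+)=\$\{\w+\}", extension)


def parse_cef(line):
    """Split a syslog line carrying a CEF event into a header dict and an extension dict."""
    cef = line[line.index("CEF:"):]
    parts = cef.split("|", 7)
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension values may contain spaces (rt=Apr 09 2015 18:45:46), so split only
    # at whitespace that is immediately followed by the next "key=" token.
    extension = {}
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = value
    return header, extension


def missing_fields(line, template=CEF_TEMPLATE):
    """Template extension keys absent from the event (Security Analytics drops empty fields)."""
    _, extension = parse_cef(line)
    return [key for key in template_extension_keys(template) if key not in extension]


if __name__ == "__main__":
    header, extension = parse_cef(SAMPLE_LINE)
    print(header["category"], header["operation"], extension["suser"], extension["outcome"])
    print("dropped:", missing_fields(SAMPLE_LINE))
```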

Example Human-Readable Format Output

The following example shows global audit logs for an audit logging human-readable format template on a third-party syslog server.

Template:

 ${timestamp} ${deviceService} [audit] Event Category: ${category} Operation: ${operation} Outcome: ${outcome} Description: ${text} User: ${identity} Role: ${userRole} 

Example logs:

Apr 06 2015 14:16:04 REPORTING_ENGINE [audit] Event Category: CONFIGURATION Operation: Set Outcome: null Description: null User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY

Apr 06 2015 14:16:04 REPORTING_ENGINE [audit] Event Category: CONFIGURATION Operation: IPDBConfig Outcome: SUCCESS Description: Config update event occurred User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY

Apr 06 2015 14:16:04 SA_SERVER [audit] Event Category: DATA_ACCESS Operation: /admin/1/config Outcome: Success Description: null User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY
