SA Cfg: Add New Configuration Dialog

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by Shree Kulkarni on Jul 25, 2018.

In the Global Audit Logging Configurations panel of the RSA Security Analytics Administration System view, you can create multiple global audit logging configurations. Each configuration forwards global audit logs to a central syslog destination so that user activity can be audited in one place.

Procedures related to global audit logging are described in Configure Global Audit Logging.

To access the Add New Configuration dialog:

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Global Auditing.
  3. In the Global Audit Logging Configurations panel, click the add icon.
    The Add New Configuration dialog is displayed.
    [Figure: Add New Configuration dialog (GALcfgDb.png)]

    The Notifications section enables you to select a syslog notification server for the global audit logging configuration and a template to use for the global audit logs. The template defines the details of the global audit log entries.

Features

The following table describes the features in the Add New Configuration and Edit Configuration dialogs.

Feature: Description

Notifications Servers and Templates view settings link: Takes you to the Global Notifications panel, where you can view or configure the notification server and template settings. A syslog notification server and an audit logging template must already exist before you can create a global audit logging configuration.

Configuration Name: The unique name that identifies the global audit logging configuration.

Notification Server: The syslog notification server that receives the selected audit log information. Configure a Destination to Receive Global Audit Logs describes how to create a syslog notification server for global audit logging.

Notification Template: The template used to format the entries for this global audit logging configuration. The template must be an Audit Logging template.
    For Log Decoders, use the 10.5 Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements; Define a Template for Global Audit Logging provides instructions.
    For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions, and Supported Global Audit Logging Meta Key Variables describes the available variables.

Reset Form button: Clears the configuration settings in the dialog.

User Actions Logged

The following table lists examples of the user actions logged by Security Analytics. These are the minimum user actions logged when applicable.

User Action: Description

User login success: A user logs on with valid credentials.

User login failure: A user tries to log on using invalid credentials.

User logout: A user logs out of Security Analytics (Administration > Sign Out), or a user's session ends because of a session timeout.

Max login failures exceeded: A user tries to log on using invalid credentials more times than the Max Login Failures setting allows (five in the examples below). The setting is defined in the Administration Security view, Settings tab (Administration > Security > Settings tab).

All UI pages accessed: Each module or view a user opens is logged. For example, opening the Reporting module (Administration > Reports) logs as [REP] Reports, and opening the Administration System view (Administration > System) logs as [ADM] System.

Committed configuration changes: A user changes his or her password or any security setting (Administration > Security > Settings tab).

Queries performed by the user: A user runs an investigation query.

User access denied: A user tries to access a module without the permissions required for it.

Data export operations: A user exports data from the Events view (Investigation > Events > Actions > Export).


The following table shows examples of the internal audit log entries that Security Analytics writes for these actions. The entry shown for a failed logon was labelled "User access denied" in an earlier revision of this table; its content (operation "Logon", outcome "Failure", "Bad credentials") is a login failure, and it is labelled as such here.

User Action: Audit Log Example

User login success:
2018-07-20 04:52:53,514 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Success" identity: "testuser" userRole: "Administrators+Administrators" userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" referrerURL: "10.42.43.32"

User login failure:
2018-07-20 04:57:36,799 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Failure" text: "Bad credentials" identity: "testuser" userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" referrerURL: "10.42.43.32"

User logout:
2018-07-20 04:55:47,817 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logoff" outcome: "Success" identity: "testuser" userRole: "Administrators+Administrators"

Max login failures exceeded:
2018-07-20 04:59:39,882 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: SECURITY operation: "Account Locked" outcome: "Success" identity: "Unknown identity"

User account unlock:
2018-07-20 05:02:53,979 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: CONFIGURATION operation: "Modified" outcome: "Success" key: "user" text: "Unlocked User [testuser] by admin from 10.42.43.32" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"

All UI pages accessed:
2018-07-20 04:52:53,990 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: SYSTEM operation: "Page Accessed" outcome: "Success" key: "[UNF] Dashboard" identity: "testuser" userRole: "Administrators+Administrators"

Committed configuration changes (two entries per change):
2018-07-20 04:45:15,548 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: CONFIGURATION scope: "SecurityConfiguration" operation: "Modified" key: "SecurityConfiguration" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"
2018-07-20 04:45:15,560 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: CONFIGURATION severity: 20000 scope: "SecurityConfiguration" operation: "commit" key: "securityConfiguration" text: "SecurityConfiguration changed by admin" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"

Queries performed by the user:
2018-07-20 05:11:03,962 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "query" parameters: "NativeQueryMessage{ deviceId=6, isAppliancePath=false, timeout=null, collectionName=\'\', appliancePath=false, sdkPath=\'/sdk\', metaIdRange=FieldIdRange [ beginId=1, endId=293 ], size=25, flags=0, query=\'select sessionid where (device.class = \'firewall\') && time=\"2018-07-20 04:40:00\"-\"2018-07-20 05:09:59\"\', threshold=null}" outcome: "Success" identity: "testuser" userRole: "Administrators+Administrators"

Data export operations:
2018-07-20 05:19:20,240 deviceVersion: "10.6.4.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "submitExtractLogs" parameters: "deviceId=6 collectionName=null predicateHandle=1 sessionIds=[1, 2, 3, 4, 5, 6, 7, 8, 9, 10] exportFormat=RAWLOGS startDate=null endDate=null id1=0 id2=0" outcome: "Success" identity: "testuser" userRole: "Administrators+Administrators"

 
The following table shows examples of global audit logs produced with the default Common Event Format (CEF) template. After you create a global audit logging configuration, audit logs are sent automatically to the external syslog system in the format defined by the selected Audit Logging template. Note that the two CONFIGURATION entries for a committed change carry no outcome field, and that an Account Locked entry reports suser as "Unknown identity" rather than the locked account.

User Action: CEF Template Output

User login success:
Jul 20 04:52:53 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|AUTHENTICATION|Logon|6|rt=Jul 20 2018 04:52:53 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success

User login failure:
Jul 20 04:57:36 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|AUTHENTICATION|Logon|6|rt=Jul 20 2018 04:57:36 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Failure msg=Bad credentials

User logout:
Jul 20 04:55:47 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|AUTHENTICATION|Logoff|6|rt=Jul 20 2018 04:55:47 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success

Max login failures exceeded:
Jul 20 04:59:39 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|SECURITY|Account Locked|6|rt=Jul 20 2018 04:59:39 suser=Unknown identity sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success

User account unlock:
Jul 20 05:02:53 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|CONFIGURATION|Modified|6|rt=Jul 20 2018 05:02:53 suser=admin sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success msg=Unlocked User [testuser] by admin from 10.42.43.32

All UI pages accessed:
Jul 20 04:52:53 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|SYSTEM|Page Accessed|6|rt=Jul 20 2018 04:52:53 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success

Committed configuration changes (two entries per change):
Jul 20 04:45:15 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|CONFIGURATION|Modified|6|rt=Jul 20 2018 04:45:15 suser=admin sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER
Jul 20 04:45:15 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|CONFIGURATION|commit|6|rt=Jul 20 2018 04:45:15 suser=admin sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER msg=SecurityConfiguration changed by admin

Queries performed by the user:
Jul 20 05:11:03 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|DATA_ACCESS|query|6|rt=Jul 20 2018 05:11:03 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success

Data export operations:
Jul 20 05:19:20 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|DATA_ACCESS|submitExtractLogs|6|rt=Jul 20 2018 05:19:20 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success
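The following is an added example, not part of the RSA documentation or the product, showing how the central syslog destination could parse these CEF records and pull out the events a user audit cares about: failed logons per user, account lockouts, and sensitive operations (configuration commits, account unlocks, data exports). The sample lines embedded in the block are copied from the table above and are prefixed with the syslog header ("Jul 20 04:52:53 sa") exactly as shown there, including the "CEF: 0" spacing (standard CEF writes "CEF:0" without the space, so the parser tolerates both). Because an Account Locked entry carries suser "Unknown identity", the example attributes each lockout to the most recent Logon failure seen before it; that correlation is a heuristic of this example, not something the product asserts. Function names (parse_cef, audit) and the CEF escape handling are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the CEF lines from the table above, as delivered to the
# syslog destination (hostname "sa", "CEF: 0" with a space, as the page shows).
SAMPLE_CEF = """\
Jul 20 04:52:53 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|AUTHENTICATION|Logon|6|rt=Jul 20 2018 04:52:53 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success
Jul 20 04:57:36 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|AUTHENTICATION|Logon|6|rt=Jul 20 2018 04:57:36 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Failure msg=Bad credentials
Jul 20 04:59:39 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|SECURITY|Account Locked|6|rt=Jul 20 2018 04:59:39 suser=Unknown identity sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success
Jul 20 05:02:53 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|CONFIGURATION|Modified|6|rt=Jul 20 2018 05:02:53 suser=admin sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success msg=Unlocked User [testuser] by admin from 10.42.43.32
Jul 20 04:45:15 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|CONFIGURATION|commit|6|rt=Jul 20 2018 04:45:15 suser=admin sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER msg=SecurityConfiguration changed by admin
Jul 20 05:19:20 sa CEF: 0|RSA|Security Analytics Audit|10.6.4.0|DATA_ACCESS|submitExtractLogs|6|rt=Jul 20 2018 05:19:20 suser=testuser sourceServiceName=SA_SERVER deviceExternalId=b72b3f2e-1582-4dc2-84e3-2e6f27fc9b0d deviceProcessName=SA_SERVER outcome=Success
"""

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Split on '|' unless it is escaped as '\|' (the CEF header escaping rule).
PIPE_RE = re.compile(r'(?<!\\)\|')
# Extension key=value pairs. A value runs until the next " key=" or end of
# line, so values containing spaces ("msg=Bad credentials",
# "suser=Unknown identity") are kept whole.
EXT_RE = re.compile(r'(?P<key>[A-Za-z0-9_.]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_.]+=|$)')


def parse_cef(line):
    """Parse one syslog line carrying a CEF record; return a dict or None."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    # Tolerate both "CEF:0|" (standard) and "CEF: 0|" (as shown on this page).
    parts = PIPE_RE.split(line[idx + 4:].lstrip(), maxsplit=7)
    if len(parts) != 8:
        return None  # malformed header: fewer than seven pipes
    rec = {"syslog_prefix": line[:idx].rstrip()}
    rec.update(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    rec["extension"] = {m.group("key"): m.group("val").replace("\\=", "=")
                        for m in EXT_RE.finditer(parts[7])}
    return rec


# (category, operation) pairs a user audit should always review.
SENSITIVE_OPS = {("CONFIGURATION", "commit"), ("DATA_ACCESS", "submitExtractLogs")}


def audit(lines):
    """Summarise Security Analytics audit records for a user-audit review.

    Returns a dict with:
      failed_logons: Counter of suser -> number of Logon/Failure records
      lockouts:      [(rt, logged suser, last user with a failed logon)]
      sensitive:     [(rt, suser, category, operation, msg)]
    """
    failed = Counter()
    lockouts, sensitive = [], []
    last_failed_user = None
    for line in lines:
        rec = parse_cef(line)
        if rec is None or rec["product"] != "Security Analytics Audit":
            continue
        ext = rec["extension"]
        cat, op, user = rec["signature_id"], rec["name"], ext.get("suser", "")
        if cat == "AUTHENTICATION" and op == "Logon" and ext.get("outcome") == "Failure":
            failed[user] += 1
            last_failed_user = user
        elif cat == "SECURITY" and op == "Account Locked":
            # The lock record names no account; attribute it to the most
            # recent failing user (heuristic, see lead-in).
            lockouts.append((ext.get("rt"), user, last_failed_user))
        elif (cat, op) in SENSITIVE_OPS or \
                (cat == "CONFIGURATION" and ext.get("msg", "").startswith("Unlocked User")):
            # Note: CONFIGURATION commit records carry no outcome field.
            sensitive.append((ext.get("rt"), user, cat, op, ext.get("msg", "")))
    return {"failed_logons": failed, "lockouts": lockouts, "sensitive": sensitive}


if __name__ == "__main__":
    summary = audit(SAMPLE_CEF.splitlines())
    for user, n in summary["failed_logons"].items():
        print(f"failed logons for {user}: {n}")
    for rt, logged, likely in summary["lockouts"]:
        print(f"lockout at {rt} (logged as {logged!r}; last failing user: {likely})")
    for event in summary["sensitive"]:
        print("sensitive:", event)
```

The parser keeps the whole syslog prefix rather than trying to interpret it, because the relay in front of the destination may rewrite that header; the rt field inside the CEF extension is the timestamp the SA server itself assigned and is the one to use for correlation.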

 

The following table shows examples of global audit logs produced with the default human-readable format template on a third-party syslog server. Fields that the source record does not supply (for example, Outcome for the two CONFIGURATION entries of a committed change) are printed as null.

User Action: Human-Readable Format Output

User login success:
Jul 20 2018 04:52:53 sa Jul 20 2018 04:52:53 SA_SERVER [audit] Event Category: AUTHENTICATION Operation: Logon Outcome: Success Description: null User: testuser Role: Administrators+Administrators

User login failure:
Jul 20 2018 04:57:36 sa Jul 20 2018 04:57:36 SA_SERVER [audit] Event Category: AUTHENTICATION Operation: Logon Outcome: Failure Description: Bad credentials User: testuser Role: null

User logout:
Jul 20 2018 04:55:47 sa Jul 20 2018 04:55:47 SA_SERVER [audit] Event Category: AUTHENTICATION Operation: Logoff Outcome: Success Description: null User: testuser Role: Administrators+Administrators

Max login failures exceeded:
Jul 20 2018 04:59:39 sa Jul 20 2018 04:59:39 SA_SERVER [audit] Event Category: SECURITY Operation: Account Locked Outcome: Success Description: null User: Unknown identity Role: null

User account unlock:
Jul 20 2018 05:02:53 sa Jul 20 2018 05:02:53 SA_SERVER [audit] Event Category: CONFIGURATION Operation: Modified Outcome: Success Description: Unlocked User [testuser] by admin from 10.42.43.32 User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY

All UI pages accessed:
Jul 20 2018 04:52:53 sa Jul 20 2018 04:52:53 SA_SERVER [audit] Event Category: SYSTEM Operation: Page Accessed Outcome: Success Description: null User: testuser Role: Administrators+Administrators

Committed configuration changes (two entries per change):
Jul 20 2018 04:45:15 sa Jul 20 2018 04:45:15 SA_SERVER [audit] Event Category: CONFIGURATION Operation: Modified Outcome: null Description: null User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY
Jul 20 2018 04:45:15 sa Jul 20 2018 04:45:15 SA_SERVER [audit] Event Category: CONFIGURATION Operation: commit Outcome: null Description: SecurityConfiguration changed by admin User: admin Role: Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY

Queries performed by the user:
Jul 20 2018 05:11:04 sa Jul 20 2018 05:11:04 SA_SERVER [audit] Event Category: DATA_ACCESS Operation: query Outcome: Success Description: null User: testuser Role: Administrators+Administrators

Data export operations:
Jul 20 2018 05:19:20 sa Jul 20 2018 05:19:20 SA_SERVER [audit] Event Category: DATA_ACCESS Operation: submitExtractLogs Outcome: Success Description: null User: testuser Role: Administrators+Administrators

For lists of the message types logged by the various Security Analytics components, see Global Audit Logging Operation Reference.
