SA: Configure Global Audit Logging

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Sep 25, 2017.
Version 2

Overview

Global Audit Logging provides Security Analytics Auditors with consolidated visibility into user activities within Security Analytics in real-time from one centralized location. This visibility includes audit logs gathered from the Security Analytics system and the different services throughout the Security Analytics infrastructure. 

Security Analytics audit logs are collected in a centralized system that converts them into the required format and forwards them to an external syslog system. The external syslog system can be a third-party syslog server or a Log Decoder.

You configure global audit logging in the Global Audit Logging Configurations panel. An audit logging template defines the format and message fields of the audit log entries. A Syslog Notification Server configuration defines the destination to send the audit logs. If you want to forward audit logs to a Log Decoder, configure a Syslog type of Notification Server for the Log Decoder.

The following are some of the user actions logged from Security Analytics (SA):

  • User login success: The SA server authenticates the user's identity and the action is logged in the audit logs file.
    For example,
    2017-03-22 14:16:19,329 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Success" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY" userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" referrerURL: "127.0.0.1"
  • User access denied: The SA server authenticates the user's identity and on login failure the action is logged in the audit logs file. For example,
    2017-03-22 14:17:13,712 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Failure" text: "Invalid credentials" identity: "admin" userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" referrerURL: "127.0.0.1"
  • User logouts: The SA server authenticates the logout action and the action is logged in the audit logs file.
    For example,
    2017-03-22 14:15:08,919 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logoff" outcome: "Success" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"
  • Maximum Login failures exceeded: The SA server authenticates the login action and, after several failed login attempts, the action is logged in the audit logs file.
    For example,
    2017-03-22 15:26:58,987 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: SECURITY operation: "Account Locked" outcome: "Success" identity: "Unknown identity"

    2017-03-22 15:26:58,987 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Failure" text: "Invalid credentials" identity: "testuser" userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" referrerURL: "127.0.0.1"
  • User account unlock: The SA server allows the user to unlock the account and the action is logged in the audit logs file.
    For example,
    2017-03-22 15:29:16,681 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "HttpRequest" parameters: "{referrer=https://10.101.65.62/admin/security, method=POST, userAgent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36, queryString=, uri=/admin/system/local/users/unlock, remoteAddress=127.0.0.1}" outcome: "Success" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"
  • All UI pages accessed: The SA server logs an entry for every UI page accessed in the audit logs file.
    For example,
    2017-03-14 19:28:36,253 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: SYSTEM operation: "Page Accessed" outcome: "Success" key: "[INV] \"concen1.vapp.mintberrycrunch.lol - Concentrator\" Event List" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"

    2017-03-22 15:28:05,432 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: SYSTEM operation: "Page Accessed" outcome: "Success" key: "[UNF] Dashboard" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"

    2017-03-22 15:28:05,456 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "HttpRequest" parameters: "{referrer=https://10.101.65.62/login?failed, method=GET, userAgent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36, queryString=, uri=/unified/dashboard, remoteAddress=127.0.0.1}" outcome: "Success" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"

  • Committed configuration changes: The SA server manages all the configuration changes (for instance, when a user changes their own password) and logs its findings into the audit logs file.
    For example,
    2017-03-22 15:35:24,749 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: MANAGEMENT operation: "set" outcome: "Success" key: "/com.netwitness.spectrum/Configuration/ModuleSandboxConfiguration/moduleSandboxConfig/PDFIgnored" value: "type: Boolean\nboolean: false\n" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"
  • Queries performed by the user: The SA server logs all queries performed by the user in the audit logs file.
    For example,
    2017-03-22 16:03:16,998 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "query" parameters: "NativeValuesMessage{ deviceId=7, isAppliancePath=false, timeout=null, collectionName=\'\', appliancePath=false, sdkPath=\'/sdk\', callbackChannel=\'/meta/values/7/1490198595055/domain.src;collectionName=\', returnValues=false, fieldName=\'domain.src\', fieldIdRange=FieldIdRange [ beginId=1, endId=6102022 ], threshold=100000, size=20, flags=6401, where=\'time=\"2017-03-19 13:39:00\"-\"2017-03-20 13:38:59\"\', options=InvestigationOptions{options={date_range=null, total_by=SESSION_COUNT, order_by=TOTAL, time_range_type=LAST_24_HOURS, sort_order=DESCENDING}, dateRange=null, orderBy=TOTAL, sortOrder=DESCENDING, timeRangeType=LAST_24_HOURS, totalBy=SESSION_COUNT}, metaAliases={}, aggregateFunction=\'null\', aggregateFieldName=\'null\', min=null, max=null}" outcome: "Success" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"
  • Data export operations: The SA server allows data export operations to be performed and the actions are logged in the audit logs file. For example,
    2017-03-22 16:06:24,025 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "submitExtractPcap" parameters: "deviceId=7 collectionName= predicateHandle= sessionIds=[279158] startDate=null endDate=null id1=1 id2=0" outcome: "Success" identity: "admin" userRole: "Administrators+Administrators+PRIVILEGED_CONNECTION_AUTHORITY"
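The entries above share one shape: a timestamp followed by `key: "value"` pairs (bare tokens for the category). As an added example that is not part of the RSA documentation, the Python below parses that shape and applies a check an auditor receiving these logs would want: it counts failed logons per identity and attributes each "Account Locked" event, which the log itself records as identity "Unknown identity", to the account whose failed logon immediately preceded it. The sample lines are constructed from the entries shown above with shortened user agents; the escape rules (`\"` and `\n` inside quoted values) are assumed from those entries.

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp prefix of an SA_SERVER audit entry, e.g. "2017-03-22 14:16:19,329"
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\s+(.*)$")
# One field: a key, then either a double-quoted value (allowing \" and \n escapes) or a bare token
_FIELD_RE = re.compile(r'(\w+):\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_audit_entry(line):
    """Parse one audit line into a dict of fields; returns None if the timestamp prefix is missing."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    entry = {"timestamp": ts.replace(microsecond=int(m.group(2)) * 1000)}
    for key, quoted, bare in _FIELD_RE.findall(m.group(3)):
        # Undo the escapes used inside quoted values: \" -> " and \n -> newline
        entry[key] = bare or re.sub(r"\\(.)", lambda q: "\n" if q.group(1) == "n" else q.group(1), quoted)
    return entry

def is_failed_logon(e):
    return e.get("category") == "AUTHENTICATION" and e.get("operation") == "Logon" and e.get("outcome") == "Failure"

def summarize(lines):
    """Count failed logons per identity and attribute each "Account Locked" event to an account,
    inferred from the latest failed logon at or before the lockout timestamp (the lockout entry
    itself only says identity "Unknown identity")."""
    entries = [e for e in map(parse_audit_entry, lines) if e]
    failures = [e for e in entries if is_failed_logon(e)]
    lockouts = []
    for e in entries:
        if e.get("category") == "SECURITY" and e.get("operation") == "Account Locked":
            prior = [f for f in failures if f["timestamp"] <= e["timestamp"]]
            who = max(prior, key=lambda f: f["timestamp"])["identity"] if prior else None
            lockouts.append((e["timestamp"], who))
    return {"failed_logons": Counter(f.get("identity", "?") for f in failures), "lockouts": lockouts}

# Constructed sample, modelled on the entries shown above (user agents shortened)
SAMPLE_LINES = r'''
2017-03-22 14:16:19,329 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Success" identity: "admin" userRole: "Administrators" userAgent: "Mozilla/5.0" referrerURL: "127.0.0.1"
2017-03-22 15:26:40,101 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Failure" text: "Invalid credentials" identity: "testuser" userAgent: "Mozilla/5.0" referrerURL: "127.0.0.1"
2017-03-22 15:26:58,987 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: SECURITY operation: "Account Locked" outcome: "Success" identity: "Unknown identity"
2017-03-22 15:26:58,987 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logon" outcome: "Failure" text: "Invalid credentials" identity: "testuser" userAgent: "Mozilla/5.0" referrerURL: "127.0.0.1"
2017-03-14 19:28:36,253 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: SYSTEM operation: "Page Accessed" outcome: "Success" key: "[INV] \"concen1.vapp.mintberrycrunch.lol - Concentrator\" Event List" identity: "admin" userRole: "Administrators"
2017-03-22 15:35:24,749 deviceVersion: "10.6.3.0" deviceService: "SA_SERVER" category: MANAGEMENT operation: "set" outcome: "Success" key: "/com.netwitness.spectrum/Configuration/ModuleSandboxConfiguration/moduleSandboxConfig/PDFIgnored" value: "type: Boolean\nboolean: false\n" identity: "admin" userRole: "Administrators"
'''.strip().splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Because the CEF template can drop fields, run the same check against the lines as they arrive at the syslog destination, not against the SA server's local file, to confirm the identity and outcome fields survive the template.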

After you create a global audit logging configuration, audit logs containing these user actions automatically go to the external syslog system in the format specified in the selected Audit Logging template. You can create multiple global audit logging configurations for different destinations that use different templates. For example, you can create a global audit logging configuration for an external Syslog server with a template that contains all of the available meta keys and another configuration for a Log Decoder with a template that contains selected meta keys. 

For Log Decoders, you use the 10.5 Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions and Supported CEF Meta Keys describes the CEF meta keys available to use in the audit logging templates.

For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions and Supported Global Audit Logging Meta Key Variables describes the available variables.

Auditors can view the audit logs on the selected Log Decoder or third-party syslog server. If using a Log Decoder, auditors can view the audit logs using Security Analytics Investigations or Reports. 

The following figure shows global audit logs in Investigations (Investigations > Events).

For examples of some of the user actions logged, see Add New Configuration Dialog. For a list of message types logged by the various Security Analytics components, see Global Audit Logging Operation Reference.

Global Audit Logging - High-Level Procedure

Global Audit Logging is configured in the Global Audit Logging Configurations panel, which is accessed from Administration System view > Global Auditing. Before you can configure Global Audit Logging, you need to configure a Syslog Notification Server and an Audit Logging template. A Syslog Notification Server defines the destination to send the audit logs. An Audit Logging template defines the format and message fields of the audit log entry. 

The Global Audit Logging Configuration panel provides a view settings link that takes you to the Global Notifications panel (Administration System view > Global Notifications) where you can configure the Syslog Notification Server and Audit Logging template. 

Perform the following procedures in the order shown to configure Global Audit Logging.

Procedures and reference / instructions:

  1. Configure a Syslog Notification Server.
     Configure a Syslog Notification Server to use for Global Audit Logging. You can define a third-party syslog server or Log Decoder as a destination to receive the audit logs. Configure a Destination to Receive Global Audit Logs provides instructions. Global Audit Logging configurations use the Syslog notification server type. If you want to forward audit logs to a Log Decoder, create a Notification Server of the Syslog type.
  2. Select or configure an Audit Logging template to use.
     Select an Audit Logging template for the Syslog notification server. You can use a default Audit Logging template or define your own audit logging template. Global Audit Logging configurations use the Audit Logging template type and a Syslog notification server. Configure Templates for Notifications provides additional information.
     For Log Decoders, use the 10.5 Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions.
     For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions and Supported Global Audit Logging Meta Key Variables describes the available variables.
  3. (Optional - Only if consuming with a Log Decoder) Deploy the Common Event Format parser to your Log Decoder from Live.
     Ensure that you have deployed and enabled the latest Common Event Format parser from Live. Find and Deploy Live Resources and Enable and Disable Log Parsers provide instructions.
  4. Define a global audit logging configuration, which defines how the global audit logs are forwarded to external Syslog systems.
     Define a Global Audit Logging Configuration provides instructions. After you add a Global Audit Logging configuration, audit logs are forwarded to the Notification Server selected in the configuration.
  5. Verify that the global audit logs show the audit events.
     Test your audit logs to ensure that they show the audit events as defined in your audit logging template. Verify Global Audit Logs provides instructions.