ESA Config: View Audit Logs and Verify ESA Component Versions

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.

This topic provides details about audit logging and instructions to verify the versions of the ESA components installed. These procedures apply to ESA Correlation Rules.

View Audit Logs for Rules

Audit logging allows you to view details about rules that are created and changed in NetWitness Platform. There are local audit logs in each of the services in NetWitness Platform. When Global Audit Logging is configured, NetWitness Platform audit logs collect in a centralized system that converts them into the required format and forwards them to an external syslog system.

For details on how to access your local audit logs, see "Local Audit Log Locations" in the System Configuration Guide. To set up Global Audit Logging, see "Configure Global Audit Logging" in the System Configuration Guide.

The following Syslog global audit log examples show the create, update, remove rule, and delete deployment actions for the ESA Correlation service (correlation-server). Each action produces more than one log entry: a DataAccess entry records the stored object that changed, and an API entry records the service call that changed it.

Create Action

09-17-2018 08:59:50 System3.Info 10.0.0.0 Sep 17 15:59:54 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=create, success=true, identity=admin, parameters={EngineSettings=}}

09-17-2018 08:59:50 System3.Info 10.0.0.0 Sep 17 15:59:54 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/module/settings/set, success=true, identity=admin, parameters={Arguments=[ModuleSettings(id=null, name=a-d-v:multiple_failed-login_successful-login-rule-module, displayName=ADV: Multiple_FailedLogin_SuccessfulLogin, enabled=true, eplStatements=[module GHmoduleId15;@Name('GHmoduleName15') @Description('GHmoduleDesc15') @RSAAlert(oneInSeconds=0, identifiers={"user_dst"}) SELECT * FROM Event(ec_outcome in ('Success', 'Failure') AND ec_activity='Logon').win:time(5 min) match_recognize (measures F as f_array, S as s pattern (F F F F F+ S+) define F as F.ec_outcome= 'Failure', S as S.ec_outcome= 'Success');], queries=[], maxConstituentEvents=null, logFiredRules=null, trial=false, alert=ModuleSettings.Alert(respondEnabled=true, severity=9, notificationReasons=[], uniqueIdentifiers=[], rateLimit=RateL...

09-17-2018 08:59:50 System3.Info 10.0.0.0 Sep 17 15:59:54 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=create, success=true, identity=admin, parameters={ModuleSettings=}}

Update Action

09-17-2018 08:54:21 System3.Info 10.0.0.0 Sep 17 15:54:25 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=update, success=true, identity=admin, parameters={EngineSettings=5b9fce315068213b17760553}}

09-17-2018 08:54:21 System3.Info 10.0.0.0 Sep 17 15:54:25 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/engine/settings/set, success=true, identity=admin, parameters={Arguments=[EngineSettings(id=null, name=endpoint-sa-managed, displayName=endpoint, description=endpoint, enabled=true, eventType=Event, instanceId=1abc9465-d0d4-48a9-9205-414066fabc2f, streamId=5b9fce314a5b1f5951babc29, moduleIds=[5b9fce314a5b1f5951babc2a, 5b9fce314a5b1f5951babc2b], enableStatementMetric=null)]}}

Remove Rule Action

09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/stream/settings/remove, success=true, identity=admin, parameters={Arguments=[5b9fcf7a4a5b1f5951babc2c]}}

09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=remove, success=true, identity=admin, parameters={StreamSettings=5b9fcf7a4a5b1f5951babc2c}}

Delete Deployment Action

09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/engine/settings/remove, success=true, identity=admin, parameters={Arguments=[5b9fcfcb4a5b1f5951babc2f]}}

09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=remove, success=true, identity=admin, parameters={EngineSettings=5b9fcfcb4a5b1f5951babc2f}}

09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/engine/stop, success=true, identity=admin, parameters={Arguments=[madhavi-sa-managed]}}

Each log contains the following parameters:

  • Time stamp: Time at which the rule was modified. Example: 09-17-2018 08:54:21

  • System Info: Information about the system from which the action was performed, such as its IP address. Example: 10.0.0.0

  • deviceVersion: Version of your ESA service. Example: 11.3.0.0

  • deviceService: Name of the service that logged the action. Example: correlation-server

  • action: The operation performed. Examples: create, update, remove

  • Parameters: Placeholder for the following keys:

    • Epl Module Identifier (moduleIds): unique identifier for the rules. Example: 5b9fce314a5b1f5951babc2a, 5b9fce314a5b1f5951babc2b

    • enabled: Shows if the rule is enabled or not. Example: enabled=true

    • respondEnabled: Shows if alerts from this rule can go to the Respond view. Example: respondEnabled=true

    • trial: Displays if the rule is configured as a trial rule or not. Example: trial=false

    • EplStatements: Displays the rule syntax. Example:

      eplStatements=[module GHmoduleId15;@Name('GHmoduleName15') @Description('GHmoduleDesc15') @RSAAlert(oneInSeconds=0, identifiers={"user_dst"}) SELECT * FROM Event(ec_outcome in ('Success', 'Failure') AND ec_activity='Logon').win:time(5 min) match_recognize (measures F as f_array, S as s pattern (F F F F F+ S+) define F as F.ec_outcome= 'Failure', S as S.ec_outcome= 'Success');]

    • identity: The NetWitness user who performed the action. Example: admin
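Once the audit entries reach an external syslog system, the fields described above can be parsed and watched. The following Python script is an added example and is not RSA code: it parses lines in the format shown in this topic into structured records, splits the device metadata block into a dictionary, and picks out the changes a SOC would normally review, namely rule, stream and deployment removals, engine stops, and any action with success=false. The sample lines are constructed after this topic's examples; the failed attempt by the identity analyst1 is an assumption added to exercise the success=false path and does not come from the page.

```python
"""Parse NetWitness ESA global audit log lines and flag changes to review.

Added example, not RSA code. Assumes the line layout shown in this topic:
<timestamp> <facility> <src ip> <syslog time> <host> {device k=v, ...}
<DataAccess|API>{action=..., success=..., identity=..., parameters={...}}
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEVICE = ("{deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, "
          "deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness}")

# Constructed sample log modelled on the page's examples (not a real capture).
SAMPLE_LOG = "\n".join([
    "09-17-2018 08:54:21 System3.Info 10.0.0.0 Sep 17 15:54:25 esaprimary " + DEVICE +
    " DataAccess{action=update, success=true, identity=admin, parameters={EngineSettings=5b9fce315068213b17760553}}",
    "09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary " + DEVICE +
    " API{action=/rsa/correlation/stream/settings/remove, success=true, identity=admin, parameters={Arguments=[5b9fcf7a4a5b1f5951babc2c]}}",
    "09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary " + DEVICE +
    " API{action=/rsa/correlation/engine/stop, success=true, identity=admin, parameters={Arguments=[madhavi-sa-managed]}}",
    # Constructed (assumption, not from the page): a failed removal by a non-admin identity.
    "09-17-2018 09:05:02 System3.Info 10.0.0.0 Sep 17 16:05:06 esaprimary " + DEVICE +
    " API{action=/rsa/correlation/engine/settings/remove, success=false, identity=analyst1, parameters={Arguments=[5b9fcfcb4a5b1f5951babc2f]}}",
    "this line is not an audit record",
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "   # collector time stamp
    r"(?P<facility>\S+) "                              # e.g. System3.Info
    r"(?P<src_ip>\S+) "                                # system the action came from
    r"(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "                                  # ESA host name
    r"\{(?P<device>[^}]*)\} "                          # device metadata block
    r"(?P<kind>DataAccess|API)\{action=(?P<action>[^,]+), "
    r"success=(?P<success>true|false), identity=(?P<identity>[^,]+), "
    r"parameters=\{(?P<params>.*)\}\}\s*$"
)


@dataclass
class AuditEvent:
    timestamp: str
    src_ip: str
    host: str
    device: Dict[str, str]   # deviceVendor, deviceVersion, deviceService, ...
    kind: str                # "DataAccess" or "API"
    action: str              # e.g. "update" or "/rsa/correlation/engine/stop"
    success: bool
    identity: str
    params: str              # raw contents of parameters={...}


def _parse_kv(block: str) -> Dict[str, str]:
    """Turn 'k1=v1, k2=v2' into a dict; device values contain no commas."""
    out: Dict[str, str] = {}
    for part in block.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return AuditEvent(
        timestamp=m["ts"], src_ip=m["src_ip"], host=m["host"],
        device=_parse_kv(m["device"]), kind=m["kind"], action=m["action"],
        success=m["success"] == "true", identity=m["identity"], params=m["params"],
    )


def parse_log(text: str) -> List[AuditEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def is_coverage_reducing(ev: AuditEvent) -> bool:
    """Removals and engine stops reduce detection coverage and merit review."""
    if ev.kind == "DataAccess":
        return ev.action == "remove"
    return ev.action.endswith("/remove") or ev.action.endswith("/stop")


def review_queue(events: List[AuditEvent]) -> List[AuditEvent]:
    """Coverage-reducing changes plus every failed attempt, in log order."""
    return [ev for ev in events if is_coverage_reducing(ev) or not ev.success]


def count_by_identity(events: List[AuditEvent]) -> Dict[str, Dict[str, int]]:
    """Successful and failed actions per identity, for a quick who-did-what view."""
    counts: Dict[str, Dict[str, int]] = {}
    for ev in events:
        bucket = counts.setdefault(ev.identity, {"ok": 0, "failed": 0})
        bucket["ok" if ev.success else "failed"] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in review_queue(parsed):
        print(f"{ev.timestamp} {ev.identity:<9} {ev.kind}:{ev.action} success={ev.success} params={ev.params}")
    print(count_by_identity(parsed))
```

The regex anchors on the fixed order of the fields (timestamp, facility, source IP, syslog time, host, device block, action block), so a line that does not follow that layout is skipped rather than half-parsed; feeding the records into a SIEM rule that alerts on review_queue output gives visibility into anyone switching off correlation rules.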

Verify ESA Correlation Version

  1. Use ssh to connect to the ESA Correlation service and log in as the root user.
  2. Type the following command and press ENTER:

     rpm -qa | grep rsa-nw-correlation-server

     The ESA Correlation server version is displayed.
