Global Audit Logging Configurations Panel

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 13, 2017.
Version 8

In the Global Audit Logging Configurations panel (Admin > System > Global Auditing), you configure global audit logging by adding configurations that define how global audit logs are forwarded to external syslog systems. Global audit logs are forwarded to the selected Notification Server in your global audit logging configuration using the selected Notification Template. 

Global Audit Logging provides auditors with consolidated visibility into user activities within NetWitness Suite in real time from one centralized location.

Workflow

This workflow shows the necessary procedures to configure and verify Global Audit Logging.

Workflow for global audit logging configuration

Before you can define a Global Audit Logging configuration, you need to create a Syslog Notification Server on the Global Notifications > Server tab. The Syslog Notification Server is the destination that receives the global audit logs. Next, you need to select or define an Audit Logging template on the Global Notifications > Templates tab. The Audit Logging template defines the format and message fields of the audit logs sent to the Log Decoder or third-party syslog server. If you are consuming the audit logs with a Log Decoder, deploy the Common Event Format parser to your Log Decoder from Live.

Note: You do not need to configure the Global Notifications > Output tab for Global Audit Logging. 

After you add a Global Audit Logging configuration here, audit logs are forwarded to the selected Notification Server in the configuration. Verify your audit logs to ensure that they show the audit events as defined in your audit logging template.
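
One way to carry out that verification on the receiving syslog server, as an added example (not RSA's code): it parses received CEF lines and reports which required extension keys are missing. The sample lines, the vendor and product values, and the REQUIRED key set are constructed assumptions; substitute the fields your own audit logging template emits.

```python
import re

def parse_cef(line):
    """Return (header_fields, extension_dict) for a syslog line carrying CEF, else None."""
    start = line.find("CEF:")
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    # The header is 7 pipe-delimited fields; "\|" and "\\" are escapes inside a field.
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        return None
    ext_text, ext = body[i:], {}
    # Extension: key=value pairs; a value runs until the next " key=" and may contain spaces.
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext_text))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        raw = ext_text[m.end():end].strip()
        ext[m.group(1)] = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
    return fields, ext

def missing_fields(line, required):
    """List the required extension keys that are absent or empty in one received line."""
    parsed = parse_cef(line)
    if parsed is None:
        return sorted(required)
    return sorted(k for k in required if not parsed[1].get(k))

# Constructed sample lines (placeholder vendor/product, not real NetWitness output).
SAMPLE_OK = ("<14>Oct 13 10:15:02 host1 CEF:0|ExampleVendor|Example\\|Product|1.0|"
             "100|user login|5|suser=admin src=10.0.0.5 outcome=success msg=a\\=b c")
SAMPLE_BAD = "<14>Oct 13 10:15:09 host1 CEF:0|ExampleVendor|ExampleProduct|1.0|100|user login|5|suser=admin"
# Assumed key set; replace with the fields your audit logging template emits.
REQUIRED = {"suser", "src", "outcome"}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(missing_fields(sample, REQUIRED) or "all required fields present")
```

A line that is not CEF at all is reported with every required key missing, which also catches a configuration that was accidentally pointed at a non-CEF template.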

What do you want to do?

                                 
| Role | I want to ... | Show me how |
|---|---|---|
| Administrator | Create a Syslog Notification Server. | Configure a Destination to Receive Global Audit Logs |
| Administrator | Choose an Audit Logging template. | Define a Template for Global Audit Logging |
| Administrator | Configure Global Audit Logging | Define a Global Audit Logging Configuration. For the complete procedure, see "Global Audit Logging - High-Level Procedure" in Configure Global Audit Logging. |
| Administrator | Verify Global Audit logs | Verify Global Audit Logs |

Quick Look

The following example illustrates a Global Audit Logging configuration. The configuration defines how NetWitness Suite forwards global audit logs to external syslog systems.

Global audit configuration panel under system tab

                         
1. Displays the Global Audit Logging Configurations panel.
2. Name that identifies the Global Audit Logging configuration.
3. Notification Server assigned to the Global Audit Logging configuration.
4. Notification Template assigned to the Global Audit Logging configuration.
5. Displays the Global Notifications panel where you set up Servers and Templates required to configure a Global Audit Logging configuration.

Toolbar

The following table describes the toolbar actions.

                       
Icon Description

Adds a global audit logging configuration.

Deletes a global audit logging configuration. Deleting a global audit configuration does not delete the associated notification server and template. After you delete a global audit logging configuration, the forwarding of global audit logs specified in that configuration is discontinued.

Edits a global audit logging configuration. You can change the destination of the global audit logs for your user audits by selecting a different Notification Server. You can also change the format and message fields of the global audit log entries by selecting a different Notification Template. You cannot change which NetWitness Suite user actions are logged and sent in the global audit logs.

Configurations

The following table describes the listed configurations.

                           
| Title | Description |
|---|---|
|  | To select an individual configuration, select the checkbox next to the configuration. To select all configurations, select the checkbox in the title bar of the table. |
| Name | Displays the name of the global auditing configuration. For example, you can name the configurations based on the destination of the global audit logs, such as HQ SA and My Syslog Server. |
| Notification Server | Displays the Syslog Notification Server selected as the destination for the global audit logs. If you want to forward global audit logs to a Log Decoder, create a Syslog type of Notification Server. "Configure a Destination to Receive Global Audit Logs" provides instructions on how to create a Syslog Notification Server for global audit logging. |
| Notification Template | Displays the Audit Logging Notification Template selected for the configuration. It defines the format and message fields of the audit log entries. For Log Decoders, use the Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. "Define a Template for Global Audit Logging" provides instructions and "Supported CEF Meta Keys" describes the available CEF meta keys. For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). "Define a Template for Global Audit Logging" provides instructions and "Supported Global Audit Logging Meta Key Variables" describes the available meta key variables. |