In the Global Audit Logging Configurations panel (ADMIN > System > Global Auditing), you configure global audit logging by adding configurations that define how global audit logs are forwarded to external syslog systems. Global audit logs are forwarded to the selected Notification Server in your global audit logging configuration using the selected Notification Template.
Global Audit Logging gives auditors consolidated, real-time visibility into user activities within NetWitness Platform from one centralized location.
This workflow shows the necessary procedures to configure and verify Global Audit Logging.
Before you can define a Global Audit Logging configuration, you need to create a Syslog Notification Server on the Global Notifications > Server tab. The Syslog Notification Server is the destination that receives the global audit logs. Next, you need to select or define an Audit Logging template on the Global Notifications > Templates tab. The Audit Logging template defines the format and message fields of the audit logs sent to the Log Decoder or third-party syslog server. If you are consuming the audit logs with a Log Decoder, deploy the Common Event Format parser to your Log Decoder from Live.
After you add a Global Audit Logging configuration here, audit logs are forwarded to the selected Notification Server in the configuration. Verify your audit logs to ensure that they show the audit events as defined in your audit logging template.
|Role||I want to ...||Show me how|
|Administrator||Create a Syslog Notification Server.|| |
|Administrator||Choose an Audit Logging template.|| |
|Administrator||Configure Global Audit Logging||For the complete procedure, see "Global Audit Logging - High-Level Procedure" in Configure Global Audit Logging.|
|Administrator||Verify Global Audit logs|| |
- Troubleshoot Global Audit Logging
- Add New Configuration Dialog
- Supported CEF Meta Keys
- Supported Global Audit Logging Meta Key Variables
- Global Audit Logging Operation Reference
- Local Audit Log Locations
The following example illustrates a Global Audit Logging configuration. The configuration defines how NetWitness Platform forwards global audit logs to external syslog systems.
|1||Displays the Global Audit Logging Configurations panel.|
|2||Name that identifies the Global Audit Logging configuration.|
|3||Notification Server assigned to the Global Audit Logging configuration.|
|4||Notification Template assigned to the Global Audit Logging configuration.|
|5||Displays the Global Notifications panel where you set up Servers and Templates required to configure a Global Audit Logging configuration.|
The following table describes the toolbar actions.
|Adds a global audit logging configuration.|
|Deletes a global audit logging configuration. Deleting a global audit configuration does not delete the associated notification server and template. After you delete a global audit logging configuration, the forwarding of global audit logs specified in that configuration is discontinued.|
|Edits a global audit logging configuration. You can change the destination of the global audit logs for your user audits by selecting a different Notification Server. You can also change the format and message fields of the global audit log entries by selecting a different Notification Template. You cannot change which NetWitness Platform user actions are logged and sent in the global audit logs.|
The following table describes the listed configurations.
|To select an individual configuration, select the checkbox next to the configuration. To select all configurations, select the checkbox in the title bar of the table.|
|Name||Displays the name of the global auditing configuration. For example, you can name the configurations based on the destination of the global audit logs, such as HQ SA and My Syslog Server.|
|Notification Server||Displays the Syslog Notification Server selected as the destination for the global audit logs. If you want to forward global audit logs to a Log Decoder, create a Syslog type of Notification Server. Configure a Destination to Receive Global Audit Logs provides instructions on how to create a Syslog Notification Server for global audit logging.|
|Notification Template||Displays the Audit Logging Notification Template selected for the configuration. It defines the format and message fields of the audit log entries. For Log Decoders, use the Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions and Supported CEF Meta Keys describes the available CEF meta keys. For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions and Supported Global Audit Logging Meta Key Variables describes the available meta key variables.|
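For the verification step described above, a check like the following can be run over lines captured at a third-party syslog destination to confirm that each forwarded audit event is well-formed CEF and carries the fields you expect from your template. This is an added example, not NetWitness code; the required keys, the header values and the sample lines are constructed assumptions, so substitute the fields your Audit Logging template actually emits.

```python
import re

# Assumption: keys expected from the selected template (illustrative CEF keys).
REQUIRED_KEYS = {"rt", "suser", "src", "outcome"}
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # "key=" at start or after whitespace

def split_header(body):
    """Split the 7 pipe-delimited header fields; a backslash escapes a pipe."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1])
            i += 1
        elif body[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    return fields, body[i:]

def parse_extension(ext):
    """Parse key=value pairs; values may hold spaces and escaped '='."""
    hits, pairs = list(_KEY.finditer(ext)), {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        pairs[m.group(1)] = re.sub(r"\\([\\=])", r"\1", ext[m.end():end]).strip()
    return pairs

def check_audit_line(line, required=REQUIRED_KEYS):
    """Return a list of problems; an empty list means the line passes."""
    start = line.find("CEF:")
    if start < 0:
        return ["not CEF: no 'CEF:' marker"]
    fields, ext = split_header(line[start:])
    if len(fields) < 7:
        return [f"truncated CEF header: {len(fields)} of 7 fields"]
    pairs = parse_extension(ext)
    return [f"missing or empty: {k}" for k in sorted(required) if not pairs.get(k)]

# Constructed sample lines as a syslog receiver might store them (not real output).
SAMPLE = [
    "<134>Jan 10 12:00:01 nw1 CEF:0|ExampleVendor|Example\\|Audit|1.0|LOGIN|User login|6|"
    "rt=Jan 10 2024 12:00:01 suser=admin src=10.0.0.5 outcome=success msg=role\\=Admins added",
    "<134>Jan 10 12:00:02 nw1 CEF:0|ExampleVendor|Audit|1.0|CONFIG|Config change|6|"
    "rt=Jan 10 2024 12:00:02 src=10.0.0.5 outcome=",
    "<134>Jan 10 12:00:03 nw1 admin logged out",
]
for line in SAMPLE:
    print(check_audit_line(line) or "ok")
```

A line that fails the marker or header check usually means a non-CEF template is selected for that configuration, while missing keys point at fields removed from the template.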