
NW Cfg: Verify Global Audit Logs

Document created by RSA Information Design and Development Employee on Sep 14, 2017. Last modified by RSA Information Design and Development Employee on Apr 23, 2020.

This topic provides instructions on how to verify global audit logs. After you have configured global audit logging, you need to test your global audit logs to ensure that they show the audit events as defined in your global audit logging template. 

Before starting this task, complete the steps detailed in Configure Global Audit Logging.

To view and verify the global audit logs if you are using a Log Decoder:

  1. Go to Investigate > Events, select the Log Decoder service and click the submit query icon to the right of the query bar.

  2. Compare the fields in the global audit logs with the fields defined in the global audit logging template that you used in your global audit logging configuration.
  3. Double-click a log and in the Event Reconstruction dialog, select View Meta.
  4. Verify that the meta that you want to audit is correct. 

Example CEF Output

The following example shows global audit logs for an audit logging Common Event Format (CEF) template.

Template:

CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} tpt=%{transportProtocol} scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} userGroup=%{userGroup} userRole=%{userRole} key=%{Key} value=%{Value} alert=%{alert} incident=%{incident} action=%{action} notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} disabled=%{disabled} params=%{parameters}

Example logs:

Jun 07 2019 09:06:05 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|logoff|6|rt=Jun 07 2019 09:06:05 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success \r\n

Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success userGroup=Administrators userRole=admin.owner,aggregate,concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,sdk.packets,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage \r\n
