
NW Cfg: Verify Global Audit Logs

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Sep 9, 2020. Version 21.

This topic provides instructions on how to verify global audit logs. After you have configured global audit logging, you need to test your global audit logs to ensure that they show the audit events as defined in your global audit logging template. 

In version 11.5 and later, audit logging provides information about the aggregation account and the actual user who submitted the query. For example, the information is displayed as follows in the audit log:

User aggAccount (session 478, [::1]:1133, on behalf of <username of submitter>) has requested the SDK transforms.

This information is available through multiple levels of Brokers and Concentrators.

Note: If you are running a mixed-version environment, any version earlier than 11.5 will not provide the real user information.

Before starting this task, complete the steps detailed in Configure Global Audit Logging.

To view and verify the global audit logs if you are using a Log Decoder:

  1. Go to Investigate > Events, select the Log Decoder service, and click the submit query icon to the right of the query bar.

  2. Compare the fields in the global audit logs with the fields defined in the global audit logging template that you used in your global audit logging configuration.
  3. Double-click a log to open the reconstruction, then click Show Event Meta to open the Event Meta panel.
  4. Verify that the meta you want to audit is present and that its values are correct.

Example CEF Output

The following example shows global audit logs for an audit logging Common Event Format (CEF) template.

Template:

CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|

rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} tpt=%{transportProtocol} scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} userGroup=%{userGroup} userRole=%{userRole} key=%{Key} value=%{Value} alert=%{alert} incident=%{incident} action=%{action} notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} disabled=%{disabled} params=%{parameters}

Example logs:

Jun 07 2019 09:06:05 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|logoff|6|rt=Jun 07 2019 09:06:05 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success \r\n

Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success userGroup=Administrators userRole=admin.owner,aggregate,concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,sdk.packets,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage \r\n
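Step 2 of the procedure (compare the fields in the logs with the fields in the template) and the 11.5 "on behalf of" message above can both be checked mechanically when you have the audit lines exported from the Log Decoder or a syslog collector. The following script is an added example for this topic, not RSA code: it parses each CEF line into header fields and extension key/value pairs, reports any extension key the template cannot have emitted, checks the severity and a few required keys, and, for query audits, pulls the aggregation account and the real submitter out of the msg text. The template strings are the ones on this page; the first two sample lines are the page's example logs, while the third and fourth lines (the query audit with a msg, and the deliberately malformed line, including their category and operation names) are constructed here to exercise the checks.

```python
"""Verify NetWitness global audit lines against the CEF audit template.

Added example, not RSA code. TEMPLATE_* are the template from this page;
SAMPLE_LINES[0:2] are the page's example logs, SAMPLE_LINES[2:4] are constructed.
"""
import re

TEMPLATE_HEADER = (
    "CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|"
    "%{category}|%{operation}|%{severity}|"
)
TEMPLATE_EXTENSION = (
    "rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} tpt=%{transportProtocol} "
    "scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} "
    "deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} "
    "outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} "
    "reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} "
    "user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} "
    "deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} "
    "addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} "
    "userGroup=%{userGroup} userRole=%{userRole} key=%{Key} value=%{Value} "
    "alert=%{alert} incident=%{incident} action=%{action} "
    "notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} "
    "disabled=%{disabled} params=%{parameters}"
)
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "category", "operation", "severity")

# 11.5+ aggregation message: "User <aggAccount> (session N, <addr>, on behalf of <user>) ..."
ON_BEHALF = re.compile(r"^User (\S+) \(session \d+, (\S+), on behalf of ([^)]+)\) ")

SAMPLE_LINES = [
    # Page examples, each rejoined onto a single line.
    "Jun 07 2019 09:06:05 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|"
    "AUTHENTICATION|logoff|6|rt=Jun 07 2019 09:06:05 src=101.101.101.101 spt=55060 "
    "scope=scope suser=admin sourceServiceName=CONCENTRATOR "
    "deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d "
    "deviceProcessName=NwConcentrator outcome=success \r\n",
    "Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|"
    "AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 spt=55060 "
    "scope=scope suser=admin sourceServiceName=CONCENTRATOR "
    "deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d "
    "deviceProcessName=NwConcentrator outcome=success userGroup=Administrators "
    "userRole=admin.owner,aggregate,concentrator.manage,connections.manage,"
    "database.manage,everyone,index.manage,logs.manage,rules.manage,sdk.content,"
    "sdk.manage,sdk.meta,sdk.packets,services.manage,storedproc.execute,"
    "storedproc.manage,sys.manage,users.manage \r\n",
    # Constructed: 11.5-style query audit; category/operation names are assumed.
    "Jun 07 2019 09:07:00 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.5.0.0|"
    "QUERY|sdk.transforms|6|rt=Jun 07 2019 09:07:00 src=101.101.101.101 spt=55061 "
    "suser=aggAccount sourceServiceName=CONCENTRATOR deviceProcessName=NwConcentrator "
    "outcome=success msg=User aggAccount (session 478, [::1]:1133, on behalf of jdoe) "
    "has requested the SDK transforms. \r\n",
    # Constructed: does not match the template (non-numeric severity, unknown key).
    "Jun 07 2019 09:08:00 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|"
    "AUTHENTICATION|login|high|rt=Jun 07 2019 09:08:00 suser=admin outcome=success "
    "bogusKey=1 \r\n",
]


def template_keys(template_ext):
    """Extension keys the template can emit: the 'key=' in front of each %{...}."""
    return set(re.findall(r"(\w+)=%\{", template_ext))


def parse_cef(line):
    """Split one audit line into header fields plus an 'ext' dict.

    Anything before 'CEF:0|' (syslog timestamp, host) is ignored. Unescaped '|'
    delimits the seven header fields; an extension value runs until the next
    ' key=' token, so values with spaces (rt, msg) are kept whole.
    """
    start = line.find("CEF:0|")
    if start < 0:
        raise ValueError("no CEF header")
    parts = re.split(r"(?<!\\)\|", line[start:].rstrip(), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header has %d of 7 fields" % (len(parts) - 1))
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    record["ext"] = {}
    for token in re.split(r" (?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        record["ext"][key] = value.rstrip()
    return record


def verify(line, allowed, required=("rt", "suser", "outcome")):
    """Return a list of findings for one line; empty means it matches the template."""
    try:
        rec = parse_cef(line)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if rec["cef_version"] != "CEF:0":
        findings.append("unexpected CEF version %r" % rec["cef_version"])
    sev = rec["severity"]
    if not (sev.isdigit() and 0 <= int(sev) <= 10):
        findings.append("severity %r is not an integer 0-10" % sev)
    for key in sorted(set(rec["ext"]) - allowed):
        findings.append("key %r is not in the template" % key)
    for key in required:
        if not rec["ext"].get(key):
            findings.append("required key %r missing or empty" % key)
    return findings


def on_behalf_of(msg):
    """(aggregation account, submitting user) from an 11.5+ msg, else None."""
    m = ON_BEHALF.match(msg)
    return (m.group(1), m.group(3)) if m else None


if __name__ == "__main__":
    allowed = template_keys(TEMPLATE_EXTENSION)
    for n, line in enumerate(SAMPLE_LINES):
        print(n, verify(line, allowed) or "OK")
```

A line that passes `verify` still needs the eyeball check from step 4: the script proves the keys are ones the template can emit, not that the values (identity, source address, outcome) are the ones you expect for the action you performed. An unknown key usually means the service is writing with a different template than the one you think you deployed; a `None` from `on_behalf_of` on a query audit means the line came from a pre-11.5 service, as the note above says.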
