NW Cfg: Verify Global Audit Logs

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Sep 12, 2018.

This topic provides instructions on how to verify global audit logs. After you have configured global audit logging, you need to test your global audit logs to ensure that they show the audit events as defined in your global audit logging template. 

Before starting this task, complete the steps detailed in Configure Global Audit Logging.

To view and verify the global audit logs if you are using a Log Decoder:

  1. Go to Investigate > Events.
  2. From within the Navigate view, select the Log Decoder, and click Navigate.
  3. Compare the fields in the global audit logs with the fields defined in the global audit logging template that you used in your global audit logging configuration.
  4. Double-click a log and in the Event Reconstruction dialog, select View Meta.
  5. Verify that the meta that you want to audit is correct. 

Example CEF Output

The following example shows global audit logs for an audit logging Common Event Format (CEF) template.

Template:

CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} dst=%{destinationAddress} dpt=%{destinationPort} dvcpid=%{deviceProcessId} deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text}

Example logs:

CEF:0|RSA|NetWitness Audit|11.1.0.0|AUTHENTICATION|logoff|6|rt=Mar 11 2018 08:58:34 src=10.31.125.48 spt=53392 suser=admin sourceServiceName=BROKER deviceExternalId=92284373-3cdf-4362-be5b-426f46410262 deviceProcessName=NwBroker outcome=success

CEF:0|RSA|NetWitness Audit|11.1.0.0|AUTHENTICATION|logoff|6|rt=Mar 11 2018 09:00:00 src=10.31.125.48 spt=52212 suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=f17aa153-ac33-4775-ad20-84962d06ab9e deviceProcessName=NwConcentrator outcome=success

CEF:0|RSA|NetWitness Audit|11.1.0.0|AUTHENTICATION|logoff|6|rt=Mar 11 2018 08:58:34 src=10.31.125.48 spt=53392 suser=admin sourceServiceName=BROKER deviceExternalId=92284373-3cdf-4362-be5b-426f46410262 deviceProcessName=NwBroker outcome=success
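The comparison called for in step 3 of the procedure above, as an added example that is not part of the RSA documentation: a small Python checker that parses the CEF template and the first example log from this page and reports which template extension keys the log carries and which it omits. The template, the sample line and the key names are taken from this page; the function names are my own.

```python
import re

# Template and first example log copied from this page (CEF header and extension are one line).
TEMPLATE = ("CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|"
            "rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} suser=%{identity} "
            "sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} "
            "dst=%{destinationAddress} dpt=%{destinationPort} dvcpid=%{deviceProcessId} "
            "deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text}")

SAMPLE_LOG = ("CEF:0|RSA|NetWitness Audit|11.1.0.0|AUTHENTICATION|logoff|6|rt=Mar 11 2018 08:58:34 "
              "src=10.31.125.48 spt=53392 suser=admin sourceServiceName=BROKER "
              "deviceExternalId=92284373-3cdf-4362-be5b-426f46410262 deviceProcessName=NwBroker outcome=success")

HEADER_COUNT = 7  # "CEF:0" plus six header fields, each terminated by '|'


def template_keys(template):
    """Return (header placeholder names, ordered extension keys) declared by a CEF template."""
    parts = template.split("|", HEADER_COUNT)
    header = [re.fullmatch(r"%\{(\w+)\}", p).group(1) for p in parts[1:HEADER_COUNT]]
    ext = re.findall(r"(\w+)=%\{\w+\}", parts[HEADER_COUNT])
    return header, ext


def parse_cef(line):
    """Split a CEF line into its six header values and an extension dict.

    Extension values may contain spaces (rt=Mar 11 2018 08:58:34), so a value runs
    until the next ' key=' token rather than the next space. Escaped '|' inside
    header fields is not handled; the page's audit logs do not use it.
    """
    parts = line.split("|", HEADER_COUNT)
    if len(parts) != HEADER_COUNT + 1 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[HEADER_COUNT]))
    return parts[1:HEADER_COUNT], ext


def verify(template, line):
    """Compare one audit log with the template: return (present keys, missing keys), template order."""
    _, expected = template_keys(template)
    _, ext = parse_cef(line)
    present = [k for k in expected if k in ext]
    missing = [k for k in expected if k not in ext]
    return present, missing


if __name__ == "__main__":
    present, missing = verify(TEMPLATE, SAMPLE_LOG)
    print("present:", present)
    print("missing:", missing)  # dst, dpt, dvcpid and msg do not appear in the logoff event
```

The example logoff events on this page populate eight of the twelve extension keys in the template; a key that never appears across the events you audit is the first thing to check against the template and the meta in the Event Reconstruction dialog.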
