NW Cfg: Verify Global Audit Logs

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Nov 20, 2019.
Version 17

This topic provides instructions on how to verify global audit logs. After you have configured global audit logging, test the global audit logs to confirm that the events they contain carry the fields defined in your global audit logging template, and nothing else.

Before starting this task, complete the steps detailed in Configure Global Audit Logging.

To view and verify the global audit logs if you are using a Log Decoder:

  1. Go to Investigate > Events.
  2. From within the Navigate view, select the Log Decoder, and click Navigate.
  3. Compare the fields in the global audit logs with the fields defined in the global audit logging template used in your global audit logging configuration.
  4. Double-click a log and, in the Event Reconstruction dialog, select View Meta.
  5. Verify that the meta you want to audit is present and correct.

Example CEF Output

The following example shows global audit logs for an audit logging Common Event Format (CEF) template.

Template:

CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} tpt=%{transportProtocol} scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} userGroup=%{userGroup} userRole=%{userRole} key=%{Key} value=%{Value} alert=%{alert} incident=%{incident} action=%{action} notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} disabled=%{disabled} params=%{parameters}

Example logs:

Jun 07 2019 09:06:05 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|logoff|6|rt=Jun 07 2019 09:06:05 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success

Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success userGroup=Administrators userRole=admin.owner,aggregate,concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,sdk.packets,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage
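Comparing fields by eye, as step 3 of the procedure asks, does not scale past a handful of events. The following Python script is an added example (it is not part of the RSA documentation or the NetWitness product) that does the comparison mechanically: it parses the CEF template above into its six header fields and its ordered extension keys, parses each audit event, and reports extension keys the template does not define, expected keys that are absent, keys that appear out of template order, empty header fields, and a severity outside the CEF 0-10 range. The two sample events are the page's own, re-joined onto one line each. The third event, the REQUIRED_KEYS set and the severity range check are constructed assumptions for this example, not something the template or the product guarantees.

```python
"""Check NetWitness global audit log lines against the CEF audit logging template."""
import re
from typing import Dict, List, Tuple

# The CEF template from this page, header and extension joined into one string.
TEMPLATE = (
    "CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|"
    "rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} tpt=%{transportProtocol} "
    "scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} "
    "deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} "
    "outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} "
    "reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} "
    "user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} "
    "deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} "
    "addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} "
    "userGroup=%{userGroup} userRole=%{userRole} key=%{Key} value=%{Value} "
    "alert=%{alert} incident=%{incident} action=%{action} "
    "notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} "
    "disabled=%{disabled} params=%{parameters}"
)

# Extension keys assumed mandatory for every audit event. This is an assumption
# made for this check, not a product guarantee; the page's two sample events carry all of them.
REQUIRED_KEYS = ("rt", "src", "suser", "sourceServiceName", "deviceExternalId", "outcome")

# The two example events from the page, re-joined onto one line each.
SAMPLE_LOGS = [
    "Jun 07 2019 09:06:05 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|"
    "11.3.1.0|AUTHENTICATION|logoff|6|rt=Jun 07 2019 09:06:05 src=101.101.101.101 "
    "spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR "
    "deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d "
    "deviceProcessName=NwConcentrator outcome=success",
    "Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|"
    "11.3.1.0|AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 "
    "spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR "
    "deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d "
    "deviceProcessName=NwConcentrator outcome=success userGroup=Administrators "
    "userRole=admin.owner,aggregate,concentrator.manage,connections.manage,"
    "database.manage,everyone,index.manage,logs.manage,rules.manage,sdk.content,"
    "sdk.manage,sdk.meta,sdk.packets,services.manage,storedproc.execute,"
    "storedproc.manage,sys.manage,users.manage",
]

# A constructed event (not from the page): it carries a key the template does not
# define and lacks "outcome", the kind of drift the check is meant to catch.
CONSTRUCTED_BAD = (
    "Jun 07 2019 09:07:00 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|"
    "11.3.1.0|AUTHENTICATION|login|6|rt=Jun 07 2019 09:07:00 src=101.101.101.101 "
    "suser=admin sourceServiceName=CONCENTRATOR "
    "deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d hostname=concentrator01"
)

PIPE_RE = re.compile(r"(?<!\\)\|")        # unescaped CEF header separator
KEY_RE = r"[A-Za-z][A-Za-z0-9.]*"        # shape of a CEF extension key


def parse_template(template: str) -> Tuple[List[str], List[str]]:
    """Return (header field names, extension keys in template order)."""
    parts = PIPE_RE.split(template, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("template is not a CEF:0 template")
    header = [re.fullmatch(r"%\{(\w+)\}", p).group(1) for p in parts[1:7]]
    keys = re.findall(r"(" + KEY_RE + r")=%\{", parts[7])
    return header, keys


def parse_cef(line: str) -> Dict[str, object]:
    """Split one syslog-framed CEF line into its header values and extension pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = PIPE_RE.split(line[start:].strip(), maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    extension: Dict[str, str] = {}
    # Split only before "key=", so values with spaces (rt=Jun 07 2019 ...) stay whole.
    # Values that themselves contain " word=" or an escaped "\=" would need a full
    # CEF unescaper; none of the audit template's fields produce those in these samples.
    for pair in re.split(r"\s+(?=" + KEY_RE + r"=)", parts[7].strip()):
        if pair:
            key, _, value = pair.partition("=")
            extension[key] = value
    return {"header": parts[1:7], "extension": extension}


def verify(line: str, template: str = TEMPLATE) -> Dict[str, object]:
    """Compare one audit event with the template and report every deviation."""
    header_names, template_keys = parse_template(template)
    record = parse_cef(line)
    header = dict(zip(header_names, record["header"]))
    ext = record["extension"]
    positions = [template_keys.index(k) for k in ext if k in template_keys]
    sev = header["severity"]
    result = {
        "header": header,
        "empty_header": [n for n, v in header.items() if not v],
        "bad_severity": not (sev.isdigit() and 0 <= int(sev) <= 10),
        "unknown_keys": [k for k in ext if k not in template_keys],
        "missing_required": [k for k in REQUIRED_KEYS if k not in ext],
        "out_of_order": positions != sorted(positions),
    }
    result["ok"] = not (result["empty_header"] or result["bad_severity"]
                        or result["unknown_keys"] or result["missing_required"]
                        or result["out_of_order"])
    return result


if __name__ == "__main__":
    for event in SAMPLE_LOGS + [CONSTRUCTED_BAD]:
        r = verify(event)
        findings = {k: v for k, v in r.items() if k not in ("header", "ok") and v}
        print("OK " if r["ok"] else "BAD", r["header"]["operation"], findings)
```

Run against a file exported from the Events view (one event per line, syslog prefix intact), anything flagged BAD is a field the template did not emit as expected or an event that does not match the template at all, which is what step 3 is looking for. Keys defined in the template but absent from an event are not reported on their own, because the sample logs show that fields with no value are simply omitted; only the keys in REQUIRED_KEYS are treated as mandatory.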
