NW Cfg: Add New Configuration Dialog

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019. Version 14.

In the RSA NetWitness® Platform Administration System view Global Audit Logging Configurations panel, you can create multiple global audit logging configurations. These configurations are used to forward global audit logs to a central location to perform user audits.

Procedures related to global audit logging are described in Configure Global Audit Logging.

To access the Add New Configuration dialog:

  1. Go to ADMIN > System.
  2. In the options panel, select Global Auditing.
  3. In the Global Audit Logging Configurations panel, click .

    The Add New Configuration dialog is displayed.

    Add new Configuration dialog box

    The Notifications section enables you to select a syslog notification server for the global audit logging configuration and a template to use for the global audit logs. The template defines the details of the global audit log entries.

Features

The following table describes the features in the Add New Configuration and Edit Configuration dialogs.

Notifications Servers and Templates view settings link
    Takes you to the Global Notifications panel where you can view or configure the notification server and template settings. A syslog notification server and an audit logging template are required before you can create a global audit configuration.

Configuration Name
    Specifies the unique name used to identify the global audit logging configuration.

Notification Server
    Specifies the syslog notification server to which the selected audit log information is sent. Configure a Destination to Receive Global Audit Logs provides instructions on how to create a syslog notification server for global audit logging.

Notification Template
    Specifies the template to use for the global audit logging configuration. The template should be an Audit Logging template.
    For Log Decoders, use the Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions.
    For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions, and Supported Global Audit Logging Meta Key Variables describes the available variables.

Reset Form button
    Clears the configuration settings in the dialog.

User Actions Logged

The following table provides examples of some of the user actions logged from NetWitness Platform. These actions are the minimum user actions logged when applicable.

User login success
    A user logs on with valid credentials.

User login failure
    A user tries to log on using invalid credentials.

User logouts
    A user logs out from NetWitness Platform (Administration > Sign Out), or a user is logged out because of a session timeout.

Max login failures exceeded
    A user tries to log on using invalid credentials five times. Five (5) is the number of Max Login Failures defined in the Administration Security view > Settings tab (Administration > Security > Settings tab).

All UI pages accessed
    When a user accesses the Reporting module (Administration > Reports), it is logged as [REP] Reports. When a user accesses the Administration System view (Administration > System), it is logged as [ADM] System.

Committed configuration changes
    A user changes his or her password or any security setting (Administration > Security > Settings tab).

Queries performed by the user
    A user performs an investigation query.

User access denied
    A user tries to access a module without having permission to access it.

Data export operations
    A user exports data from the Events view (Investigation > Events > Actions > Export).

 

The following table shows examples of internal audit logs logged from NetWitness Platform.

User Logouts
    2019-02-11 11:14:12,777 deviceVersion: "11.3.0.0" deviceService: "SA_SERVER" category: AUTHENTICATION operation: "Logoff" outcome: "Success" identity: "admin" userRole: "Administrators"

All UI pages accessed
    2019-02-11 10:38:24,387 deviceVersion: "11.3.0.0" deviceService: "SA_SERVER" category: SYSTEM operation: "Page Accessed" outcome: "Success" key: "[UNF] Dashboard" identity: "admin" userRole: "Administrators"

Committed configuration changes
    2019-02-11 10:42:07,632 deviceVersion: "11.3.0.0" deviceService: "SA_SERVER" category: CONFIGURATION operation: "create" outcome: "Success" key: "Predicate" value: "displayName=rsa_netwitness_audit query=device.type = \'rsa_netwitness_audit\'" identity: "admin" userRole: "Administrators"

Queries performed by the user
    2019-02-11 10:42:34,806 deviceVersion: "11.3.0.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "query" parameters: "NativeValuesMessage{ deviceId=17, isAppliancePath=false, timeout=null, collectionName=\'\', appliancePath=false, sdkPath=\'/sdk\', callbackChannel=\'/meta/values/17/1549881835702/ip.srcport;collectionName=\', returnValues=false, fieldName=\'ip.srcport\', fieldIdRange=FieldIdRange [ beginId=1, endId=275827280 ], threshold=100000, size=20, flags=2305, where=\'(device.type = \'rsa_netwitness_audit\') && time=\"2019-02-10 16:42:00\"-\"2019-02-11 10:37:59\"\', options=InvestigationOptions{options={date_range=null, total_by=SESSION_COUNT, order_by=TOTAL, time_range_type=ALL_DATA, sort_order=DESCENDING}, dateRange=null, orderBy=TOTAL, sortOrder=DESCENDING, timeRangeType=ALL_DATA, totalBy=SESSION_COUNT}, metaAliases={}, aggregateFunction=\'null\', aggregateFieldName=\'null\', min=null, max=null}" outcome: "Success" identity: "admin" userRole: "Administrators"

Data export operations
    2019-02-11 11:20:30,188 deviceVersion: "11.3.0.0" deviceService: "SA_SERVER" category: DATA_ACCESS operation: "submitExtractPcap" parameters: "deviceId=6 collectionName= predicateHandle=c6cf sessionIds=[9285468, 9286362, 9628535, 9629308, 10013047, 10017581, 10428756, 10439924, 10819088, 10820894, 11164416] startDate=2019-02-11T08:20:00.000Z endDate=2019-02-11T11:19:59.000Z id1=1 id2=287399592" outcome: "Success" identity: "admin" userRole: "Administrators"

 

The following table shows examples of Global Audit Logs using the default Common Event Format (CEF) template. After you create a Global Audit Logging configuration, audit logs automatically go to the external syslog system in the format specified in the selected Audit Logging template.

User Logouts
    Feb 10 2019 17:03:35 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|AUTHENTICATION|Logoff|null|6| rt=Feb 10 2019 17:03:35 suser=admin sourceServiceName=SA_SERVER deviceExternalId=1cd6184e-25c4-0bbc-fb09-54ee8dfd0e8b deviceProcessName=SA_SERVER outcome=Success sproc=SA_SERVER spriv=Administrators

All UI pages accessed
    Feb 10 2019 16:43:03 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|SYSTEM|Page Accessed|[ADM] "packethybrid - Decoder" info|6| rt=Feb 10 2019 16:43:03 suser=admin sourceServiceName=SA_SERVER deviceExternalId=1cd6184e-25c4-0bbc-fb09-54ee8dfd0e8b deviceProcessName=SA_SERVER outcome=Success sproc=SA_SERVER spriv=Administrators

Committed configuration changes
    Feb 10 2019 17:25:46 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|CONFIGURATION|Modified|LicensingMiscConfiguration|6| rt=Feb 10 2019 17:25:46 suser=admin sourceServiceName=SA_SERVER deviceExternalId=1cd6184e-25c4-0bbc-fb09-54ee8dfd0e8b deviceProcessName=SA_SERVER sproc=SA_SERVER spriv=Administrators

Queries performed by the user
    Feb 10 2019 16:45:30 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|DATA_ACCESS|query|null|6| rt=Feb 10 2019 16:45:30 suser=admin sourceServiceName=SA_SERVER deviceExternalId=1cd6184e-25c4-0bbc-fb09-54ee8dfd0e8b deviceProcessName=SA_SERVER outcome=Success sproc=SA_SERVER spriv=Administrators parameters=NativeValuesMessage{ deviceId\=6, isAppliancePath\=false, timeout\=null, collectionName\='', appliancePath\=false, sdkPath\='/sdk', callbackChannel\='/meta/values/6/1549817102473/dn;collectionName\=', returnValues\=false, fieldName\='dn', fieldIdRange\=FieldIdRange [ beginId\=1, endId\=5602 ], threshold\=100000, size\=20, flags\=2305, where\='time\="2019-02-09 16:45:00"-"2019-02-10 16:44:59"', options\=InvestigationOptions{options\={date_range\=null, total_by\=SESSION_COUNT, order_by\=TOTAL, time_range_type\=LAST_24_HOURS, sort_order\=DESCENDING}, dateRange\=null, orderBy\=TOTAL, sortOrder\=DESCENDING, timeRangeType\=LAST_24_HOURS, totalBy\=SESSION_COUNT}, metaAliases\={}, aggregateFunction\='null', aggregateFieldName\='null', min\=null, max\=null}

Data export operations
    Feb 11 2019 11:20:30 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|DATA_ACCESS|submitExtractPcap|null|6| rt=Feb 11 2019 11:20:30 suser=admin sourceServiceName=SA_SERVER deviceExternalId=1cd6184e-25c4-0bbc-fb09-54ee8dfd0e8b deviceProcessName=SA_SERVER outcome=Success sproc=SA_SERVER spriv=Administrators parameters=deviceId\=6 collectionName\= predicateHandle\=c6cf sessionIds\=[9285468, 9286362, 9628535, 9629308, 10013047, 10017581, 10428756, 10439924, 10819088, 10820894, 11164416] startDate\=2019-02-11T08:20:00.000Z endDate\=2019-02-11T11:19:59.000Z id1\=1 id2\=287399592
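A consumer of these CEF audit lines has to split the pipe-delimited header and then walk the extension without breaking on the `\=` escapes inside values such as parameters. The following Python is an added example written for this page, not code from NetWitness or its documentation; its two sample lines are constructed in the shape of the examples above (shortened), and it pulls out the DATA_ACCESS/submitExtractPcap events so an auditor can see who exported packet data and when.

```python
import re

# Constructed sample lines in the shape of this page's CEF audit examples (the second one
# is trimmed; its parameters value carries the "\=" escapes and spaces seen on the page).
SAMPLE_LINES = [
    r"Feb 10 2019 17:03:35 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|"
    r"AUTHENTICATION|Logoff|null|6| rt=Feb 10 2019 17:03:35 suser=admin sourceServiceName=SA_SERVER "
    r"outcome=Success sproc=SA_SERVER spriv=Administrators",
    r"Feb 11 2019 11:20:30 adminserver.rsa.lab.emc.com CEF:0|RSA|NetWitness Audit|11.3.0.0|"
    r"DATA_ACCESS|submitExtractPcap|null|6| rt=Feb 11 2019 11:20:30 suser=admin outcome=Success "
    r"spriv=Administrators parameters=deviceId\=6 collectionName\= predicateHandle\=c6cf "
    r"sessionIds\=[9285468, 9286362] startDate\=2019-02-11T08:20:00.000Z",
]
HEADER = ("cef_version", "vendor", "product", "device_version",
          "category", "operation", "name", "severity")

def unescape(value):
    # CEF escapes '=' in extension values as '\=' and a backslash as '\\'.
    return value.replace(r"\=", "=").replace("\\\\", "\\")

def parse_extension(ext):
    # A new key starts at a space followed by '<key>=' with an unescaped '='; the key
    # class stops at a backslash, so an escaped '\=' inside a value never opens a new key.
    fields = {}
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, _, value = pair.partition("=")
        fields[key] = unescape(value)
    return fields

def parse_cef_audit(line):
    """Return a dict for one NetWitness Audit CEF line, or None if it has no CEF payload."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Header: 8 fields split on unescaped pipes; everything after the 8th is the extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=8)
    if len(parts) != 9:
        return None
    record = dict(zip(HEADER, (p.replace(r"\|", "|") for p in parts[:8])))
    record["severity"] = int(record["severity"])
    record["ext"] = parse_extension(parts[8])
    return record

def export_events(lines):
    # Defender's view: which user exported PCAP data, when, and with what parameters.
    return [(r["ext"]["suser"], r["ext"]["rt"], r["ext"].get("parameters", ""))
            for r in map(parse_cef_audit, lines)
            if r and r["category"] == "DATA_ACCESS" and r["operation"] == "submitExtractPcap"]
```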

 

The following table shows examples of global audit logs using the default human-readable format template on a third-party syslog server.

User Logouts
    02-11-2019 23:38:18 User.Info 10.118.129.49 Feb 12 2019 07:36:41 adminserver.rsa.lab.emc.com Feb 12 2019 07:36:41 SA_SERVER [audit] Event Category: AUTHENTICATION Operation: Logoff Outcome: Success Description: null User: testuser Role: Administrators

All UI pages accessed
    02-11-2019 23:49:54 User.Info 10.118.129.49 Feb 12 2019 07:48:17 adminserver.rsa.lab.emc.com Feb 12 2019 07:48:17 SA_SERVER [audit] Event Category: SYSTEM Operation: Page Accessed Outcome: Success Description: null User: testuser Role: Administrators

Committed configuration changes
    02-11-2019 23:55:26 User.Info 10.118.129.49 Feb 12 2019 07:53:49 adminserver.rsa.lab.emc.com Feb 12 2019 07:53:49 SA_SERVER [audit] Event Category: CONFIGURATION Operation: commit Outcome: null Description: LicensingMiscConfiguration changed by testuser User: testuser Role: Administrators

Queries performed by the user
    02-11-2019 23:56:07 User.Info 10.118.129.49 Feb 12 2019 07:56:19 loghybrid Feb 12 2019 07:56:19 CONCENTRATOR [audit] Event Category: DATA_ACCESS Operation: sdk.language Outcome: success Description: has finished language (channel 421836, queued 00:00:00, execute 00:00:00) User: admin Role: null

Data export operations
    2-11-2019 23:57:24 User.Info 10.118.129.49 Feb 12 2019 07:55:47 adminserver.rsa.lab.emc.com Feb 12 2019 07:55:47 SA_SERVER [audit] Event Category: DATA_ACCESS Operation: submitExtractPcap Outcome: Success Description: null User: testuser Role: Administrators

For lists of the message types logged by the various NetWitness Platform components, see Global Audit Logging Operation Reference.
