NW Cfg: Local Audit Log Locations

Document created by RSA Information Design and Development on Sep 14, 2017Last modified by RSA Information Design and Development on Mar 27, 2018
Version 11Show Document
  • View in full screen mode
  

NetWitness Suite has global audit logging capabilities. When you configure global audit logging, audit logs from all NetWitness Suite components collect in a centralized system, which converts them into the required format and forwards them to a third-party syslog server or a Log Decoder. 

To view audit logs from the individual services, you can look at the local audit log locations.The following table shows the local directory paths of the audit logs for the NetWitness Suite user interface and the various NetWitness Suite services.

                         
Service/ModuleAudit Log Location
NetWitness Suite User Interface
(NetWitness Suite Web Server)
The NetWitness Suite user interface sends audit logs to the following locations:
  • /var/lib/netwitness/uax/logs/audit/audit.log (human-readable format)
  • Syslog running on the local host (JSON format)
The NetWitness Suite user interface uses the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (/var/lib/netwitness/uax/logs/audit/audit.log).
Core Services (Decoder, Log Decoder, Concentrator, Broker, and Archiver), Log Collector,
Warehouse Connector, and Workbench
The Core services and similar services send audit logs to Syslog running on the local host. 
Path: /var/log/secure (JSON format)
The Core services use the AUTHPRIV facility of syslog to write audit logs to syslog.
Reporting Engine,
Malware Analysis,
Respond, and
Event Stream Analysis (ESA)
These services send audit logs to the following locations:
  • <application-home-directory>/logs/audit/audit.log (human-readable format)
  • Syslog running on the local host (JSON format)

The following are the audit log locations of these services:
Reporting Engine
/var/netwitness/re-server/rsa/soc/reporting-engine/logs/audit/audit.log
Respond Server:

/var/log/netwitness/respond-server/respond-server.audit.log
Malware Analysis:

/var/lib/netwitness/malware-analytics-server/spectrum/logs/audit/audit.log
Event Stream Analysis:
/opt/rsa/esa/logs/audit/audit.log
These services use the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (<application-home-directory>/logs/audit/audit.log).

Health & Wellness, Event Source Management (ESM), and Appliance and Service Grouping (ASG)These Services send audit logs to the following locations:
  • /opt/rsa/sms/logs/audit/audit.log (human-readable format)
  • Syslog running on the local host (JSON format)
These services use the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (/opt/rsa/sms/logs/audit/audit.log).
You are here
Table of Contents > References > Global Audit Logging Configurations Panel > Local Audit Log Locations

Attachments

    Outcomes