SA internal audit
Is there an internal mechanism for auditing user actions in SA? As far as I can see in the reporting/SA server/other module logs, only a debug log is available.
For example I cannot see that user Bob tested rule#1 or changed some reports or schedules or created some users, etc.
There was such an audit in enVision, and customers demand the same functionality in SA, but I cannot see how we can achieve this.
Any ideas on this? Or will there be an additional auditing module for 100500$?
That seems a little cheap for an audit module. But I ran into this same issue with internal audit. The response from RSA was that they realize they have failed to give a proper way to audit the Security Analytics system and will be looking at adding something in the future; they did reference that 10.4 is likely, but engineering is working on it.
In the meantime, if you don't mind insanely ugly logs that don't really report on anything but are better than nothing, look in '/var/lib/netwitness/uax/logs/audit'.
Sample of adding a user.
2014-06-19 14:32:15,290 INFORMATION:Added User:Local User Setup:Changed by seandko from null:Username=[test]:Full Name=test:Description=:Emailemail@example.com:Disabled=false:Expired=false:Locked=false:Roles=Warehouse Analyst
Thanks for the hint, this info looks like what I was looking for! I could forward it with an rsyslog/sftp agent to a decoder, make a parser for it, and it will be a candy.
But this file ('/var/lib/netwitness/uax/logs/audit') is empty on my SA server somehow. Did you turn on this auditing via GUI/REST?
Thanks - it works!
It's limited (for example it omits report modifications) but at least we have something.
Would be nice to get a full list of actions that are being audited with this feature...
Yes, it's there and it's mega ugly and doesn't have what I need (user's report management)
In fact it looks like the same log displayed in web gui for reporting engine.
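An added example, not part of the thread and not RSA's code: a Python parser for the audit line format quoted above, inferred only from that single sample line. The field names (`labels`, `actor`, `from`, `attrs`, `unparsed`) are assumptions; segments the sample does not explain are kept in `unparsed` rather than guessed at.

```python
import re
from datetime import datetime

# The audit line quoted in the thread, copied as posted (including the
# "Email..." segment, which arrived without an "=" separator).
SAMPLE = (
    "2014-06-19 14:32:15,290 INFORMATION:Added User:Local User Setup:"
    "Changed by seandko from null:Username=[test]:Full Name=test:"
    "Description=:Emailemail@example.com:Disabled=false:Expired=false:"
    "Locked=false:Roles=Warehouse Analyst"
)

# Timestamp and level come first; the timestamp itself contains colons,
# so it is matched before the rest is split on ":".
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+):(.*)$")
ACTOR = re.compile(r"^Changed by (\S+) from (\S+)$")


def parse_audit_line(line):
    """Return a dict for one audit line, or None if it has no valid header."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    event = {
        "timestamp": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"),
        "level": m.group(2),
        "labels": [],    # free-text segments before the actor, e.g. "Added User"
        "actor": None,   # account named after "Changed by"
        "from": None,    # token after "from"; its meaning is not documented here
        "attrs": {},     # key=value segments
        "unparsed": [],  # anything that fits none of the above
    }
    for seg in m.group(3).split(":"):
        actor = ACTOR.match(seg)
        if actor:
            event["actor"], event["from"] = actor.groups()
        elif "=" in seg:
            key, _, value = seg.partition("=")
            event["attrs"][key.strip()] = value.strip("[]")
        elif event["actor"] is None:
            event["labels"].append(seg)
        else:
            event["unparsed"].append(seg)
    return event


def parse_audit_log(lines):
    """Parse many lines, skipping ones without a header (blank, wrapped, etc.)."""
    return [e for e in map(parse_audit_line, lines) if e is not None]
```

Because fields are split on ":", an attribute value that itself contains a colon would be broken across segments and its tail would land in `unparsed`; check that list before trusting a record.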