Configure Audit Logging in the Cloud Administration Console

Audit logging lets system administrators track user and system events across all identity routers in a deployment. SecurID recommends configuring audit logging so that the identity router sends user events, system events, or both to a syslog server using the standard syslog protocol.

Note: You can bundle together a collection of identity router logs (including the audit log) to download as a single file. The log bundle contains more detailed information with debug-level logging turned on than it does for standard-level logging. See Contents of Identity Router Log Bundle and Identity Router Logging.

Before you begin

  • You must be a Super Admin in the Cloud Administration Console.
  • If you plan to send audit log files to a syslog server, first configure the server.

Procedure

  1. In the Cloud Administration Console, click Platform > Audit Logging.
  2. To enable audit logging, click Enabled.
  3. From the Output Type drop-down list, choose where you want to send the audit logs:
    • Store on identity router (default) – Send audit logs only to a local file on each identity router. If you select this option, skip to step 5.
    • Send to syslog (recommended) – Send consolidated audit logs from all identity routers to a syslog server, where you can view them directly. If you select this option, complete step 4.
  4. Configure syslog settings as follows:
    1. From the Routing Interface drop-down list, select the identity router network interface through which the logs will travel:
      • Public – The portal interface that the identity router uses to communicate with users, web applications, and the Cloud Authentication Service, and to host the application portal.
      • Private – The management interface that the identity router uses to communicate with DNS servers, identity sources, authentication sources, and RADIUS clients.

      Note: This setting does not apply for identity routers in the Amazon cloud. Configure route tables in your Amazon Web Services environment to direct traffic between the identity router and syslog server through the appropriate gateway in your VPC.

    2. In the Server field, enter the hostname or IP address for the syslog server.
    3. In the Port field, enter the port on which the syslog server listens. The default is 514, the standard syslog port for UDP.
    4. From the Protocol drop-down list, select the network protocol the syslog server uses to receive data. Choose UDP (the default), TCP, or TCP over SSL.
    5. (Optional) From the Security Method drop-down list, select a security method to protect the logs from tampering. If you select an HMAC method, enter the password in the HMAC Password field.
  5. Select Log user events to log user events, such as attempts to sign in and authenticate, and changes to the user profile (keychain credentials). Select Include authorization requests to include authorization requests to access policies that allow or deny access to applications.
  6. Select Log system events to log successful system events, such as system backup, firewall rule changes, and identity router errors. System events include web services. Select Include system error events to include system error events in the audit log.
     Note: The identity router does not generate system error events for RADIUS.

  7. Click Save.
  8. (Optional) To publish this configuration and immediately activate it on the identity router, click Publish Changes.
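The prerequisite above says to configure the syslog server first. The following is an added example, not from the SecurID documentation, of an rsyslog (version 8, RainerScript syntax) receiver that matches the Protocol options in step 4: a UDP 514 listener for the console default and a TLS listener for the "TCP over SSL" option. The identity router addresses, certificate paths, log file path and the 6514 port are assumptions; the port you enter in the Port field must match the listener you enable.

```conf
# Added example (not SecurID's own code): rsyslog receiver for identity
# router audit logs. Addresses, certificate paths and file paths are
# constructed placeholders. Pick the listener that matches Protocol.

# Option A: UDP on 514, the console default. UDP carries no transport
# protection, so messages can be read or spoofed on the path; combine it
# with Security Method = HMAC in step 4.5 and the source filter below.
module(load="imudp")
input(type="imudp" port="514" ruleset="idr_audit")

# Option B: "TCP over SSL" in the console = TLS on the rsyslog side.
# The CA file must be the chain the identity router presents or trusts
# (assumed paths). Plain TCP would be the same imtcp input without the
# StreamDriver.* settings on the module line.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/syslog-server.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/syslog-server.key"
)
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"        # 1 = TLS required
       StreamDriver.AuthMode="anon")
input(type="imtcp" port="6514" ruleset="idr_audit")

ruleset(name="idr_audit") {
  # Accept only from the identity routers' routing interface addresses
  # (constructed example addresses) so stray hosts cannot write into the
  # audit file; everything else is discarded.
  if $fromhost-ip == "192.0.2.10" or $fromhost-ip == "192.0.2.11" then {
    action(type="omfile" file="/var/log/securid/idr-audit.log")
  }
  stop
}
```

Restart rsyslog after saving the file, then publish the console change and confirm a sign-in event appears in the audit file before relying on it.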