I cannot seem to find 'administrative activity' on any of my firewalls. Which table(s)/fields have this information? I do not manage the firewalls, but I've been told and have looked at the configuration of the firewalls. We are either pulling all logs from Check Point or receiving them from our PIX.
Scenario: Firewall admin named Joe decides to log on to a firewall and make a change to a rule. He then logs off. Of course Joe has permission as he has gone through the proper change management procedure.
What I'd like to pull out of enVision: I would like to see Joe's ID, the time he logged on, the rule he made the change to, and the time he logged off. (Now I can compare his change and the time to the change management request Joe made.)
I cannot find the firewall rule change information anywhere.