Is there a way to look at the audit log in SA?
For example, who is enabling the rule, disabling it, etc.
In RSA enVision, all the activity will be stored under "NIC System".
Do we have a similar option in SA?
Audit logs are always generated by Core services (Decoders, Concentrators, Brokers, etc.). You can view them by going to the log window and searching for them. You can also retrieve them over the REST API of the respective service, for example:
This brings up a good point. Are you able to have the logs sent to the log collector for aggregation so one doesn't have to manually pull the logs?
Thanks for your response.
What is the meta or keyword to view them in the log window under Investigation -> Events?
My response was geared towards viewing the audit logs for an individual service. All Core services have a logging API that allows a client to search and display the various types of logs that are generated, including audit logs.
By default, those logs are not sent to a Log Decoder. They are generated via syslog however and could be sent to a Log Decoder, but that process is beyond the scope of a forum answer. For 10.5, audit logs from all services are sent to a central repository for searching on the SA appliance. Consult your documentation on how to search those logs, but again, that's also not part of Investigation.
Thanks for the reply.