2017-11-19 03:49 AM
Hi,
The Internal Audit team in my organization needs the audit log and URL integration for all SA users. How can I extract these files, and where are they located?
Appreciate your help.
2017-11-20 02:31 PM
Anas,
The audit log can be found on the UI server at /var/lib/netwitness/uax/logs/audit/audit.log. What are you referencing when you are talking about URL integration?
2017-11-21 12:53 AM
Hi John,
URL integration: the investigation query for each analyst, shown in the GUI under this path:
System >> URL Integration
Regards,
Anas Bdeir
2017-11-21 11:16 AM
Anas,
The only way I know to extract the URL integrations is to copy them down manually from the UI. I believe these are actually stored in the H2 database on the UI head. If they are in there, it is not an easy thing, and if you don't know what you are doing you can seriously break your installation (think UI doesn't come up).
By looking over the documentation, it appears that the URL Integration area represents the query breadcrumbs, which can be used for third-party integration. In other words, the queries found in this area should be represented elsewhere in the system. These other locations should be the logs on the brokers and concentrators, as you can see the user that ran the query and what the query was. It does not look like the URL Integration was designed to be an audit tool.
My suggestion would be to limit analysts to brokers within your environment and then collect the query information from these brokers. This would provide your auditors with the query information they are looking for.
2017-11-22 04:11 AM
Thanks, John.