2014-07-09 09:07 AM
Hi all,
Is there an internal mechanism for auditing user actions in SA? As far as I can see in the reporting/SA server/other module logs, only the debug log is available.
For example, I cannot see that user Bob tested rule #1, changed some reports or schedules, created some users, etc.
There was such an audit in enVision, and customers demand the same functionality in SA, but I cannot see how we can achieve this.
BTW, I use this nice parser, but it only covers the system debug.
Any ideas on this? Or will there be an additional auditing module for $100500?
2014-07-09 09:51 AM
That seems a little cheap for an audit module. But I ran into this same issue with internal audit. The response from RSA was that they realize they have failed to give a proper way to audit the Security Analytics system and will be looking at adding something in the future; they did reference that 10.4 is likely, but engineering is working on it.
In the meantime, if you don't mind insanely ugly logs that don't really report on anything but are better than nothing, look in '/var/lib/netwitness/uax/logs/audit'.
Sample of adding a user:
2014-06-19 14:32:15,290 INFORMATION:Added User:Local User Setup:Changed by seandko from null:Username=[test]:Full Name=test:Description=:Email=test@test.com:Disabled=false:Expired=false:Locked=false:Roles=Warehouse Analyst
2014-07-09 10:46 AM
Thanks for the hint, this info looks like what I was looking for! I could forward it with the rsyslog/SFTP agent to a decoder, make a parser for it, and it will be candy.
But this file ('/var/lib/netwitness/uax/logs/audit') is empty on my SA server somehow. Did you turn on this auditing via GUI/REST?
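The post above proposes forwarding the file audit log to a decoder and writing a parser for it. As an added example (not the thread's own parser or anything shipped with Security Analytics), here is a small Python parser for the record shape shown in the earlier sample line; the sample input is constructed, the regex assumes every record carries a "Changed by <actor> from <origin>" segment because that is the only shape the thread shows, and the reading of "from <origin>" as the previous value is an assumption.

```python
import re
from datetime import datetime
# Constructed input: line 1 is the thread's sample, line 2 a made-up variant
# with a colon inside a value, line 3 a non-audit line that must be skipped.
SAMPLE_LOG = """\
2014-06-19 14:32:15,290 INFORMATION:Added User:Local User Setup:Changed by seandko from null:Username=[test]:Full Name=test:Description=:Email=test@test.com:Disabled=false:Expired=false:Locked=false:Roles=Warehouse Analyst
2014-06-19 14:40:01,005 INFORMATION:Changed User:Local User Setup:Changed by seandko from null:Username=[test]:Description=shift 08:00-16:00:Locked=true
some unrelated debug output
"""
# <timestamp> <level>:<action>:<category>:Changed by <actor> from <origin>:key=value:...
# (only record shape shown in the thread; anything else is counted as skipped)
RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ([A-Z]+):([^:]*):([^:]*):"
    r"Changed by (\S+) from ([^:]*):?(.*)$")

def parse_attrs(text):
    """Split 'k=v:k=v' attributes; a colon inside a value (e.g. a time) is glued back."""
    attrs, last_key = {}, None
    for seg in text.split(":"):
        if "=" in seg:
            last_key, value = seg.split("=", 1)
            attrs[last_key] = value
        elif last_key is not None:
            attrs[last_key] += ":" + seg
    return attrs

def parse_audit_line(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = RECORD.match(line.rstrip("\n"))
    if not m:
        return None
    ts, level, action, category, actor, origin, attr_text = m.groups()
    # "from <origin>" is assumed to be the previous value ("null" when the object is new)
    return {"timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"),
            "level": level, "action": action, "category": category,
            "actor": actor, "origin": origin, "attrs": parse_attrs(attr_text)}

def parse_audit_log(text):
    """Parse a whole file; returns (records, number of lines that were not audit records)."""
    records, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_audit_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped

if __name__ == "__main__":
    for r in parse_audit_log(SAMPLE_LOG)[0]:  # one "who did what to whom" line per record
        print(r["timestamp"], r["actor"], r["action"], r["attrs"].get("Username"))
```

The skipped count is worth watching when the parser runs over a real file: a non-zero value means the log contains record shapes this regex does not know about.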
2014-07-09 11:03 AM
Under System - Auditing - File Auditing - Enable.
2014-07-09 11:16 AM
Thanks - it works!
It's limited (for example, it omits report modifications), but at least we have something.
Would be nice to get a full list of actions that are being audited with this feature...
2014-07-09 11:23 AM
Looks like the reporting engine might also have logs...but my folder is empty.
/var/lib/netwitness/re/logs
2014-07-09 07:24 PM
Reporting engine logs are under /home/rsasoc/rsa/soc/reporting-engine/logs/
2014-07-09 07:24 PM
Some actions are not audited; I opened a support case before, so it's a feature request...
2014-07-10 07:47 AM
Yes, it's there, and it's mega ugly and doesn't have what I need (user's report management).
In fact it looks like the same log displayed in web gui for reporting engine.
2014-10-01 10:31 PM
This may be helpful:
Security Analytics Parser v2.0.zip
It doesn't cover everything, but more than v1.4.