Configure Centralized Audit Logging
NetWitness Platform collects audit logs from all the NetWitness services and aggregates them into a single file in a centralized location on the NetWitness Admin Server. This aggregated log file gives faster access to the audit logs and makes them easier to analyze.
The aggregated logs from all services are sent to the following centralized location:
- /var/netwitness/logstash/logs/rsa-netwitness-audit.log (JSON format)
- Syslog running on the local host (human-readable format)
Centralized audit logging is enabled by default. To forward the aggregated logs to an external syslog system (a third-party Syslog server or a Log Decoder), you must configure Global Audit Logging in (Admin) > System > Global Auditing. The aggregated logs are sent in the format specified in the selected Audit Logging template. A Syslog Notification Server configuration defines the destination to which the audit logs are sent. To forward the audit logs to a Log Decoder, configure a Notification Server of type Syslog for the Log Decoder.
- For instructions on how to define a template, see Define a Template for Global Audit Logging
- For instructions on how to configure a syslog notification server, see Configure a Destination to Receive Global Audit Logs
- For instructions on how to configure global Audit logging, see Define a Global Audit Logging Configuration
Filtering the Aggregated Logs
Before the logs are aggregated, standard filters are applied to reduce redundancy and to discard logs that are not useful. The filters contain entries that control the content written to the aggregated log file. The following default filters are available in /etc/logstash/:
- json-filter-action.yaml
- json-filter-category.yaml
json-filter-action.yaml - This filter blacklists log messages based on the operation meta key and stops them from being written to the aggregated log file. For example, if "/rsa/process/ready":"true" is entered in json-filter-action.yaml, any raw log whose operation meta key contains "/rsa/process/ready" is blacklisted and not written to the aggregated log file.
Note: If you do not want to apply filters, delete all the default entries and replace them with the {} character. This increases the log size, and the logs may contain redundant entries.
json-filter-category.yaml - This filter whitelists log messages based on the category meta key and writes them to the aggregated log file. For example, if '\b(?i)SECURITY\b':"true" is entered in json-filter-category.yaml, any raw log whose category meta key contains 'SECURITY' as a whole word (matched case-insensitively) is whitelisted and written to the aggregated log file.
Log Retention Policy
The aggregated log file is retained as per the following default settings:
- If the file size reaches 250 MB, the file is compressed as a single zip file.
- If the number of zip files exceeds 90, the oldest zip file in the directory is automatically deleted.
You can modify the log retention policy in the file /etc/logrotate.d/logstash.
Note: The size of the aggregated log file depends on the filters applied, so make sure to set up filters correctly for optimal directory space.
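An illustration of how the two defaults above map onto logrotate directives. This is an added example, not the contents of the shipped /etc/logrotate.d/logstash: the path and the two limits are the ones stated above, while the choice of directives (and in particular the compression directive, since logrotate's compress uses gzip unless compresscmd is set) is an assumption.

```conf
# Illustrative logrotate stanza for the aggregated audit log (added example,
# not the shipped file). Path and limits are those the documentation states;
# the directives used to express them are an assumption.
/var/netwitness/logstash/logs/rsa-netwitness-audit.log {
    # Rotate once the active file reaches 250 MB.
    size 250M
    # Keep at most 90 rotated archives; beyond that the oldest is deleted.
    rotate 90
    # Compress each rotated archive (gzip by default; compresscmd would change that).
    compress
    # Tolerate a missing or empty file instead of failing the run.
    missingok
    notifempty
}
```

Any change here is picked up on logrotate's next scheduled run; `logrotate -d /etc/logrotate.d/logstash` dry-runs the stanza and reports parse errors without touching the files.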
Disable Centralized Audit Logging
If you do not want the logs to be aggregated, delete all the default entries in the json-filter-category.yaml filter and replace them with the {} character.
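The filter semantics described under Filtering the Aggregated Logs, including the {} case this section uses to disable aggregation, simulated on constructed audit events. This is an added example, not NetWitness code: the two filter files are modelled as Python dicts rather than parsed YAML, the sample events and the extra filter entries are constructed, and applying the operation blacklist before the category whitelist (and dropping events that match no whitelist entry) is an assumption drawn from the blacklist/whitelist wording above.

```python
"""Simulate the action blacklist and category whitelist on constructed audit events.

Added example, not NetWitness code. The two filter files are represented as
Python dicts with the same key/value shape as the YAML entries on the page;
evaluating the blacklist before the whitelist, and dropping events that match
no whitelist entry, are assumptions drawn from the blacklist/whitelist wording.
"""
import json
import re

# Constructed stand-in for /etc/logstash/json-filter-action.yaml.
# A key is an operation meta key value; "true" means: drop messages carrying it.
ACTION_BLACKLIST = {
    "/rsa/process/ready": "true",     # entry quoted in the documentation
    "/rsa/health/heartbeat": "true",  # constructed extra entry
}

# Constructed stand-in for /etc/logstash/json-filter-category.yaml.
# A key is a regular expression applied to the category meta key; "true" means:
# keep matching messages. The documentation writes its example as
# '\b(?i)SECURITY\b'; Python 3.11+ only accepts the (?i) flag at the start of a
# pattern, so the equivalent (?i)\bSECURITY\b is used here.
CATEGORY_WHITELIST = {
    r"(?i)\bSECURITY\b": "true",
    r"(?i)\bAUDIT\b": "true",         # constructed extra entry
}


def blacklisted_by_action(event: dict, blacklist: dict) -> bool:
    """True when the event's operation meta key is an enabled blacklist entry."""
    return blacklist.get(event.get("operation", "")) == "true"


def whitelisted_by_category(event: dict, whitelist: dict) -> bool:
    """True when an enabled whitelist pattern matches the category meta key.

    An empty whitelist ({}) matches nothing, which is why replacing the
    default entries with {} stops aggregation altogether.
    """
    category = event.get("category", "")
    return any(
        enabled == "true" and re.search(pattern, category) is not None
        for pattern, enabled in whitelist.items()
    )


def aggregate(raw_lines, blacklist=ACTION_BLACKLIST, whitelist=CATEGORY_WHITELIST):
    """Return the JSON lines that would be written to rsa-netwitness-audit.log."""
    kept = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line that is not JSON never reaches the aggregated file
        if blacklisted_by_action(event, blacklist):
            continue  # the blacklist wins even when the category would be whitelisted
        if whitelisted_by_category(event, whitelist):
            kept.append(line)
    return kept


def kept_operations(raw_lines, **filters):
    """Operation meta keys of the aggregated events, in input order."""
    return [json.loads(line)["operation"] for line in aggregate(raw_lines, **filters)]


# Constructed audit events in the JSON shape the aggregated file uses.
SAMPLE_EVENTS = [
    json.dumps({"operation": "/rsa/process/ready", "category": "SECURITY",
                "message": "service ready"}),            # blacklisted by operation
    json.dumps({"operation": "/rsa/user/login", "category": "security",
                "message": "admin logged in"}),          # kept: (?i) matches lowercase
    json.dumps({"operation": "/rsa/query/run", "category": "PERFORMANCE",
                "message": "slow query"}),               # dropped: no whitelist match
    json.dumps({"operation": "/rsa/config/update", "category": "AUDIT",
                "message": "retention changed"}),        # kept: AUDIT entry
    json.dumps({"operation": "/rsa/user/logout", "category": "SECURITY_EVENT",
                "message": "session closed"}),           # dropped: \b fails before "_"
    "not a json line",                                   # dropped: unparseable
]

if __name__ == "__main__":
    for line in aggregate(SAMPLE_EVENTS):
        print(line)
```

Running the script prints the two surviving lines (the lowercase "security" login and the "AUDIT" configuration change). Passing `whitelist={}` to `aggregate` reproduces the disable behaviour described in this section: nothing is written, regardless of the blacklist; passing `blacklist={}` reproduces the unfiltered case from the note above, where the "/rsa/process/ready" event is aggregated as well.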