Define a Template for Global Audit Logging

This topic provides instructions on how to define an audit logging template to use for Global Audit Logging. Before you configure Global Audit Logging, configure a Syslog notification server and select an Audit Logging template. You can choose to use a default audit logging template or you can define your own template.

NetWitness includes two default audit logging templates:

  • Default Audit CEF Template: You can use this template for Log Decoders and third-party syslog servers.
  • Default Audit Human-Readable Format: You can use this template only for third-party syslog servers. Do not forward messages from this template to a Log Decoder.

The first procedure provides instructions on how to define an audit logging template for a Log Decoder. The audit logging template defines the format and message fields of the audit logs sent to the Log Decoder or third-party syslog server.

Global audit logging templates that you define for a Log Decoder use Common Event Format (CEF) and must meet the following specific standard requirements:

  • Include the CEF headers in the template.
  • Use only the extensions (Key=Value) listed in the Supported CEF Meta Keys table.
  • Ensure that the extensions are in the key=%{string}<space>key=%{string} format.

The second procedure provides instructions on how to define a custom global audit logging template in human-readable format for a third-party syslog server. For third-party syslog servers, you can define your own format (CEF or non-CEF).

Define a Global Audit Logging Template for a Log Decoder

You can use the Default Audit CEF Template to send global audit logs to a Log Decoder. To define your own template:

  1. Go to Admin > System.
  2. In the options panel, select Global Notifications.
  3. Click the Templates tab.
  4. Click the Add icon to configure a template.
  5. In the Define Template dialog, provide the following information:
    1. In the Name field, type the name for the template.
    2. In the Template Type field, select the Audit Logging template type.
    3. In the Description field, type a brief description for the template.
    4. In the Template field, enter the format for the audit logging template.
      The following format is a customized template provided as an example. It differs from the default CEF template.

      CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} dpt=%{destinationPort} dst=%{destinationAddress} dvcpid=%{deviceProcessId} tpt=%{transportProtocol} sessionId=%{sessionId} scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} deviceFacility=%{deviceFacility} outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} userGroup=%{userGroup} userRole=%{userRole} key=%{key} value=%{value} paramKey=%{Key} paramValue=%{Value} alert=%{alert} incident=%{incident} action=%{action} notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} disabled=%{disabled} params=%{parameters}

      The CEF syslog header at the start of the template (CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|) is required to conform to the CEF standard and is required by the CEF parser in the Log Decoder. The other keys are optional and you can configure them. The Supported CEF Meta Keys table lists all meta keys that the CEF parser in the Log Decoder supports.

    Note: Use all of the extensions in the following format:
    deviceProcessName=%{deviceProcessName} outcome=%{outcome}
    Include a <space> between each key=%{string} pair in the extension keys section.

    Note: After you upgrade to 11.x from an earlier version, '$' is automatically replaced with '%'.

  6. Click Save.

After you define the CEF audit logging template, ensure that you have deployed and enabled the latest Common Event Format (CEF) parser from Live. "Find and Deploy Live Resources" in the Live Services Management Guide provides instructions.

Note: If you need to use a specific meta key for Investigations and Reporting, ensure that the meta keys that you select are indexed in the table-map-custom.xml file on the Log Decoder. If they are not indexed, follow the instructions in the "Maintain the Table Map Files" topic in the Host and Services Configuration Guide to update the table mappings. Ensure that the meta keys are also indexed in the index-concentrator-custom.xml file on the Concentrator. See the "Edit a Service Index File" topic in the Host and Services Configuration Guide for additional information.

Define a Custom Global Audit Logging Template

For third-party syslog servers, you can define your own template format (CEF or non-CEF). You can use the Default Audit Human-Readable Format template to send global audit logs to a third-party syslog server in a format that is easier to read than the CEF format. If you want to define your own template in human-readable format, follow this procedure.

For Log Decoders, you must use a CEF template that meets some specific requirements. The Define a Global Audit Logging Template for a Log Decoder procedure above provides instructions for creating a template in CEF format.

To define a custom global audit logging template in human-readable format:

  1. Go to Admin > System.
  2. In the left navigation panel, select Notifications.
  3. Click the Templates tab.
  4. Click the Add icon to configure a template.
  5. In the Define Template dialog, provide the following information:
    1. In the Name field, type the name for the template.
    2. In the Template Type field, select the Audit Logging template type.
    3. In the Description field, type a brief description for the template.
    4. In the Template field, enter the format for the audit logging template. The following example is in human-readable format with selected meta key variables.
      %{timestamp} %{deviceService} [audit] Event Category: %{category} Operation: %{operation} Outcome: %{outcome} Description: %{text} User: %{identity} Role: %{userRole} Parameters: %{parameters}

      You can use any of the meta key variables that are supported by global audit logging shown in the Supported Global Audit Logging Meta Key Variables table.
  6. Click Save.

The following example shows global audit logs in human-readable format for this template:

Jun 11 2019 04:53:54 UpdateStackConcentrator Jun 11 2019 04:53:54 CONCENTRATOR [audit] Event Category: DATA_ACCESS Operation: sdk.info Outcome: pending Description: has requested the SDK summary info User: admin Role: null params=flags\=1

Jun 11 2019 04:53:55 updatestackadminserver Jun 11 2019 04:53:55 source-server [audit] Event Category: API Operation: /rsa/process/ready Outcome: success Description: null User: NetWitness Web(nw-web) Role: null params={"Arguments":"[]"}

Jun 11 2019 05:15:46 UpdateStackeplh Jun 11 2019 05:15:46 LOG_DECODER [audit] Event Category: MANAGEMENT Operation: upload Outcome: pending Description: has started uploading file User: escalateduser Role: null params=file\=esmFeed.zip
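The following Python script is an added example, not part of the NetWitness product or this guide. It checks a CEF template against the three Log Decoder requirements stated above (CEF header present, only supported extension keys, key=%{string} pairs separated by single spaces) and renders a human-readable template against a sample audit event like the ones shown in the logs above. The allowlist is a partial set copied from the page's example template, and the 'null' rendering of missing fields is an assumption based on the sample logs.

```python
import re

# Partial allowlist, copied from the keys used in this page's example
# template. In practice, load the Supported CEF Meta Keys table instead.
SUPPORTED_CEF_KEYS = {
    "rt", "src", "spt", "dpt", "dst", "dvcpid", "tpt", "sessionId", "scope",
    "suser", "sourceServiceName", "deviceProcessName", "deviceFacility",
    "outcome", "msg", "user", "userRole", "params",
}
# One extension pair: key=%{variable}; variables may contain dots (e.g. Add.Role).
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)=%\{([A-Za-z][A-Za-z0-9.]*)\}")
VAR_RE = re.compile(r"%\{([^}]+)\}")


def validate_cef_template(template, supported=SUPPORTED_CEF_KEYS):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    # CEF header: "CEF:0" plus six |-terminated fields (vendor, product,
    # version, signature id, name, severity), then the extension section.
    parts = template.split("|")
    if len(parts) < 8 or parts[0] != "CEF:0":
        return ["missing or malformed CEF header (expect CEF:0 plus six |-delimited fields)"]
    for i, field in enumerate(parts[1:7], start=1):
        if not field:
            problems.append(f"CEF header field {i} is empty")
    extension = "|".join(parts[7:])
    # Splitting on a single space surfaces doubled or trailing spaces as empty tokens.
    for token in extension.split(" "):
        match = PAIR_RE.fullmatch(token)
        if not match:
            problems.append(f"extension not in key=%{{string}} form: {token!r}")
        elif match.group(1) not in supported:
            problems.append(f"unsupported extension key: {match.group(1)}")
    return problems


def render(template, event):
    """Substitute %{variable} from an audit event dict. Missing fields render
    as 'null' (assumption: matches the 'Role: null' seen in the sample logs)."""
    return VAR_RE.sub(lambda m: str(event.get(m.group(1), "null")), template)


# Constructed samples: a trimmed version of the page's CEF template and the
# page's human-readable template.
CEF_TEMPLATE = ("CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|"
                "%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} "
                "suser=%{identity} deviceProcessName=%{deviceProcessName} outcome=%{outcome}")
HUMAN_TEMPLATE = ("%{timestamp} %{deviceService} [audit] Event Category: %{category} "
                  "Operation: %{operation} Outcome: %{outcome} Description: %{text} "
                  "User: %{identity} Role: %{userRole} Parameters: %{parameters}")
```

Run validate_cef_template on a candidate before saving it in the Define Template dialog; a doubled space or an unknown key shows up as a listed problem rather than as silently dropped meta on the Log Decoder.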

Next Step

Define a Global Audit Logging Configuration provides instructions for defining a global audit logging configuration for NetWitness.