Verify Global Audit Logs
This topic provides instructions on how to verify global audit logs. After you have configured global audit logging, you need to test your global audit logs to ensure that they show the audit events as defined in your global audit logging template.
In version 11.5 and later, audit logging provides information about the aggregation account and the actual user who submitted the query. For example, the information is displayed as follows in the audit log:
User aggAccount (session 478, [::1]:1133, on behalf of <username of submitter>) has requested the SDK transforms.
This information is available through multiple levels of Brokers and Concentrators.
Note: If you are running a mixed-version environment, any version earlier than 11.5 will not provide the real user information.
Before starting this task, complete the steps detailed in Configure Global Audit Logging.
To view and verify the global audit logs if you are using a Log Decoder:
- Go to Investigate > Events, select the Log Decoder service and click the submit query icon to the right of the query bar.
- Compare the fields in the global audit logs with the fields defined in the global audit logging template that you used in your global audit logging configuration.
- Double-click a log to open the reconstruction and click to open the Event Meta panel.
- Verify that the meta that you want to audit is correct.
Example CEF Output
The following example shows global audit logs for an audit logging Common Event Format (CEF) template.
Template:
CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} tpt=%{transportProtocol} scope=%{scope} suser=%{identity} sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text} remoteAddress=%{remoteAddress} reasonForFailure=%{reasonForFailure} reason=%{reason} arguments=%{Arguments} user=%{User} referrerURL=%{referrer} role=%{Role} id=%{id} account=%{Account} deviceIDs=%{deviceIDs} file=%{file} accountProvider=%{AccountProvider} uri=%{uri} addRole=%{Add.Role} addPermission=%{Add.Permission} userAgent=%{userAgent} userGroup=%{userGroup} userRole=%{userRole} key=%{Key} value=%{Value} alert=%{alert} incident=%{incident} action=%{action} notificationBinding=%{NotificationBinding} name=%{name} enabled=%{enabled} disabled=%{disabled} params=%{parameters}
Example logs:
Jun 07 2019 09:06:05 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|logoff|6|rt=Jun 07 2019 09:06:05 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success \r\n
Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 spt=55060 scope=scope suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d deviceProcessName=NwConcentrator outcome=success userGroup=Administrators userRole=admin.owner,aggregate,concentrator.manage,connections.manage,database.manage,everyone,index.manage,logs.manage,rules.manage,sdk.content,sdk.manage,sdk.meta,sdk.packets,services.manage,storedproc.execute,storedproc.manage,sys.manage,users.manage \r\n
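The field comparison in the verification steps above, and the "on behalf of" submitter text from 11.5, can both be checked mechanically. The following added example (not RSA's code) parses a CEF audit record, reports which extension keys are or are not covered by the template, and extracts the real submitter when an aggregation account is recorded. The template is a trimmed copy of the one above; the login event is the page's second example log shortened, and the query event, its category and operation names and the user "alice" are constructed.

```python
import re

# Constructed input: trimmed template, the page's login event (shortened), and a constructed
# 11.5-style query event whose msg carries the "on behalf of" submitter.
TEMPLATE = (
    "CEF:0|%{deviceVendor}|%{deviceProduct}|%{deviceVersion}|%{category}|%{operation}|%{severity}|"
    "rt=%{timestamp} src=%{sourceAddress} spt=%{sourcePort} scope=%{scope} suser=%{identity} "
    "sourceServiceName=%{deviceService} deviceExternalId=%{deviceExternalId} "
    "deviceProcessName=%{deviceProcessName} outcome=%{outcome} msg=%{text} "
    "userGroup=%{userGroup} userRole=%{userRole}")
LOGIN = ("Jun 07 2019 09:06:11 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.3.1.0|"
         "AUTHENTICATION|login|6|rt=Jun 07 2019 09:06:11 src=101.101.101.101 spt=55060 scope=scope "
         "suser=admin sourceServiceName=CONCENTRATOR deviceExternalId=3ebf91d9-e879-4727-a473-72d309e1741d "
         "deviceProcessName=NwConcentrator outcome=success userGroup=Administrators userRole=admin.owner,aggregate")
QUERY = ("Jun 07 2019 09:07:00 UpdateStackConcentrator CEF:0|RSA|NetWitness Audit|11.5.0.0|"
         "DATA_ACCESS|sdkQuery|6|rt=Jun 07 2019 09:07:00 src=127.0.0.1 spt=1133 suser=aggAccount "
         "sourceServiceName=CONCENTRATOR outcome=success "
         "msg=User aggAccount (session 478, [::1]:1133, on behalf of alice) has requested the SDK transforms.")

HEADER_FIELDS = ("deviceVendor", "deviceProduct", "deviceVersion", "category", "operation", "severity")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs; values may contain spaces
SUBMITTER_RE = re.compile(r"on behalf of (\S+)\)")

def template_keys(template):
    """Extension keys the template defines, in template order."""
    return re.findall(r"(\w+)=\s*%\{", template.split("|", 7)[7])

def parse_cef(line):
    """Parse one syslog-prefixed CEF:0 record into header fields plus extension keys.
    Escaped pipes (\\|) inside header values, which these audit logs do not use, are not handled."""
    parts = line[line.index("CEF:"):].split("|", 7)   # 7 pipes end the header; msg may contain '|'
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record: %r" % line[:40])
    event = dict(zip(HEADER_FIELDS, parts[1:7]))
    event.update((k, v.strip()) for k, v in EXT_RE.findall(parts[7]))
    return event

def verify(line, template):
    """Return (undefined, missing): keys in the event the template never defines, and template
    keys absent from the event. Empty fields are omitted from the log, so 'missing' is often
    normal (a logoff has no userGroup); any 'undefined' key means a different template is in use."""
    event, defined = parse_cef(line), template_keys(template)
    present = [k for k in event if k not in HEADER_FIELDS]
    return ([k for k in present if k not in defined], [k for k in defined if k not in event])

def submitter(line):
    """Real user behind an aggregation account (11.5 and later), else the suser itself."""
    event = parse_cef(line)
    m = SUBMITTER_RE.search(event.get("msg", ""))
    return m.group(1) if m else event.get("suser")
```

Run `verify` over every record exported from the Log Decoder; a non-empty first element is the mismatch the comparison step is meant to catch.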