View Audit Logs and Verify ESA Component Versions

This topic provides details about audit logging and instructions to verify the versions of the ESA components installed. These procedures apply to ESA Correlation Rules.

View Audit Logs for Rules

Audit logging allows you to view details about rules that are created and changed in NetWitness. There are local audit logs in each of the services in NetWitness. When Global Audit Logging is configured, NetWitness audit logs collect in a centralized system that converts them into the required format and forwards them to an external syslog system.

For details on how to access your local audit logs, see "Local Audit Log Locations" in the System Configuration Guide. To set up Global Audit Logging, see "Configure Global Audit Logging" in the System Configuration Guide.

The following Syslog global audit log examples show create, update, remove rule, and delete deployment actions for the ESA Correlation service (correlation-server).

Create Action

09-17-2018 08:59:50 System3.Info 10.0.0.0 Sep 17 15:59:54 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=create, success=true, identity=admin, parameters={EngineSettings=}}

09-17-2018 08:59:50 System3.Info 10.0.0.0 Sep 17 15:59:54 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/module/settings/set, success=true, identity=admin, parameters={Arguments=[ModuleSettings(id=null, name=a-d-v:multiple_failed-login_successful-login-rule-module, displayName=ADV: Multiple_FailedLogin_SuccessfulLogin, enabled=true, eplStatements=[module GHmoduleId15;@Name('GHmoduleName15') @Description('GHmoduleDesc15') @RSAAlert(oneInSeconds=0, identifiers={"user_dst"}) SELECT * FROM Event(ec_outcome in ('Success', 'Failure') AND ec_activity='Logon').win:time(5 min) match_recognize (measures F as f_array, S as s pattern (F F F F F+ S+) define F as F.ec_outcome= 'Failure', S as S.ec_outcome= 'Success');], queries=[], maxConstituentEvents=null, logFiredRules=null, trial=false, alert=ModuleSettings.Alert(respondEnabled=true, severity=9, notificationReasons=[], uniqueIdentifiers=[], rateLimit=RateL...

09-17-2018 08:59:50 System3.Info 10.0.0.0 Sep 17 15:59:54 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=create, success=true, identity=admin, parameters={ModuleSettings=}}

Update Action

09-17-2018 08:54:21 System3.Info 10.0.0.0 Sep 17 15:54:25 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=update, success=true, identity=admin, parameters={EngineSettings=5b9fce315068213b17760553}}

09-17-2018 08:54:21 System3.Info 10.0.0.0 Sep 17 15:54:25 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/engine/settings/set, success=true, identity=admin, parameters={Arguments=[EngineSettings(id=null, name=endpoint-sa-managed, displayName=endpoint, description=endpoint, enabled=true, eventType=Event, instanceId=1abc9465-d0d4-48a9-9205-414066fabc2f, streamId=5b9fce314a5b1f5951babc29, moduleIds=[5b9fce314a5b1f5951babc2a, 5b9fce314a5b1f5951babc2b], enableStatementMetric=null)]}}

Remove Rule Action

09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/stream/settings/remove, success=true, identity=admin, parameters={Arguments=[5b9fcf7a4a5b1f5951babc2c]}}

09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=remove, success=true, identity=admin, parameters={StreamSettings=5b9fcf7a4a5b1f5951babc2c}}

Delete Deployment Action

09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/engine/settings/remove, success=true, identity=admin, parameters={Arguments=[5b9fcfcb4a5b1f5951babc2f]}}

09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} DataAccess{action=remove, success=true, identity=admin, parameters={EngineSettings=5b9fcfcb4a5b1f5951babc2f}}

09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary {deviceVendor=RSA, deviceVersion=11.3.0.0, deviceService=correlation-server, deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, deviceProduct=NetWitness} API{action=/rsa/correlation/engine/stop, success=true, identity=admin, parameters={Arguments=[madhavi-sa-managed]}}

Each log entry contains the following fields:

  • Time stamp: Time at which the receiving syslog system recorded the entry. Example: 09-17-2018 08:54:21. The second time stamp, after the IP address (for example, Sep 17 15:54:25), is the time reported by the ESA host itself and may be in a different time zone from the receiver.

  • System Info: Syslog facility and severity of the entry, and the IP address of the system that sent it. Example: System3.Info 10.0.0.0

  • deviceVersion: Version of your ESA service. Example: 11.3.0.0

  • deviceService: Service that performed the action. Example: correlation-server

  • deviceServiceId: Unique identifier of that service instance. Example: 1abc9465-d0d4-48a9-9205-414066fabc2f

  • action: Operation performed. DataAccess entries use the values create, update, and remove; API entries record the API path that was called. Examples: create, update, remove, /rsa/correlation/engine/stop

  • success: Whether the action completed. Example: success=true. Entries with success=false, in particular failed remove or stop actions, are the ones to review first.

  • parameters: Object-specific data for the action. For DataAccess entries this names the object type and its identifier (for example, StreamSettings=5b9fcf7a4a5b1f5951babc2c); for API entries it lists the call arguments (Arguments=[...]). The keys relevant to rules include:

    • moduleIds: Unique identifiers of the rules (EPL modules) in a deployment. Example: moduleIds=[5b9fce314a5b1f5951babc2a, 5b9fce314a5b1f5951babc2b]

    • enabled: Whether the rule is enabled. Example: enabled=true

    • respondEnabled: Whether alerts from this rule are sent to the Respond view. Example: respondEnabled=true

    • trial: Whether the rule is configured as a trial rule. Example: trial=false

    • eplStatements: The rule syntax. Long statements may be truncated in the syslog message. Example:

      eplStatements=[module GHmoduleId15;@Name('GHmoduleName15') @Description('GHmoduleDesc15') @RSAAlert(oneInSeconds=0, identifiers={"user_dst"}) SELECT * FROM Event(ec_outcome in ('Success', 'Failure') AND ec_activity='Logon').win:time(5 min) match_recognize (measures F as f_array, S as s pattern (F F F F F+ S+) define F as F.ec_outcome= 'Failure', S as S.ec_outcome= 'Success');]

  • identity: NetWitness user who performed the action. Example: admin
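The field layout described above is regular enough to parse, which is what a SOC needs in order to alert when someone removes rules, deletes deployments or stops the correlation engine. The following is an added example, not code from the NetWitness documentation or product: it parses correlation-server audit entries in the syslog form shown on this page and flags the entries worth reviewing. The line layout and field names are taken from the samples above; the review policy (flag removals, engine stops and any failed action) and the sample input (four entries copied from this page plus one constructed failed removal by a hypothetical svc-deploy user) are assumptions made for the example.

```python
"""Parse NetWitness ESA Correlation (correlation-server) global audit log
entries and flag the ones that change or disable detection content.

Added example, not code from the NetWitness documentation.  The line
layout (receiver time, facility.severity, sender IP, device time, host,
{device block}, DataAccess{...} or API{...}) follows the samples on the
page; the review policy below is an illustrative choice.
"""
import re
from dataclasses import dataclass
from typing import Optional

_LINE_RE = re.compile(
    r"^(?P<received>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<sender>\S+) "
    r"(?P<device_time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) \{(?P<device>[^}]*)\} "
    r"(?P<category>DataAccess|API)\{(?P<body>.*)\}\s*$"
)
_KV_RE = re.compile(r"(\w+)=([^,}]*)")


@dataclass
class AuditEvent:
    received: str
    host: str
    device: dict          # deviceVendor, deviceVersion, deviceService, ...
    category: str         # "DataAccess" or "API"
    action: str           # create/update/remove, or the API path
    success: bool
    identity: str
    parameters: str       # verbatim contents of parameters={...}


def parse_line(line: str) -> AuditEvent:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a correlation-server audit entry: {line[:60]!r}")
    # action/success/identity precede parameters={...}; the parameters
    # block can hold commas, braces and whole EPL statements, so it is
    # kept verbatim rather than split on commas.
    head, sep, params = m["body"].partition("parameters={")
    fields = dict(_KV_RE.findall(head))
    return AuditEvent(
        received=m["received"],
        host=m["host"],
        device=dict(_KV_RE.findall(m["device"])),
        category=m["category"],
        action=fields["action"],
        success=fields.get("success") == "true",
        identity=fields["identity"],
        parameters=params[:-1] if sep else "",   # strip the closing brace
    )


def classify(ev: AuditEvent) -> Optional[str]:
    """Label entries that remove or disable detection content, else None."""
    if not ev.success:
        return "failed-action"
    if ev.category == "DataAccess" and ev.action == "remove":
        return "content-removed"
    if ev.category == "API":
        if ev.action.endswith("/remove"):
            return "content-removed"
        if ev.action.endswith("/stop"):
            return "engine-stopped"
    return None


def review(lines):
    """Return (received, identity, action, label) for each entry to review."""
    findings = []
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            label = classify(ev)
            if label:
                findings.append((ev.received, ev.identity, ev.action, label))
    return findings


# Constructed sample input: entries copied from the page plus one made-up
# failed removal by a hypothetical "svc-deploy" user.
_DEV = ("{deviceVendor=RSA, deviceVersion=11.3.0.0, "
        "deviceService=correlation-server, "
        "deviceServiceId=1abc9465-d0d4-48a9-9205-414066fabc2f, "
        "deviceProduct=NetWitness}")
SAMPLE_LINES = [
    "09-17-2018 08:54:21 System3.Info 10.0.0.0 Sep 17 15:54:25 esaprimary "
    + _DEV + " DataAccess{action=update, success=true, identity=admin,"
    " parameters={EngineSettings=5b9fce315068213b17760553}}",
    "09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary "
    + _DEV + " API{action=/rsa/correlation/stream/settings/remove,"
    " success=true, identity=admin,"
    " parameters={Arguments=[5b9fcf7a4a5b1f5951babc2c]}}",
    "09-17-2018 09:01:11 System3.Info 10.0.0.0 Sep 17 16:01:15 esaprimary "
    + _DEV + " DataAccess{action=remove, success=true, identity=admin,"
    " parameters={StreamSettings=5b9fcf7a4a5b1f5951babc2c}}",
    "09-17-2018 09:02:45 System3.Info 10.0.0.0 Sep 17 16:02:50 esaprimary "
    + _DEV + " API{action=/rsa/correlation/engine/stop, success=true,"
    " identity=admin, parameters={Arguments=[madhavi-sa-managed]}}",
    "09-17-2018 09:05:02 System3.Info 10.0.0.0 Sep 17 16:05:06 esaprimary "
    + _DEV + " API{action=/rsa/correlation/engine/settings/remove,"
    " success=false, identity=svc-deploy,"
    " parameters={Arguments=[5b9fcfcb4a5b1f5951babc2f]}}",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(*finding)
```

The object identifier carried in parameters (for example the StreamSettings id in a remove entry) is the same id that appears in the earlier create or update entries for that object, so findings can be joined back to the rule or deployment they affected. The parser expects complete messages; a truncated entry such as the create example above, which ends in RateL..., has no closing braces and is rejected rather than silently mis-parsed.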

ESA Audit Logs on NW Server (11.5 and Later)

In NetWitness Platform 11.5 and later, in addition to the audit logs available on the ESA Correlation server (correlation-server), new audit logs on the NW Server (SA_SERVER) show when users add, modify, filter, delete, export, and import ESA rules in the Rule Library. The NW Server audit logs also show when users add, modify, and deploy ESA rule deployments. Modifications to an ESA rule deployment include adding, deleting, or updating a rule in a deployment as well as adding a data source or an ESA Correlation service to a deployment.

Verify ESA Correlation Version

  1. Use ssh to connect to the host running the ESA Correlation service and log in as the root user.
  2. Type the following command and press ENTER:
    rpm -qa | grep rsa-nw-correlation-server
    The installed rsa-nw-correlation-server package, including its version, is displayed.