Managing Audit Records
License:
Any
Defense Centers and managed devices log read-only auditing information for user activity. Audit logs are presented in a standard event view that allows you to view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and can view detailed reports of the changes that users make.
The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.
Note If you reboot a Series 3 appliance, then log into the CLI as soon as you are able, any commands you execute are not recorded in the audit log until the web interface is available.
For more information, see the following sections:
Viewing Audit Records
License:
Any
You can use the appliance to view a table of audit records. Then, you can manipulate the view depending on the information you are looking for. The predefined audit workflow includes a single table view of events. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows.
The following table describes some of the specific actions you can perform on an audit log workflow page.
Table 69-1 Audit Log Actions

To... | You can...
learn more about the contents of the columns in the table | find more information in Understanding the Audit Log Table.
modify the time range used when viewing audit records | find more information at Setting Event Time Constraints. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.
sort and constrain events on the current workflow page | find more information in Sorting Table View Pages and Changing Their Layout.
navigate within the current workflow page | find more information in Navigating to Other Pages in the Workflow.
navigate between pages in the current workflow, keeping the current constraints | click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages.
drill down to the next page in the workflow | use one of the following methods:
- To drill down to the next workflow page constraining on a specific value, click a value within a row. Note that this only works on drill-down pages. Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.
- To drill down to the next workflow page constraining on some events, select the check boxes next to the events you want to view on the next workflow page, then click View.
- To drill down to the next workflow page keeping the current constraints, click View All.
Tip Table views always include “Table View” in the page name. For more information, see Constraining Events.
constrain on a specific value | click a value within a row. If you click a value on a drill-down page, you move to the next page and constrain on the value. Clicking a value within a row in a table view constrains the table view and does not drill down to the next page. For more information, see Constraining Events.
delete audit records | use one of the following methods:
- To delete some items, select the check boxes next to the events you want to delete, then click Delete.
- To delete all items in the current constrained view, click Delete All, then confirm that you want to delete all the events.
temporarily use a different workflow | click (switch workflow). For more information, see Selecting Workflows.
bookmark the current page so you can quickly return to it | click Bookmark This Page. For more information, see Using Bookmarks.
navigate to the bookmark management page | click View Bookmarks. For more information, see Using Bookmarks.
generate a report based on the data in the current view | click Report Designer. For more information, see Creating a Report Template from an Event View.
view a summary of a change recorded in the audit log | click the compare icon next to applicable events in the Message column. For more information, see Using the Audit Log to Examine Changes.
To view audit records:
Access: Admin
Step 1 Select System > Monitoring > Audit.
The first (and only) page of the default audit log workflow appears. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range. For more information, see Setting Event Time Constraints.
Tip If you are using a custom workflow that does not include the table view of audit events, click (switch workflow), then select Audit Log.
Working with Audit Events
License:
Any
You can change the layout of the event view or constrain the events in the view by a field value. To disable a column, click the close icon in the heading of the column that you want to hide, then click Apply in the pop-up window that appears. When you disable a column, it is disabled for the duration of your session (unless you add it back later). Note that when you disable the first column, the Count column is added.
To hide or show other columns, or to add a disabled column back to the view, select or clear the appropriate check boxes before you click Apply.
Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.
Tip Table views always include “Table View” in the page name.
For more information, see the following topics:
Suppressing Audit Records
License:
Any
If your auditing policy does not require that you audit specific types of user interactions with the FireSIGHT System, you can prevent those interactions from generating audit records. For example, by default, each time a user views the online help, the FireSIGHT System generates an audit record. If you do not need to keep a record of these interactions, you can automatically suppress them.
To configure audit event suppression, you must have access to an appliance’s admin user account, and you must be able to either access the appliance’s console or open a secure shell.
Caution Make sure that only authorized personnel have access to the appliance and to its admin account.
To suppress audit records, you must create one or more files in the /etc/sf directory in the following form:
AuditBlock.type
where type is address, message, subsystem, or user.
Note If you create an AuditBlock.type file for a specific type of audit message, but later decide that you no longer want to suppress them, you must delete the contents of the AuditBlock.type file but leave the file itself on the FireSIGHT System.
The contents for each audit block type must be in a specific format, as described in the following table. Make sure you use the correct capitalization for the file names. Note also that the contents of the files are case sensitive.
Table 69-2 Audit Block Types

Type | File name and contents
Address | Create a file named AuditBlock.address and include, one per line, each IP address that you want to suppress from the audit log. You can use partial IP addresses provided that they map from the beginning of the address. For example, the partial address 10.1.1 matches addresses from 10.1.1.0 through 10.1.1.255.
Message | Create a file named AuditBlock.message and include, one per line, the message substrings that you want to suppress. Note that substrings are matched, so if you include backup in your file, all messages that include the word backup are suppressed.
Subsystem | Create a file named AuditBlock.subsystem and include, one per line, each subsystem that you want to suppress. Note that substrings are not matched; you must use exact strings. See the Subsystem Names table for a list of subsystems that are audited.
User | Create a file named AuditBlock.user and include, one per line, each user account that you want to suppress. You can use partial string matching provided that the partial string maps from the beginning of the user name. For example, the partial user name IPSAnalyst matches the user names IPSAnalyst1 and IPSAnalyst2.

Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed (where type is the block type you added) is added to the audit events. For security reasons, this audit record cannot be suppressed.
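The following shell script is an added example, not part of the FireSIGHT documentation or the appliance's own code. It emulates the four AuditBlock matching rules described above against constructed audit records, so that a suppression list can be dry-run before it is written to /etc/sf on a production appliance. It writes its files to a scratch directory rather than /etc/sf; the record format (user|subsystem|message|source IP) is invented for the example; and it assumes that partial addresses match on octet boundaries, which the page implies with its 10.1.1 example but does not state outright. It also shows the two behaviors the notes above call out: an emptied AuditBlock file suppresses nothing, and the Audit Filter type Changed record is never suppressed.

```shell
#!/bin/sh
# Added example (not FireSIGHT code): dry-run emulator for AuditBlock.* files.
# Assumptions not stated on the page: partial addresses match on octet
# boundaries; everything else is plain, case-sensitive string comparison.
# Files go to a scratch directory, never to /etc/sf.
AUDITBLOCK_DIR="${AUDITBLOCK_DIR:-${TMPDIR:-/tmp}/auditblock.$$}"
mkdir -p "$AUDITBLOCK_DIR"

# Constructed suppression policy, one entry per line, case-sensitive.
write_blocks() {
  printf '%s\n' '10.1.1'     > "$AUDITBLOCK_DIR/AuditBlock.address"   # 10.1.1.0-10.1.1.255
  printf '%s\n' 'Page View'  > "$AUDITBLOCK_DIR/AuditBlock.message"   # substring
  printf '%s\n' 'Help'       > "$AUDITBLOCK_DIR/AuditBlock.subsystem" # exact
  printf '%s\n' 'IPSAnalyst' > "$AUDITBLOCK_DIR/AuditBlock.user"      # prefix
}

# _each_entry TYPE MATCHER VALUE: run MATCHER ENTRY VALUE for every non-empty
# line of AuditBlock.TYPE; succeed on the first matcher that succeeds.
_each_entry() {
  f="$AUDITBLOCK_DIR/AuditBlock.$1"
  [ -s "$f" ] || return 1            # missing or emptied file suppresses nothing
  while IFS= read -r entry || [ -n "$entry" ]; do
    [ -n "$entry" ] || continue
    "$2" "$entry" "$3" && return 0
  done < "$f"
  return 1
}
_m_address()   { case "$2" in "$1"|"$1".*) return 0;; esac; return 1; }  # octet-boundary prefix
_m_message()   { case "$2" in *"$1"*)      return 0;; esac; return 1; }  # substring
_m_subsystem() { [ "$2" = "$1" ]; }                                      # exact string
_m_user()      { case "$2" in "$1"*)       return 0;; esac; return 1; }  # string prefix

blocked_address()   { _each_entry address   _m_address   "$1"; }
blocked_message()   { _each_entry message   _m_message   "$1"; }
blocked_subsystem() { _each_entry subsystem _m_subsystem "$1"; }
blocked_user()      { _each_entry user      _m_user      "$1"; }

# keep_record 'user|subsystem|message|source_ip' -> 0 if the record would be
# written to the audit log, 1 if one of the AuditBlock files suppresses it.
keep_record() {
  IFS='|' read -r u s m a <<EOF
$1
EOF
  # The record the appliance writes when an AuditBlock file changes can never
  # be suppressed, whatever the files contain.
  case "$s|$m" in 'Audit|Audit Filter '*' Changed') return 0;; esac
  if blocked_address "$a" || blocked_message "$m" || blocked_subsystem "$s" || blocked_user "$u"; then
    return 1
  fi
  return 0
}

# Stand-alone demo over constructed records.
write_blocks
for rec in 'admin|Audit|Audit Filter address Changed|10.1.1.5' \
           'jsmith|Help|Page View|172.16.1.37' \
           'jsmith|Health|Save|172.16.1.37' \
           'IPSAnalyst2|Intrusion Events|Page View|192.0.2.9' \
           'jsmith|Health|Save|10.1.10.5'; do
  if keep_record "$rec"; then echo "kept:       $rec"; else echo "suppressed: $rec"; fi
done
```

The demo records show the edge cases worth checking before deploying a list: 10.1.10.5 is not caught by the 10.1.1 entry because the match stops at an octet boundary, the lowercase user ipsanalyst2 would not be caught because file contents are case sensitive, and the Audit Filter address Changed record from 10.1.1.5 is kept even though its source address is on the block list.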
The following table lists audited subsystems.
Table 69-3 Subsystem Names

Subsystem | Includes user interactions with...
Admin | Administrative features such as system and access configuration, time synchronization, backup and restore, device management, user account management, and scheduling
Alerting | Alerting functions such as email, SNMP, and syslog alerting
Audit Log | Audit event views
Audit Log Search | Audit event searches
Command Line | Command line interface
Configuration | Email alerting
COOP | Continuity of operations feature
Date | Date and time range for event views
Default Subsystem | Options that do not have assigned subsystems
Detection & Prevention Policy | Menu options for intrusion policies
Error | System-level errors
eStreamer | eStreamer configuration
EULA | Reviewing the end user license agreement
Events | Intrusion and discovery event views
Events Clipboard | Intrusion event clipboard
Events Reviewed | Reviewed intrusion events
Events Search | Any event search
Failed to install rule update rule_update_id | Installing rule updates
Header | Initial presentation of the user interface after a user logs in
Health | Health monitoring
Health Events | Health monitoring event views
Help | Online help
High Availability | High availability feature
IDS Impact Flag | Impact flag configuration
IDS Policy | Intrusion policies
IDSPolicy > policy_name > Appliance > det_engine_name | Applying intrusion policies
IDSRule sid:sig_id rev:rev_num | Intrusion rules by SID
Incidents | Intrusion incidents
Insert Policy Apply Job | Applying policies
Install | Installing updates
Intrusion Events | Intrusion events
Login | Web interface login and logout functions
Menu | Any menu option
Configuration export > config_type > config_name | Importing configurations of a specific type and name
Permission Escalation | User role escalation
Preferences | User preferences, such as the time zone for a user account and individual event preferences
Policy | Any policy, including intrusion policies
Register | Registering devices on a Defense Center
RemoteStorageDevice | Configuring remote storage devices
Reports | Report listing and report designer features
Rules | Intrusion rules, including the rule editor and the rule importation process
Rule Update Import Log | Viewing the rule update import log
Rule Update Install | Installing rule updates
Status | Syslog, as well as host and performance statistics
System | Various system-wide settings
System Policy > policy_name Appliance > appliance_name | Applying system policies
Task Queue | Viewing the task queue
Users | Creating and modifying user accounts and roles
Understanding the Audit Log Table
License:
Any
Each appliance generates an audit event for each user interaction with the web interface. Each event includes a time stamp, the user name of the user whose action generated the event, a source IP, and text describing the event. The fields in the audit log table are described in the following table.
Table 69-4 Audit Log Fields

Field | Description
Time | Time and date that the appliance generated the audit record.
User | User name of the user that triggered the audit event.
Subsystem | Menu path the user followed to generate the audit record. For example, System > Monitoring > Audit is the menu path to view the audit log. In a few cases where a menu path is not relevant, the Subsystem field displays only the event type. For example, Login classifies user login attempts.
Message | Action the user performed. For example, Page View signifies that the user simply viewed the page indicated in the Subsystem, while Save means that the user clicked the Save button on the page. Changes made to the FireSIGHT System appear with a compare icon that you can click to see a summary of the changes. For more information, see Using the Audit Log to Examine Changes.
Source IP | IP address associated with the host used by the user.
Count | The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
Using the Audit Log to Examine Changes
License:
Any
You can use the audit log to view detailed reports of changes to your system. These reports compare the current configuration of your system to its most recent configuration before a particular change.
A compare icon appears next to audit log events that reflect changes to the system. You can click the compare icon to access the Compare Configurations page and view a detailed report of a change.
The Compare Configurations page displays the differences between the system configuration before changes and the running configuration in a side-by-side format. The audit event type, time of last modification, and name of the user who made the change are displayed in the title bar above each configuration.
Differences between the two configurations are highlighted:
-
Blue indicates that the highlighted setting is different in the two configurations, and the difference is noted in red text.
-
Green indicates that the highlighted setting appears in one configuration but not the other.
To examine a change in the audit log:
Access: Admin
Step 1 Select System > Monitoring > Audit.
The first page of the default audit log workflow appears.
If you are using a custom workflow that does not include the table view of audit events, click (switch workflow), then select Audit Log.
Step 2 Click the compare icon next to an applicable audit log event in the Message column.
The Compare Configurations page appears. Note that you can navigate through changes individually by clicking Previous or Next above the title bar. If the change summary is more than one page long, you can also use the scroll bar on the right to view additional changes.
Searching Audit Records
License:
Any
You can search audit records to find information specific to a user, a specific subsystem, or an audit record message.
You may want to create searches customized for your network environment, then save them to reuse later. The search criteria you can use are described in the following table. Note that audit searches are not case sensitive. For example, searching for Analyst01 or analyst01 yields the same results.
Table 69-5 Audit Record Search Criteria

Field | Description | Example
User | Enter the user name of the user who triggered the audit events you want to see. You can use an asterisk (*) as a wildcard character in this field. | jsmith returns all audit records involving the user jsmith.
Subsystem | Enter the full menu path a user would follow to generate the audit records you want to see. You can use an asterisk (*) as a wildcard character in this field. | System > Monitoring > Audit and *Audit both return audit records that involve using the audit log. *Audit* returns all of the above records, plus records that involve searching for audit records.
Message | The action the user performed or the button the user clicked on the page. You can use an asterisk (*) as a wildcard character in this field. | Apply returns audit records where the user clicked Apply (for example, to apply an intrusion policy). Save Rule returns audit records where the user clicked Save Rule (for example, when saving a correlation rule). Page View returns audit records where the user viewed the page.
Time | Specify the date and time the audit record was generated. See Specifying Time Constraints in Searches for the syntax for entering time. | > 2006-01-15 13:30:00 returns all audit records generated after January 15, 2006 at 1:30 PM.
Source IP | Enter the IP address of the host that you want to view audit records for. Note You must type a specific IP address. You cannot use IP ranges when searching audit logs. | 172.16.1.37 returns all audit records generated by a user from the 172.16.1.37 IP address.
Configuration Change | Specify whether or not you want to view audit records of configuration changes. | yes returns audit records of configuration changes.
For more information on searching, including how to load and delete saved searches, see Searching for Events.
To search for audit records:
Access: Admin
Step 1 Select Analysis > Search.
The Search page appears.
Step 2 Select Audit Log Events from the table drop-down list.
The Audit Log search page appears.
Tip To search the database for a different kind of event, select it from the table drop-down list.
Step 3 Enter your search criteria in the appropriate fields, as described in the Audit Record Search Criteria table.
If you enter criteria for multiple fields, the search returns only the records that match the search criteria specified for all fields.
Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 5 Optionally, you can save the search to be used again in the future. You have the following options:
- Click Save to save the search criteria. For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
- Click Save As New to save a new search or assign a name to a search you created by altering a previously saved search. A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
Step 6 Click Search to start the search.
Your search results appear in the default audit log workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see Configuring Event View Settings.
Viewing the System Log
License:
Any
The System Log (syslog) page provides you with system log information for the appliance. The system log displays each message generated by the system. The following items are listed in order:
-
the date that the message was generated
-
the time that the message was generated
-
the host that generated the message
-
the message itself
Note System log information is local. For example, you cannot use the Defense Center to view system status messages in the system logs on your managed devices.
You can view system log messages for specific components by using the filter feature. For more information, see Filtering System Log Messages.
To view the syslog:
Access: Admin/Maint
Step 1 Select System > Monitoring > Syslog.
The System Log page appears.
Tip On the 3D9900, the Load Balancing Interface Module (LBIM) forwards messages to the device's syslog. You can find these messages by filtering on lbim.
Filtering System Log Messages
License:
Any
You can view system log messages for specific components by using the filter feature. Filtering allows you to search for specific messages based on content.
The filter functionality uses the UNIX text search utility grep, so you can use most syntax that grep accepts, including grep-compatible regular expressions for pattern matching. You can use a single word as a filter, or you can use a grep-supported regular expression to search for content.
The following table shows the regular expression syntax you can use in System Log filters:
Table 69-6 System Log Filter Syntax

Syntax | Description | Example
. | Matches any character or white space | Admi. matches Admin, AdmiN, Admi1, and Admi&
[[:alpha:]] | Matches any alphabetic character | [[:alpha:]]dmin matches Admin, bdmin, and Cdmin
[[:upper:]] | Matches any uppercase alphabetic character | [[:upper:]]dmin matches Admin, Bdmin, and Cdmin
[[:lower:]] | Matches any lowercase alphabetic character | [[:lower:]]dmin matches admin, bdmin, and cdmin
[[:digit:]] | Matches any numeric character | [[:digit:]]dmin matches 0dmin, 1dmin, and 2dmin
[[:alnum:]] | Matches any alphanumeric character | [[:alnum:]]dmin matches 1dmin, admin, 2dmin, and bdmin
[[:space:]] | Matches any white space, including tabs | Feb[[:space:]]29 matches logs from February 29th.
* | Matches zero or more instances of the character or expression it follows | ab* matches a, ab, abb, ca, cab, and cabb. [ab]* matches anything.
? | Matches zero or one instances of the character or expression it follows | ab? matches a or ab.
\ | Allows you to search for a character typically interpreted as regular expression syntax | alert\? matches alert?.

Note The ? and \ rows describe extended regular expression (grep -E) behavior. In grep's basic syntax (the default when grep is invoked without -E), ? is an ordinary character, and in GNU grep \? is the zero-or-one operator. A quick check: if a filter of alert? returns messages that contain alert but no question mark, the appliance is evaluating the filter as an extended regular expression; if it returns only messages that contain the literal string alert?, it is using basic syntax.
The following table shows some example filters you can use on the System Log page.
Table 69-7 System Log Filter Examples

To search for all log entries that... | Use this filter
Are generated on November 5 | Nov[[:space:]]*5
Contain the user name “Admin” | Admin
Contain authorization debugging information on November 5 | Nov[[:space:]]*5.*AUTH.*DEBUG
To search for specific message content in the system log:
Access: Admin/Maint
Step 1 Select System > Monitoring > Syslog.
The System Log page appears.
Step 2 Enter a word or query in the filter field.
See the tables above for more information about the filter syntax you can use.
Note Only grep-compatible search syntax is supported. For example, you could search for all NTP-related system log messages by using ntp as a filter, or search for all messages generated in November by using Nov as a filter. You could view messages from November 27th by using Nov[[:space:]]*27 or Nov.*27, but you could not use Nov 27 or Nov*27 to view these messages.
Step 3 Optionally, to make your search case-sensitive, check Case-sensitive. (By default, filters are not case-sensitive.)
Step 4 Optionally, check Exclusion to search for all system log messages that do not meet the criteria you entered.
Step 5 Click Go.
The messages that match the filter appear.
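As an added example, not part of the FireSIGHT documentation or the appliance's code, the following shell script runs the filter expressions from the tables above through plain grep over a constructed syslog excerpt, so the syntax can be rehearsed off-box before it is typed into the System Log page. It assumes that leaving Case-sensitive unchecked corresponds to grep -i and that checking Exclusion corresponds to grep -v; how the appliance actually invokes grep is not documented on this page. It goes beyond the page's own examples in two ways: it shows why the filters in Table 69-7 use [[:space:]]* rather than a literal space (syslog pads single-digit days with a second space, so Nov 5 never matches a real Nov  5 entry), and it shows how the ? row behaves under basic versus extended regular expression syntax.

```shell
#!/bin/sh
# Added example (not FireSIGHT code): rehearse System Log filters with grep.
# Assumptions: default filter = grep -i, "Case-sensitive" checked = no -i,
# "Exclusion" checked = grep -v. The log below is constructed for the example.
SAMPLE_LOG='Nov  5 03:12:01 dc sshd[2231]: pam_unix(sshd:auth): authentication failure; user=Admin
Nov  5 03:12:09 dc AUTH DEBUG login attempt for admin from 172.16.1.37
Nov 15 08:40:22 dc ntpd[1024]: synchronized to 10.1.1.1, stratum 2
Nov 27 11:05:44 dc SF-IMS[4190]: backup task completed
Dec  5 09:00:00 dc lbim: interface 1 state change
Nov 27 11:06:00 dc alert raised by sensor 1
Nov 27 11:06:05 dc alert? raised by sensor 2'

# run_filter GREPFLAGS PATTERN: print the lines of SAMPLE_LOG matching PATTERN.
# GREPFLAGS is deliberately unquoted so '' means "no flags" and '-i -v' splits.
run_filter() { printf '%s\n' "$SAMPLE_LOG" | grep $1 -e "$2"; }

# count GREPFLAGS PATTERN: number of matching lines (0 when nothing matches).
count() { run_filter "$1" "$2" | awk 'END { print NR }'; }

# Stand-alone demo mirroring the page's three toggles and its table examples.
show() { printf '%-34s %-6s -> %s line(s)\n' "$2" "[$1]" "$(count "$1" "$2")"; }
show -i  'Nov[[:space:]]*5'              # Table 69-7: padded day "Nov  5" matches
show -i  'Nov 5'                         # literal single space misses "Nov  5"
show -i  'Nov[[:space:]]*5.*AUTH.*DEBUG' # Table 69-7, third row
show -i  'admin'                         # default: case-insensitive, Admin and admin
show ''  'admin'                         # Case-sensitive checked: admin only
show ''  '[[:upper:]]dmin'               # Table 69-6 character class
show -iv 'ntp'                           # Exclusion checked: everything but ntpd
show ''  'alert?'                        # basic syntax: ? is a literal character
show -E  'alert?'                        # extended syntax: ? means optional
show -E  'alert\?'                       # extended syntax: \? is a literal ?
```

When run, the two alert? lines are the quick check described in the note under Table 69-6: under basic syntax the filter returns only the sensor 2 message, under extended syntax it returns both sensor messages. The Nov 5 line returning nothing is the reason the page's date filters use [[:space:]]* rather than a typed space.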