Changes that are made by JSA users are recorded in the audit logs. All audit logs are stored in plain text and are archived and compressed when the audit log file reaches 200 MB. The current log file is named audit.log. When the file reaches 200 MB, the file is compressed and renamed to audit.1.gz. The file number increments each time that a log file is archived. JSA stores up to 50 archived

Audit log data is also stored in the SIM Audit-2 log source, which can be used for filtering and reporting to track how users interact with JSA. The data retention is determined by your event retention
Viewing the Audit Log File
Use Secure Shell (SSH) to log in to your JSA system and monitor changes to your system.
You can use the Log Activity tab to view normalized audit log events.
The maximum size of any audit message, excluding date, time, and host name, is 1024 characters.
Each entry in the log file uses the following format:
<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
The following table describes the log file format options.
Table 1: Description of the Parts of the Log File Format

File format part      Description
<date_time>           The date and time of the activity in the format: Month Date HH:MM:SS
<host name>           The host name of the Console where this activity was logged.
<user>                The name of the user who changed the settings.
<IP address>          The IP address of the user who changed the settings.
(thread ID)           The identifier of the Java thread that logged this activity.
[<category>]          The high-level category of this activity.
[<sub-category>]      The low-level category of this activity.
[<action>]            The activity that occurred.
<payload>             The complete record, which might include the user record or event rule, that changed.
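As an added example (not code from the JSA documentation or the product itself), the following Python script parses entries in the documented format, reads the current audit.log together with its audit.N.gz archives, and flags any message that exceeds the 1024-character cap on the part after the date, time and host name. The regular expression that tokenizes the parts, the sample lines, the category and action strings, and the temporary directory it reads from are all constructed for this example; on a real system you would point load_entries() at the directory that holds audit.log.

```python
import gzip
import re
import tempfile
from collections import Counter
from pathlib import Path

# Entry layout documented for the JSA audit log:
# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
# The date is "Month Date HH:MM:SS", so it spans three whitespace-separated tokens.
# How the remaining parts tokenize (for example, that the thread ID contains no ")")
# is an assumption of this example, not something the documentation spells out.
AUDIT_LINE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<message>"
    r"(?P<user>[^@\s]+)@(?P<ip>\S+)\s+"
    r"\((?P<thread>[^)]*)\)\s+"
    r"\[(?P<category>[^\]]*)\]\s+"
    r"\[(?P<subcategory>[^\]]*)\]\s+"
    r"\[(?P<action>[^\]]*)\]\s*"
    r"(?P<payload>.*)"
    r")$"
)

# Documented cap on an audit message, excluding date, time and host name.
MAX_MESSAGE_CHARS = 1024


def parse_audit_line(line):
    """Parse one audit.log line into a dict, or return None if it does not match."""
    m = AUDIT_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    entry = m.groupdict()
    # A message longer than the documented cap cannot have been written by JSA
    # as-is, so flag it instead of silently accepting it.
    entry["within_cap"] = len(entry["message"]) <= MAX_MESSAGE_CHARS
    return entry


def audit_files(log_dir):
    """Return audit.log followed by the audit.N.gz archives, ordered by archive number.

    The documentation says the number increments on each rotation; this example
    assumes that reading means ascending number order is oldest archive first.
    """
    log_dir = Path(log_dir)
    archives = []
    for path in log_dir.glob("audit.*.gz"):
        number = path.name.split(".")[1]
        if number.isdigit():
            archives.append((int(number), path))
    current = log_dir / "audit.log"
    ordered = [current] if current.exists() else []
    return ordered + [path for _, path in sorted(archives)]


def read_lines(path):
    """Yield lines from a plain-text or gzip-compressed audit log file."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh


def load_entries(log_dir):
    """Parse every entry in the current log and all archives; skip unparseable lines."""
    entries = []
    for path in audit_files(log_dir):
        for line in read_lines(path):
            entry = parse_audit_line(line)
            if entry is not None:
                entry["source_file"] = path.name
                entries.append(entry)
    return entries


def count_actions(entries):
    """Count entries per (category, action); a quick way to spot bursts of changes."""
    return Counter((e["category"], e["action"]) for e in entries)


# Constructed sample lines for this example; the category, sub-category and
# action strings are illustrative, not values copied from a real JSA system.
SAMPLE_CURRENT = [
    "Dec 14 09:12:44 console1 admin@10.0.0.5 (Thread-42) [Configuration] [UserAccount] [Add] User account analyst1 added",
    "Dec 14 09:13:02 console1 admin@10.0.0.5 (Thread-42) [Configuration] [UserAccount] [Edit] Role for analyst1 changed to Admin",
    "this line is not an audit entry and must be skipped",
]
SAMPLE_ARCHIVED = [
    "Dec 13 22:01:10 console1 analyst1@10.0.0.9 (Thread-17) [Authentication] [Login] [Deny] Invalid password for analyst1",
    "Dec 13 22:01:30 console1 analyst1@10.0.0.9 (Thread-17) [Authentication] [Login] [Deny] Invalid password for analyst1",
]


def build_sample_dir():
    """Write the constructed sample lines as audit.log plus one gzip archive (audit.1.gz)."""
    log_dir = Path(tempfile.mkdtemp(prefix="jsa-audit-"))
    (log_dir / "audit.log").write_text("\n".join(SAMPLE_CURRENT) + "\n", encoding="utf-8")
    with gzip.open(log_dir / "audit.1.gz", "wt", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_ARCHIVED) + "\n")
    return log_dir


if __name__ == "__main__":
    entries = load_entries(build_sample_dir())
    for (category, action), n in sorted(count_actions(entries).items()):
        print(f"{category:15} {action:6} {n}")
```

Because the archived files are gzip-compressed plain text, the same parser handles audit.log and every audit.N.gz without a separate code path; only the opener changes. If you need a strict chronological order across the current log and its archives, sort the returned entries by their date_time field rather than relying on the file numbering.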
- Using SSH, log in to JSA as the root user:
- User Name: root
- Password: password
- Go to the following directory:
- Open and view the audit log file.
Creating Reports from Audit Log Searches in JSA
To help you track how users interact with JSA, create reports that are based on your search results.
- Click Log Activity > Add Filter.
- In the Add Filter window, configure the following
Table 2: Settings to Configure
Settings to configure
Log Source [Indexed]
- Click Add Filter.
- If events are streaming into the Log Activity tab, click Pause.
- From the View list, select a time interval.
- To save the search, click Save Criteria, provide a name for the search, and then click OK.
- To generate a report from your search result, follow these
  - From the Reports tab, click Actions > Create.
  - Follow the report wizard.
  - In the Saved Searches field, type the name of the search that you created for the SIM audit log source.
  - Click Save Container Details.
  - Finish the report wizard pages.
The JSA audit logs are in the
The following list describes the categories of actions that are in the audit log file:
Log in to the Administration Console.
Log out of the Administration Console.
Delete an asset.
Delete all assets.
Audit Log Access--A search that includes events that have a high-level event category of Audit.
Backup and Recovery--
Edit the configuration.
Initiate the backup.
Complete the backup.
Fail the backup.
Delete the backup.
Synchronize the backup.
Cancel the backup.
Initiate the restore.
Upload a backup.
Upload an invalid backup.
Initiate the restore.
Purge the backup.
Chart Configuration--Save flow or event chart configuration.
Content export initiated.
Content export complete.
Content import initiated.
Content import complete.
Content update initiated.
Content update complete.
Content search initiated.
Custom actions added.
Custom actions modified.
Ariel property added.
Ariel property modified.
Ariel property expression added.
Ariel property expression modified.
CRE rule added.
CRE rule modified.
Device extension added.
Device extension modified.
Device extension association modified.
Historical correlation profile added.
Historical correlation profile modified.
QID map entry added.
QID map entry modified.
Reference data created.
Reference data updated.
Security profile added.
Security profile modified.
Sensor device added.
Sensor device modified.
Add a custom event property.
Edit a custom event property.
Delete a custom event property.
Edit a custom flow property.
Delete a custom flow property.
Custom Property Expressions--
Add a custom event property expression.
Edit a custom event property expression.
Delete a custom event property expression.
Add a custom flow property expression.
Edit a custom flow property expression.
Delete a custom flow property expression.
Add a flow source.
Edit a flow source.
Delete a flow source.
Add a group.
Delete a group.
Edit a group.
Add a historical correlation profile.
Delete a historical correlation profile.
Modify a historical correlation profile.
Enable a historical correlation profile.
Disable a historical correlation profile.
Historical correlation profile is running.
Historical correlation profile is canceled.
Add a license key.
Delete a license key.
Delete license pool allocation.
Update license pool allocation.
Log Source Extension--
Add a log source extension.
Edit the log source extension.
Delete a log source extension.
Upload a log source extension.
Upload a log source extension successfully.
Upload an invalid log source extension.
Download a log source extension.
Report a log source extension.
Modify a log source's association to a device or device type.
Create an offense.
Hide an offense.
Close an offense.
Close all offenses.
Add a destination note.
Add a source note.
Add a network note.
Add an offense note.
Add a reason for closing offenses.
Edit a reason for closing offenses.
Add a protocol configuration.
Delete a protocol configuration.
Edit a protocol configuration.
Add a QID map entry.
Edit a QID map entry.
JSA Vulnerability Manager--
Create a scanner schedule.
Update a scanner schedule.
Delete a scanner schedule.
Start a scanner schedule.
Pause a scanner schedule.
Resume a scanner schedule.
Create a reference set.
Edit a reference set.
Purge elements in a reference set.
Delete a reference set.
Add reference set elements.
Delete reference set elements.
Delete all reference set elements.
Import reference set elements.
Export reference set elements.
Add a template.
Delete a template.
Edit a template.
Generate a report.
Delete a report.
Delete generated content.
View a generated report.
Email a generated report.
Add a bucket.
Delete a bucket.
Edit a bucket.
Enable or disable a bucket.
Log in to JSA as the root user.
Log out of JSA as the root user.
Add a rule.
Delete a rule.
Edit a rule.
Add a scanner.
Delete a scanner.
Edit a scanner.
Add a schedule.
Edit a schedule.
Delete a schedule.
Create an administration session.
Terminate an administration session.
Deny an invalid authentication session.
Expire a session authentication.
Create an authentication session.
Terminate an authentication session.
SIM--Clean a SIM model.
Store and Forward--
Add a Store and Forward schedule.
Edit a Store and Forward schedule.
Delete a Store and Forward schedule.
Add a syslog forwarding.
Delete a syslog forwarding.
Edit a syslog forwarding.
Shut down a system.
Restart a system.
Add an account.
Edit an account.
Delete an account.
Log in to the user interface.
Log out of the user interface.
User Authentication Ariel--
Deny a login attempt.
Add an Ariel property.
Delete an Ariel property.
Edit an Ariel property.
Add an Ariel property extension.
Delete an Ariel property extension.
Edit an Ariel property extension.
Add a role.
Edit a role.
Delete a role.
Discover a new host.
Discover a new operating system.
Discover a new port.
Discover a new vulnerability.