Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Audit Logs

Changes that are made by JSA users are recorded in the audit logs.

All audit logs are stored in plain text and are archived and compressed when the audit log file reaches 200 MB. The current log file is named audit.log. When the file reaches 200 MB, the file is compressed and renamed to audit.1.gz. The file number increments each time that a log file is archived. JSA stores up to 50 archived log files.

Audit log data is also stored in the SIM Audit-2 log source, which can be used for filtering and reporting to track how users interact with JSA. The data retention is determined by your event retention configuration.

Viewing the Audit Log File

Use Secure Shell (SSH) to log in to your JSA system and monitor changes to your system.

You can use Log Activity tab to view normalized audit log events.

The maximum size of any audit message, excluding date, time, and host name, is 1024 characters.

Each entry in the log file displays by using the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

The following table describes the log file format options.

Table 1: Description Of the Parts Of the Log File Format

File format part

Description

date_time

The date and time of the activity in the format: Month Date HH:MM:SS

host name

The host name of the Console where this activity was logged.

user

The name of the user who changed the settings.

IP address

The IP address of the user who changed the settings.

thread ID)

The identifier of the Java thread that logged this activity.

category

The high-level category of this activity.

sub-categor

The low-level category of this activity.

action

The activity that occurred.

payload

The complete record, which might include the user record or event rule, that changed.

  1. Using SSH, log in to JSA as the root user:

  2. User Name: root

  3. Password: password

  4. Go to the following directory:

    /var/log/audit

  5. Open and view the audit log file.

Creating Reports from Audit Log Searches in JSA

To help you track how users interact with JSA, create reports that are based on your search results.

  1. Click Log Activity > Add Filter.

  2. In the Add Filter window, configure the following settings:

    Table 2: Settings to Configure

    Settings to configure

    Value

    Parameter

    Log Source [Indexed]

    Operator

    Equals

    Log Source

    SIM Audit-2

  3. Click Add Filter.

  4. If events are streaming into the Log Activity tab, click Pause.

  5. From the View list, select a time interval.

  6. To save the search, click Save Criteria, provide a name for the search, and then click OK.

  7. To generate a report from your search result, follow these steps:

    1. From the Reports tab, click Actions > Create.

    2. Follow the report wizard.

    3. In the Saved Searches field, type the name of the search that you created for the SIM audit log source.

    4. Click Save Container Details.

    5. Finish the report wizard pages.

Logged Actions

The JSAr audit logs are in the /var/log/audit directory.

The following list describes the categories of actions that are in the audit log file:

  • Administrator Authentication--

    • Log in to the Administration Console.

    • Log out of the Administration Console.

  • Assets--

    • Delete an asset.

    • Delete all assets.

  • Audit Log Access--A search that includes events that have a high-level event category of Audit.

  • Backup and Recovery--

    • Edit the configuration.

    • Initiate the backup.

    • Complete the backup.

    • Fail the backup.

    • Delete the backup.

    • Synchronize the backup.

    • Cancel the backup.

    • Initiate the restore.

    • Upload a backup.

    • Upload an invalid backup.

    • Initiate the restore.

    • Purge the backup.

  • Chart Configuration--Save flow or event chart configuration.

  • Content Management--

    • Content export initiated.

    • Content export complete.

    • Content import initiated.

    • Content import complete.

    • Content update initiated.

    • Content update complete.

    • Content search initiated.

    • Applications added.

    • Applications modified.

    • Custom actions added.

    • Custom actions modified.

    • Ariel property added.

    • Ariel property modified.

    • Ariel property expression added.

    • Ariel property expression modified.

    • CRE rule added.

    • CRE rule modified.

    • Dashboard added.

    • Dashboard modified.

    • Device extension added.

    • Device extension modified.

    • Device extension association modified.

    • Grouping added.

    • Grouping modified.

    • Historical correlation profile added.

    • Historical correlation profile modified.

    • QID map entry added.

    • QID map entry modified.

    • Reference data created.

    • Reference data updated.

    • Security profile added.

    • Security profile modified.

    • Sensor device added.

    • Sensor device modified.

  • Custom Properties--

    • Add a custom event property.

    • Edit a custom event property.

    • Delete a custom event property.

    • Edit a custom flow property.

    • Delete a custom flow property.

  • Custom Property Expressions--

    • Add a custom event property expression.

    • Edit a custom event property expression.

    • Delete a custom event property expression.

    • Add a custom flow property expression.

    • Edit a custom flow property expression.

    • Delete a custom flow property expression.

  • Flow Sources--

    • Add a flow source.

    • Edit a flow source.

    • Delete a flow source.

  • Groups--

    • Add a group.

    • Delete a group.

    • Edit a group.

  • Historical Correlation--

    • Add a historical correlation profile.

    • Delete a historical correlation profile.

    • Modify a historical correlation profile.

    • Enable a historical correlation profile.

    • Disable a historical correlation profile.

    • Historical correlation profile is running.

    • Historical correlation profile is canceled.

  • Licensing--

    • Add a license key.

    • Delete a license key.

    • Delete license pool allocation.

    • Update license pool allocation.

  • Log Source Extension--

    • Add an log source extension.

    • Edit the log source extension.

    • Delete a log source extension.

    • Upload a log source extension.

    • Upload a log source extension successfully.

    • Upload an invalid log source extension.

    • Download a log source extension.

    • Report a log source extension.

    • Modify a log sources association to a device or device type.

  • Offenses--

    • Create an offense.

    • Hide an offense.

    • Close an offense.

    • Close all offenses.

    • Add a destination note.

    • Add a source note.

    • Add a network note.

    • Add an offense note.

    • Add a reason for closing offenses.

    • Edit a reason for closing offenses.

  • Protocol Configuration--

    • Add a protocol configuration.

    • Delete a protocol configuration.

    • Edit a protocol configuration.

  • QIDmap--

    • Add a QID map entry.

    • Edit a QID map entry.

  • JSA Vulnerability Manager --

    • Create a scanner schedule.

    • Update a scanner schedule.

    • Delete a scanner schedule.

    • Start a scanner schedule.

    • Pause a scanner schedule.

    • Resume a scanner schedule.

  • Reference Sets--

    • Create a reference set.

    • Edit a reference set.

    • Purge elements in a reference set.

    • Delete a reference set.

    • Add reference set elements.

    • Delete reference set elements.

    • Delete all reference set elements.

    • Import reference set elements.

    • Export reference set elements.

  • Reports--

    • Add a template.

    • Delete a template.

    • Edit a template.

    • Generate a report.

    • Delete a report.

    • Delete generated content.

    • View a generated report.

    • Email a generated report.

  • Retention Buckets--

    • Add a bucket.

    • Delete a bucket.

    • Edit a bucket.

    • Enable or disable a bucket.

  • Root Login--

    • Log in to JSA, as root user.

    • Log out of JSA, as root user.

  • Rules--

    • Add a rule.

    • Delete a rule.

    • Edit a rule.

  • Scanner--

    • Add a scanner.

    • Delete a scanner.

    • Edit a scanner.

  • Scanner Schedule--

    • Add a schedule.

    • Edit a schedule.

    • Delete a schedule.

  • Session Authentication--

    • Create an administration session.

    • Terminate an administration session.

    • Deny an invalid authentication session.

    • Expire a session authentication.

    • Create an authentication session.

    • Terminate an authentication session.

  • SIM--Clean a SIM model.

  • Store and Forward--

    • Add a Store and Forward schedule.

    • Edit a Store and Forward schedule.

    • Delete a Store and Forward schedule.

  • Syslog Forwarding--

    • Add a syslog forwarding.

    • Delete a syslog forwarding.

    • Edit a syslog forwarding.

  • System Management--

    • Shut down a system.

    • Restart a system.

  • User Accounts--

    • Add an account.

    • Edit an account.

    • Delete an account.

  • User Authentication--

    • Log in to the user interface.

    • Log out of the user interface.

  • User Authentication Ariel --

    • Deny a login attempt.

    • Add an Ariel property.

    • Delete an Ariel property.

    • Edit an Ariel property.

    • Add an Ariel property extension.

    • Delete an Ariel property extension.

    • Edit an Ariel property extension.

  • User Roles--

    • Add a role.

    • Edit a role.

    • Delete a role.

  • VIS--

    • Discover a new host.

    • Discover a new operating system.

    • Discover a new port.

    • Discover a new vulnerability.