Security Configuration: Log Settings
Tags: Version 11.5
A log is a chronological record of system activities that enables the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security‐relevant transaction.
Global Audit Logging provides NetWitness Platform Auditors with consolidated, real-time visibility into user activities within NetWitness Platform from one centralized location. NetWitness Platform audit logs are collected in a centralized system that converts them into the required format and forwards them to an external syslog system. The external syslog system can be a third-party syslog server or a Log Decoder. For more information, see "Global Audit Logging Overview" in the System Configuration Guide.
Log Description
The following table shows the security‐relevant logs provided by RSA NetWitness Platform.
- Component: Appliance and Service Logs
- Reference: See the "Services Explore View" and "Services Logs View" in the Host and Services Configuration Guides and "Configure Log File Settings" in the System Configuration Guide.
- Component: Audit Logs
- Reference: See "Configure Global Audit Logging" in System Configuration Guide.
- Component: Syslogs
- Reference: See "Configure Syslog and SNMP Settings" in the System Configuration Guide.
Log Management and Retrieval
For more information on:
- Log settings, see "Configure Log File Settings" in the System Configuration Guide.
Note: RSA recommends that you set the maximum log file size in accordance with your corporate policy.
- Log forwarding, see "Set Syslog Forwarding" in the Host and Services Configuration Guide.
- Setting log overrides:
You can override the default logging level for specific modules, for example to capture messages that a module would not emit at the default level.
Syntax: module=level (for example, SDK-Language=none)
Where level is one or more of none|debug|info|warning|failure|audit|all, with multiple options separated by a pipe (|). The options none and all are mutually exclusive with each other and with every other option, so neither can be combined with anything else.
Overrides are useful for query auditing (the modules whose names begin with SDK-) or for debugging a single module (for example, Index). The following log modules are available:
- Data
- Engine
- Index
- Network
- Packet
- Parse
- Decoder
- Rules
- Concentrator
- Appliance
- SDK
- SDK-Query
- SDK-Values
- SDK-Language
- SDK-Info
- SDK-Session
- SDK-Timeline
- SDK-Content
- SDK-Search
Note: RSA recommends that you restrict permissions to the log files folder to the appropriate user.
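The following validator is an added example and is not NetWitness code. It parses override strings of the form module=level|level against the rules above (module names from the list on this page, level tokens from none|debug|info|warning|failure|audit|all, pipe separation, and the rule that none and all cannot be combined with anything), expands all/none to the concrete levels they enable, and flags the caveat a practitioner would want checked before deploying overrides: an SDK- module whose override leaves out audit stops recording queries for that module. It assumes overrides are handed in as a list of one-per-module strings and that module names match case-sensitively; both are assumptions, not documented behaviour.

```python
"""Validator for NetWitness-style log-level override strings.

Added example, not NetWitness code. Assumptions: overrides arrive as a
list of "module=level" strings, one per module, and module names are
matched case-sensitively against the list on the page.
"""
from __future__ import annotations

# Log modules listed on the page (ASCII hyphens).
MODULES = frozenset({
    "Data", "Engine", "Index", "Network", "Packet", "Parse", "Decoder",
    "Rules", "Concentrator", "Appliance", "SDK", "SDK-Query", "SDK-Values",
    "SDK-Language", "SDK-Info", "SDK-Session", "SDK-Timeline",
    "SDK-Content", "SDK-Search",
})
LEVELS = frozenset({"none", "debug", "info", "warning", "failure", "audit", "all"})
REAL_LEVELS = LEVELS - {"none", "all"}   # what "all" expands to
EXCLUSIVE = frozenset({"none", "all"})   # may not be combined with any other token


class OverrideError(ValueError):
    """Raised for an override string that violates the documented syntax."""


def parse_override(text: str) -> tuple[str, frozenset[str]]:
    """Parse one "module=level|level" string into (module, set of level tokens)."""
    if text.count("=") != 1:
        raise OverrideError(f"expected exactly one '=' in {text!r}")
    module, level_spec = (part.strip() for part in text.split("="))
    if module not in MODULES:
        raise OverrideError(f"unknown log module {module!r}")
    tokens = [tok.strip().lower() for tok in level_spec.split("|")]
    if any(tok == "" for tok in tokens):
        raise OverrideError(f"empty level token in {text!r} (levels are pipe-separated)")
    unknown = sorted(set(tokens) - LEVELS)
    if unknown:
        raise OverrideError(f"unknown level(s) {unknown} in {text!r}")
    chosen = frozenset(tokens)
    # none and all are exclusive: each rules out every other token, including each other.
    if chosen & EXCLUSIVE and len(chosen) > 1:
        raise OverrideError(f"'none'/'all' cannot be combined with other levels: {text!r}")
    return module, chosen


def is_valid_override(text: str) -> bool:
    """True when the string passes parse_override, False otherwise."""
    try:
        parse_override(text)
    except OverrideError:
        return False
    return True


def effective_levels(levels: frozenset[str]) -> frozenset[str]:
    """Expand a parsed token set to the concrete message levels it enables."""
    if "none" in levels:
        return frozenset()
    if "all" in levels:
        return REAL_LEVELS
    return levels


def parse_overrides(lines: list[str]) -> dict[str, frozenset[str]]:
    """Parse many overrides; a module listed twice is rejected instead of silently last-wins."""
    result: dict[str, frozenset[str]] = {}
    for line in lines:
        module, levels = parse_override(line)
        if module in result:
            raise OverrideError(f"module {module!r} overridden more than once")
        result[module] = effective_levels(levels)
    return result


def sdk_modules_without_audit(overrides: dict[str, frozenset[str]]) -> list[str]:
    """Query-auditing check: SDK modules whose effective levels no longer include audit.

    SDK- overrides are how query auditing is tuned, so an override that drops
    'audit' (for example SDK-Query=debug) silently stops recording queries for
    that module. Returns the offending module names, sorted.
    """
    return sorted(m for m, lv in overrides.items()
                  if (m == "SDK" or m.startswith("SDK-")) and "audit" not in lv)


if __name__ == "__main__":
    # Constructed sample overrides, not taken from a real appliance.
    sample = ["SDK-Language=none", "Index=debug|info",
              "SDK-Query=audit|failure", "SDK-Values=debug"]
    parsed = parse_overrides(sample)
    for module, levels in parsed.items():
        print(f"{module:14s} -> {sorted(levels) or '(silenced)'}")
    print("SDK modules that no longer audit:", sdk_modules_without_audit(parsed))
```

Running the sample shows the page's own example, SDK-Language=none, being reported by the audit check: that is intended, since silencing an SDK- module is exactly the case where query auditing is lost without any error from the syntax itself.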