Local Audit Log Locations
NetWitness has global audit logging capabilities. When you configure global audit logging, audit logs from all NetWitness components collect in a centralized system, which converts them into the required format and forwards them to a third-party syslog server or a Log Decoder.
To view audit logs from the individual services, you can look at the local audit log locations. The following table shows the local directory paths of the audit logs for the NetWitness user interface and the various NetWitness services.
- Service/Module: NetWitness User Interface (NetWitness Web Server)
- Audit Log Location:
The NetWitness user interface sends audit logs to the following locations:
- /var/lib/netwitness/uax/logs/audit/audit.log (human-readable format)
- Syslog running on the local host (JSON format)
The NetWitness user interface uses the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (/var/lib/netwitness/uax/logs/audit/audit.log).
- Service/Module: Core Services (Decoder, Log Decoder, Concentrator, Broker, and Archiver), Log Collector, Warehouse Connector, and Workbench
- Audit Log Location:
The Core services and similar services send audit logs to Syslog running on the local host.
Path: /var/log/secure (JSON format)
The Core services use the AUTHPRIV facility of syslog to write audit logs to syslog.
- Service/Module: Reporting Engine, Malware Analysis, Respond, ESA Correlation (11.3 and later), and Event Stream Analysis (11.2 and earlier)
- Audit Log Location:
These services send audit logs to the following locations:
- /logs/audit/audit.log (human-readable format)
- Syslog running on the local host (JSON format)
The following are the audit log locations of these services:
Reporting Engine:
/var/netwitness/re-server/rsa/soc/reporting-engine/logs/audit/audit.log
Respond Server:
/var/log/netwitness/respond-server/respond-server.audit.log
Malware Analysis:
/var/lib/netwitness/malware-analytics-server/spectrum/logs/audit/audit.log
ESA Correlation (11.3 and later):
/var/log/netwitness/correlation-server/correlation-server.audit.log
Event Stream Analysis (11.2 and earlier):
/opt/rsa/esa/logs/audit/audit.log
These services use the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (/logs/audit/audit.log).
- Service/Module: Health & Wellness, Event Source Management (ESM), and Appliance and Service Grouping (ASG)
- Audit Log Location:
These services send audit logs to the following locations:
- /opt/rsa/sms/logs/audit/audit.log (human-readable format)
- Syslog running on the local host (JSON format)
These services use the AUTH facility of syslog to write audit logs to syslog. You can only see audit logs in the first location (/opt/rsa/sms/logs/audit/audit.log).
- Service/Module: Aggregated Audit Logs
- Audit Log Location:
The aggregated audit logs from all the services are sent to the following locations:
- /var/netwitness/logstash/logs/rsa-netwitness-audit.log (JSON format)
- Syslog running on the local host (human-readable format)
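The Core services row above places JSON audit records in /var/log/secure, a file that also receives AUTHPRIV messages from other programs on the host. The following added example (not part of the NetWitness documentation) separates the JSON records from the surrounding lines. It assumes each record is a JSON object embedded in the message part of a syslog line; the sample lines, the `nw` program tag and the JSON keys are constructed for illustration.

```python
import json
import sys

# Constructed sample lines in the style of /var/log/secure. The "nw" program
# tag and the JSON keys are hypothetical, not the real NetWitness schema.
SAMPLE_LINES = [
    'Mar  3 10:15:01 nw-host sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2',
    'Mar  3 10:15:07 nw-host nw[1843]: {"user": "admin", "action": "login", "outcome": "success"}',
    'Mar  3 10:15:09 nw-host sudo: admin : TTY=pts/0 ; PWD=/root ; COMMAND={unparsed}',
    'Mar  3 10:16:30 nw-host nw[1843]: {"user": "analyst1", "action": "query", "params": {"limit": 100}}',
]

_decoder = json.JSONDecoder()


def extract_json_record(line):
    """Return the first JSON object embedded in a syslog line, or None."""
    pos = line.find("{")
    while pos != -1:
        try:
            # raw_decode parses one JSON value starting at pos and ignores
            # whatever follows it on the line.
            obj, _end = _decoder.raw_decode(line, pos)
        except json.JSONDecodeError:
            obj = None  # a brace that does not start valid JSON
        if isinstance(obj, dict):
            return obj
        pos = line.find("{", pos + 1)
    return None


def audit_records(lines):
    """Yield (line_number, record) for every line carrying a JSON object."""
    for number, line in enumerate(lines, start=1):
        record = extract_json_record(line.rstrip("\n"))
        if record is not None:
            yield number, record


if __name__ == "__main__":
    # With a path argument (for example /var/log/secure) read that file;
    # without one, run over the constructed sample lines.
    if len(sys.argv) > 1:
        source = open(sys.argv[1], encoding="utf-8", errors="replace")
    else:
        source = SAMPLE_LINES
    for number, record in audit_records(source):
        print(number, json.dumps(record, sort_keys=True))
```
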