
Recommendations for audit logging in a NetWitness environment

Tasks

Many users wish to collect audit logs from their Security Analytics environment in order to monitor the activity of their analysts and administrators.

In Security Analytics 10.5, the ability to perform global audit logging was introduced, which allows audit logs to be collected for the following user activities:
  • User login success
  • User login failure
  • User logouts
  • Maximum login failures exceeded
  • All UI pages accessed
  • Committed configuration changes (including when a user changes their own password)
  • Queries performed by the user
  • User access denied
  • Data export operations

It is recommended that all customers who wish to perform audit logging upgrade to Security Analytics 10.5 to utilize this feature, which is fully supported by RSA. More information on global audit logging can be found in the Security Analytics 10.5 User Guide.

Notes

As an alternative method for Security Analytics versions 10.3.x and 10.4.x, a custom Security Analytics Log Parser has been published on the EMC Community Network (ECN) that will parse the audit logs for the environment so that they can be used in reports, investigations, and ESA alerts.

As the content was written by a community member, it is officially unsupported by RSA. However, it has received a lot of positive feedback from both RSA employees and customers. The current version of the log parser at the time of writing is 2.1.63, and it was tested on Security Analytics versions 10.3.5 and 10.4.0.2.

Internal Comments

Jeff Shurtliff -- 7/6/2015
This article was written to be internal, but the information can be shared with customers as needed.

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 11.x, 12.x or later
Platform: CentOS/Alma Linux

Summary

This article covers the recommendations for collecting and monitoring audit logs from the Security Analytics environment.
