
Security Configuration: Log Settings

Tags: Version 11.4

A log is a chronological record of system activities that enables the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security‐relevant transaction.

Global Audit Logging provides NetWitness Platform Auditors with consolidated, real-time visibility into user activities within NetWitness Platform from one centralized location. NetWitness Platform audit logs are collected in a centralized system that converts them into the required format and forwards them to an external syslog system. The external syslog system can be a third-party syslog server or a Log Decoder. For more information, see the "Global Audit Logging Overview" topic in the System Configuration Guide.

Log Description

The following table lists the security-relevant logs provided by RSA NetWitness Platform.

Component                    Reference
Appliance and Service Logs   See the "Services Explore View" and "Services Logs View" topics in the Host and Services Configuration Guides and the "Configure Log File Settings" topic in the System Configuration Guide.
Audit Logs                   See the "Configure Global Audit Logging" topic in the System Configuration Guide.
Syslogs                      See the "Configure Syslog and SNMP Settings" topic in the System Configuration Guide.

Log Management and Retrieval

For more information on:

  • Log settings, see "Configure Log File Settings" topic in the System Configuration Guide.

    Note: RSA recommends that you set the maximum log file size in accordance with your corporate policy.

  • Log forwarding, see "Set Syslog Forwarding" topic in the Host and Services Configuration Guides.
  • Setting log overrides:

    You may override the default logging level of a module if you want to include (or suppress) the messages that specific module generates.

    Syntax: module=level

    Example: SDK-Language=none

    Where module is one of the modules listed below and level is one or more of none|debug|info|warning|failure|audit|all. When you give more than one level, separate them with a pipe (|).

    none and all are mutually exclusive with each other and with every other option: neither may be combined with any other level.

    Overrides are useful for query auditing (the modules whose names begin with SDK-) and for debugging a single module (for example, Index). The modules whose level can be overridden are:

    • Data
    • Engine
    • Index
    • Network
    • Packet
    • Parse
    • Decoder
    • Rules
    • Concentrator
    • Appliance
    • SDK
    • SDK-Query
    • SDK-Values
    • SDK-Language
    • SDK-Info
    • SDK-Session
    • SDK-Timeline
    • SDK-Content
    • SDK-Search
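
A mistyped override is easy to push to a service unnoticed, so the rules above are worth checking before deployment. The following is an added example and not NetWitness code: it validates a block of module=level lines against the module and level names given on this page (unknown module, unknown level, empty level between pipes, none or all combined with anything else, duplicate module) and then answers, for a given module and message level, whether a message would be written under the parsed overrides. The one-override-per-line text format, the use of # for comments, and the filter semantics in is_emitted() are assumptions made for illustration; the sample block is constructed and is not a real configuration.

```python
"""Checker for NetWitness-style log override lines (module=level[|level...]).

Added example, not NetWitness code. Module and level names come from the
page; the line format (one override per line, '#' starting a comment) and
the message-filter semantics in is_emitted() are assumptions made for
illustration.
"""
import re

MODULES = frozenset({
    "Data", "Engine", "Index", "Network", "Packet", "Parse", "Decoder",
    "Rules", "Concentrator", "Appliance", "SDK", "SDK-Query", "SDK-Values",
    "SDK-Language", "SDK-Info", "SDK-Session", "SDK-Timeline",
    "SDK-Content", "SDK-Search",
})
LEVELS = frozenset({"none", "debug", "info", "warning", "failure", "audit", "all"})
EXCLUSIVE = frozenset({"none", "all"})  # cannot be combined with any other level

# module=level|level ... ; whitespace around '=' is tolerated, nothing else is
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*=\s*([A-Za-z|]*)$")


def parse_override(line):
    """Parse one override line into (module, frozenset(levels)).

    Raises ValueError with a precise reason for any rule on the page that
    the line violates.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed override, expected module=level: {line!r}")
    module, level_text = m.group(1), m.group(2)
    if module not in MODULES:
        raise ValueError(f"unknown module {module!r}")
    levels = level_text.split("|")
    if "" in levels:
        raise ValueError(f"empty level in {level_text!r}; separate levels with a single '|'")
    unknown = sorted(set(levels) - LEVELS)
    if unknown:
        raise ValueError(f"unknown level(s) {unknown} for {module}")
    level_set = frozenset(levels)
    if level_set & EXCLUSIVE and len(level_set) > 1:
        raise ValueError(
            f"{sorted(level_set & EXCLUSIVE)} is exclusive and cannot be combined in {line.strip()!r}")
    return module, level_set


def parse_overrides(text):
    """Parse a block of override lines.

    Returns (overrides, errors): overrides maps module -> level set for every
    valid line; errors lists 'line N: reason' strings for the rest, so a whole
    file can be checked in one pass before it is pushed to a service.
    """
    overrides, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        try:
            module, levels = parse_override(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if module in overrides:
            errors.append(f"line {lineno}: duplicate override for {module}")
            continue
        overrides[module] = levels
    return overrides, errors


def is_emitted(overrides, module, level):
    """Assumed filter semantics for an overridden module.

    'none' suppresses every message, 'all' admits every message, otherwise a
    message is written only when its level is in the override set. Returns
    None for modules without an override (the service default applies, which
    this example does not model).
    """
    levels = overrides.get(module)
    if levels is None:
        return None
    if "none" in levels:
        return False
    if "all" in levels:
        return True
    return level in levels


# Constructed sample, not a real NetWitness configuration.
SAMPLE = """\
SDK-Query=audit|failure             # audit every query, keep failures
SDK-Language=none                   # the page's own example: silence the module
Index=debug|info|warning|failure    # verbose while debugging the index
Index=all|debug                     # invalid: 'all' is exclusive
Foo=debug                           # invalid: not a module on the page
SDK-Session=audit||failure          # invalid: empty level between pipes
SDK-Values                          # invalid: no '=level'
"""

if __name__ == "__main__":
    parsed, problems = parse_overrides(SAMPLE)
    for mod, lv in sorted(parsed.items()):
        print(f"{mod}={'|'.join(sorted(lv))}")
    for problem in problems:
        print("ERROR", problem)
```

Run as a script, it prints the three accepted overrides and one ERROR line for each of the four invalid lines, with the line number and the rule that was broken. The duplicate check runs only after a line has passed the syntax rules, so a second, invalid line for an already-overridden module is reported for the syntax problem rather than as a duplicate.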

Note: RSA recommends that you restrict permissions to the log files folder to the appropriate user.
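
A quick way to verify that recommendation on a host is to audit the log folder's ownership and mode. The following is an added example and not NetWitness code: it reports every entry in a directory that is not owned by the expected account, that grants more than a chosen maximum mode (owner rwx, group rx, no world access by default), or that is a symbolic link. The demonstration builds a constructed folder with one correctly restricted file and one world-writable file under a temporary directory; on a real host you would point it at the service's log folder (its location is not stated on this page) and at the account that runs the service.

```python
"""Audit a log directory's ownership and permissions.

Added example, not NetWitness code. The demo builds its own constructed
folder in a temporary directory; the log folder path and service account
on a real host are not stated on the page and must be supplied.
"""
import os
import stat
import tempfile


def audit_log_dir(path, expected_uid, max_mode=0o750):
    """Return a list of findings for `path` and its direct children.

    An entry is reported when it is not owned by expected_uid, when its mode
    grants any bit beyond max_mode (default 0750: owner rwx, group rx, no
    access for others), or when it is a symbolic link (a link inside a log
    folder can redirect writes elsewhere).
    """
    findings = []
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for p in entries:
        st = os.lstat(p)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}, expected {expected_uid}")
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{p}: symbolic link inside log directory")
            continue
        extra = mode & ~max_mode
        if extra:
            findings.append(f"{p}: mode {mode:04o} grants {extra:04o} beyond {max_mode:04o}")
    return findings


def demo():
    """Constructed sample: one correctly restricted file, one world-writable file."""
    base = tempfile.mkdtemp(prefix="nw-logs-")
    os.chmod(base, 0o750)
    for name, mode in (("service.log", 0o640), ("debug.log", 0o666)):
        p = os.path.join(base, name)
        with open(p, "w") as fh:
            fh.write("constructed sample line\n")
        os.chmod(p, mode)
    return audit_log_dir(base, os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Only debug.log is reported in the demo, because 0666 grants write access to group and others beyond the 0750 ceiling; the directory itself and service.log (0640) pass. Tighten max_mode to 0700 if the service account is the only reader, or loosen it deliberately and record why.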
