Auditing the system
Users with sufficient privileges can modify the system configuration in ways which could affect it or the customer environment. The audit feature enables you to track changes to the system configuration. All user-initiated events that modify the state or the behavior of the system are logged.
To use the audit feature, you must be logged in as a system user (a member of the system group). If you are not a member of this group, the following message is displayed:
You do not have permission to run audit reports.
Reporting on audit events
You can configure the actions that will occur when the system's status changes. To do this:
From the main menu, click the Administration icon. The Administration page opens. In the Security section, click Audit.
To search for events, enter search criteria in all or some of the following fields:
- From—The start date and time of the search. The default for this field is 24 hours before the page was loaded.
- To—The end date and time of the search. By default, the To fields show the placeholder text Day Month Year hh mm, which means that the logs are searched up to the current time.
- User ID—A filter to search only for events logged for a particular user, for example, the reporter user.
- Event group—A drop-down filter to search only for events belonging to a particular event group or category. The event group provides a means for viewing related event types. See event groups for a list of event groups.
When you have entered the search criteria, click Run to start the search. The page is refreshed to show a results table below the search panel.
You can only search the logs through the user interface (UI) using the fields in the Search audit records page. However, if you export the Results List by clicking Export as CSV, you can use a spreadsheet or text editor to perform detailed searches on the data. For example, you can search for events on a specific host.
Click Export as CSV and choose a location to save the file.
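The UI only filters by user, event group and time window; a host search has to be done on the exported CSV. The following is an added example (not part of the product or this page) that loads such an export and applies the UI filters plus a host match against the Additional Details values. The column names and the sample rows are assumptions constructed for the example, since the page does not document the export layout; the event-group names are the ones listed on this page.

```python
"""Search an exported audit CSV offline.

Added example. The export column names below (Time, Event type, Event group,
User ID, Full name, Groups, Summary, Details) and the sample rows are
constructed assumptions; the real export layout is not documented here.
"""
import csv
import io
from datetime import datetime

# Event groups named on the page; used to validate a group filter.
EVENT_GROUPS = {
    "Appliance Config", "Audit Log", "Datastore Edit", "Discovery Config",
    "Discovery Ruleset", "ECA Reasoning", "Windows proxy", "UI Access",
}

# Constructed sample export: fictitious users, hosts and addresses.
SAMPLE_CSV = """\
Time,Event type,Event group,User ID,Full name,Groups,Summary,Details
2024-03-01 09:15:02,Login,UI Access,reporter,Report User,readonly,User logged in,IP address=10.0.0.5
2024-03-01 09:20:44,Ping proxy,Windows proxy,system,System Admin,system,Windows proxy pinged,IP address=10.0.0.9;Windows proxy name=winproxy01;Windows proxy type=Workgroup
2024-03-01 10:02:10,Edit,Datastore Edit,system,System Admin,system,Node updated,Host=winproxy01
2024-03-02 08:00:00,Purge,Audit Log,system,System Admin,system,Audit log purged,Purge until=2024-02-01
"""


def load_events(text):
    """Parse CSV text into a list of dicts. Time becomes a datetime and the
    semicolon-separated Details column becomes a key/value dict."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Time"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        details = {}
        for pair in row.get("Details", "").split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                details[key.strip()] = value.strip()
        row["Details"] = details
        events.append(row)
    return events


def search(events, host=None, user_id=None, group=None, start=None, end=None):
    """Apply the UI filters (user, event group, time window) plus a host
    match the UI cannot do: any Additional Details value equal to `host`."""
    if group is not None and group not in EVENT_GROUPS:
        raise ValueError(f"unknown event group: {group}")
    hits = []
    for ev in events:
        if user_id and ev["User ID"] != user_id:
            continue
        if group and ev["Event group"] != group:
            continue
        if start and ev["Time"] < start:
            continue
        if end and ev["Time"] > end:
            continue
        if host and host not in ev["Details"].values():
            continue
        hits.append(ev)
    return hits


def events_for_host(text, host):
    """Summaries of every event whose details mention `host`."""
    return [ev["Summary"] for ev in search(load_events(text), host=host)]


if __name__ == "__main__":
    for summary in events_for_host(SAMPLE_CSV, "winproxy01"):
        print(summary)
```

Because the host appears under different detail keys depending on the event type (IP address, Windows proxy name, Host), the match is made against all detail values rather than a single column; extend `load_events` if your export splits the details into separate columns.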
Each item in the result row is a hyperlink to the detailed record of the event.
The record data is divided into two sections: the standard details that are recorded for every event, and the Additional Details that vary by event type.
The standard details recorded for every event are:
- The type of event.
- The event group to which this event belongs. The purpose of the event group is to provide a filter for viewing related event types.
- The user ID of the user who initiated the event.
- The full name of the user who initiated the event.
- The names of the groups to which the user who initiated the event belongs.
- When the event was logged.
- A summary description of the event.
The details shown in the Additional Details section vary from event to event. For example, the following information is provided for a Windows proxy that has been pinged:
- IP address
- Windows proxy name
- Windows proxy type
When logging in to the user interface over an IPv6 connection, the client might use a temporary IPv6 address. It is this temporary IP address that is reported in the appliance audit log. Where temporary addresses are shown, tracing the particular computer from which the login came is difficult. To avoid this, you can disable temporary IPv6 addresses on client computers.
Audited events are collected into the following groups:
- Appliance Config
- Audit Log
- Datastore Edit
- Discovery Config
- Discovery Ruleset
- ECA Reasoning
- Windows proxy
- UI Access
The events that belong to these groups are shown on the Audit page in the user interface.
Purging the audit log
You can purge the audit log of all events that are over one month old. Events less than one month old cannot be deleted. You can purge events using the Audit Purge page. To access the Audit Purge page, from the Audit section of the Administration tab, select Purge.
On the Audit Purge page, the log name, the number of events, and the date and time of the oldest record are displayed. A drop-down list enables you to select the purge until date. The following options are available:
- 1 month ago
- 3 months ago
- 6 months ago
- 12 months ago
- 24 months ago
This ensures that there is a minimum retention period of one month. Click Purge to purge the archive up to the Purge until date selected. When you click Purge, the operation commences immediately. You can navigate away from the page and continue with other tasks.
Purging archive information is also an auditable event. Therefore, after a purge, the newest event is a record of that purge.
There is no automatic purge of the audit information. When the audit information on the appliance becomes very large, you can use the appliance backup feature to create an archive.
A typical number of auditable events is approximately 1,000 per day. This equates to approximately 90,000 events in three months.
When deleting events, you can typically remove 500 events per second. Deleting 60,000 or more events causes the browser to time out; however, the purge continues on the appliance.
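Before running a purge it is useful to know how many events a given "purge until" option would remove, whether that count is large enough to time out the browser, and roughly how long the appliance will be busy. The following added example (not part of the product or this page) models that using only the figures stated above: the five purge options, the one-month minimum retention, 500 deletions per second and the 60,000-event browser timeout threshold. The event timestamps are constructed at the page's typical rate of 1,000 events per day; the month arithmetic and the helper names are the example's own.

```python
"""Plan an audit-log purge from the figures given on the page.

Added example. The appliance performs the purge itself; this only predicts
which events a 'purge until' option removes and how long that takes.
Event timestamps are constructed, not taken from a real appliance.
"""
import calendar
from datetime import datetime, timedelta

# "Purge until" options offered on the Audit Purge page, in months.
PURGE_OPTIONS = (1, 3, 6, 12, 24)
MIN_RETENTION_MONTHS = 1          # events younger than this cannot be deleted
DELETE_RATE_PER_SECOND = 500      # typical deletion throughput from the page
BROWSER_TIMEOUT_EVENTS = 60_000   # from this count the browser times out


def months_ago(now, months):
    """Calendar-month subtraction without dateutil. The day is clamped, so
    31 March minus one month is the last day of February."""
    year, month = now.year, now.month - months
    while month <= 0:
        month += 12
        year -= 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)


def sample_event_times(now, days, per_day):
    """Constructed timestamps: `per_day` evenly spaced events per day for
    `days` days, newest first at `now`. Exact integer microseconds avoid
    float rounding at the cutoff boundary."""
    step_us = 86_400_000_000 // per_day
    return [now - timedelta(microseconds=i * step_us)
            for i in range(days * per_day)]


def plan_purge(event_times, months, now):
    """Describe the effect of one 'purge until' option on the given events."""
    if months not in PURGE_OPTIONS:
        raise ValueError(f"purge option must be one of {PURGE_OPTIONS}")
    if months < MIN_RETENTION_MONTHS:
        raise ValueError("minimum retention is one month")
    cutoff = months_ago(now, months)
    purged = sum(1 for t in event_times if t < cutoff)
    return {
        "cutoff": cutoff,
        "purged": purged,
        "retained": len(event_times) - purged,
        "estimated_seconds": purged / DELETE_RATE_PER_SECOND,
        "browser_may_time_out": purged >= BROWSER_TIMEOUT_EVENTS,
    }


def apply_purge(event_times, months, now):
    """Return the log after the purge: events at or after the cutoff, plus
    the purge itself logged as the newest event (as the page states)."""
    cutoff = plan_purge(event_times, months, now)["cutoff"]
    kept = sorted(t for t in event_times if t >= cutoff)
    kept.append(now)
    return kept


if __name__ == "__main__":
    now = datetime(2024, 5, 31, 12, 0, 0)
    times = sample_event_times(now, days=120, per_day=1000)
    for months in PURGE_OPTIONS:
        p = plan_purge(times, months, now)
        print(f"{months:>2} months ago: cutoff {p['cutoff']:%Y-%m-%d}, "
              f"purge {p['purged']} events in ~{p['estimated_seconds']:.0f}s, "
              f"browser timeout likely: {p['browser_may_time_out']}")
```

With 120 days of history at 1,000 events per day, the 1-month option removes roughly 89,000 events, which is above the 60,000 threshold, so expect the browser to time out while the purge completes on the appliance; the 3-month option stays under the threshold.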