Posted 05-Aug-2020

Page 1: Auditing the System - Cisco

Chapter 69

Auditing the System

You can audit activity on your system in two ways. The appliances that are part of the FireSIGHT System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log.

The following sections provide more information about the monitoring features that the system provides:

• Managing Audit Records, page 69-1 describes how to view and manage system audit information.

• Viewing the System Log, page 69-10 describes how to view the system log, which contains system status messages.

Tip: Defense Centers and managed devices with Protection licenses also provide full reporting features that allow you to generate reports for almost any type of data accessible in an event view, including auditing data. For more information, see Working with Reports, page 57-1.

Managing Audit Records

License: Any

Defense Centers and managed devices log read-only auditing information for user activity. Audit logs are presented in a standard event view that allows you to view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and can view detailed reports of the changes that users make.

The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.

Note: If you reboot a Series 3 appliance and then log into the CLI as soon as you are able, any commands you execute are not recorded in the audit log until the web interface is available.

For more information, see the following sections:

• Viewing Audit Records, page 69-2

• Suppressing Audit Records, page 69-4

• Understanding the Audit Log Table, page 69-7

• Using the Audit Log to Examine Changes, page 69-7

• Searching Audit Records, page 69-8

69-1 FireSIGHT System User Guide


Viewing Audit Records

License: Any

You can use the appliance to view a table of audit records. Then, you can manipulate the view depending on the information you are looking for. The predefined audit workflow includes a single table view of events. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows, page 58-39.

The following table describes some of the specific actions you can perform on an audit log workflow page.

Table 69-1 Audit Log Actions

• To learn more about the contents of the columns in the table: find more information in Understanding the Audit Log Table, page 69-7.

• To modify the time range used when viewing audit records: find more information at Setting Event Time Constraints, page 58-23. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.

• To sort and constrain events on the current workflow page: find more information in Sorting Table View Pages and Changing Their Layout, page 58-34.

• To navigate within the current workflow page: find more information in Navigating to Other Pages in the Workflow, page 58-35.

• To navigate between pages in the current workflow, keeping the current constraints: click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages, page 58-18.

• To drill down to the next page in the workflow: use one of the following methods:

  • To drill down to the next workflow page constraining on a specific value, click a value within a row. Note that this only works on drill-down pages. Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.

  • To drill down to the next workflow page constraining on some events, select the check boxes next to the events you want to view on the next workflow page, then click View.

  • To drill down to the next workflow page keeping the current constraints, click View All.

  Tip: Table views always include “Table View” in the page name.

  For more information, see Constraining Events, page 58-31.


Table 69-1 Audit Log Actions (continued)

• To constrain on a specific value: click a value within a row. If you click a value on a drill-down page, you move to the next page and constrain on the value. Note that clicking a value within a row in a table view constrains the table view and does not drill down to the next page. Tip: Table views always include “Table View” in the page name. For more information, see Constraining Events, page 58-31.

• To delete audit records: use one of the following methods:

  • To delete some items, select the check boxes next to the events you want to delete, then click Delete.

  • To delete all items in the current constrained view, click Delete All, then confirm that you want to delete all the events.

• To temporarily use a different workflow: click (switch workflow). For more information, see Selecting Workflows, page 58-16.

• To bookmark the current page so you can quickly return to it: click Bookmark This Page. For more information, see Using Bookmarks, page 58-37.

• To navigate to the bookmark management page: click View Bookmarks. For more information, see Using Bookmarks, page 58-37.

• To generate a report based on the data in the current view: click Report Designer. For more information, see Creating a Report Template from an Event View, page 57-9.

• To view a summary of a change recorded in the audit log: click the compare icon next to applicable events in the Message column. For more information, see Using the Audit Log to Examine Changes, page 69-7.

To view audit records:

Access: Admin

Step 1 Select System > Monitoring > Audit.

The first (and only) page of the default audit log workflow appears. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see Configuring Event View Settings, page 71-3. If no events appear, you may need to adjust the time range. For more information, see Setting Event Time Constraints, page 58-23.

Tip: If you are using a custom workflow that does not include the table view of audit events, click (switch workflow), then select Audit Log.

Working with Audit Events

License: Any


You can change the layout of the event view or constrain the events in the view by a field value. To disable a column, click the close icon in the heading of the column that you want to hide, then click Apply in the pop-up window that appears. When you disable a column, it is disabled for the duration of your session (unless you add it back later). Note that when you disable the first column, the Count column is added.

To hide or show other columns, or to add a disabled column back to the view, select or clear the appropriate check boxes before you click Apply.

Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.

Tip: Table views always include “Table View” in the page name.

For more information, see the following topics:

• Constraining Events, page 58-31.

• Using Compound Constraints, page 58-33

• Sorting Drill-Down Workflow Pages, page 58-34

• Understanding the Audit Log Table, page 69-7

Suppressing Audit Records

License: Any

If your auditing policy does not require that you audit specific types of user interactions with the FireSIGHT System, you can prevent those interactions from generating audit records. For example, by default, each time a user views the online help, the FireSIGHT System generates an audit record. If you do not need to keep a record of these interactions, you can automatically suppress them.

To configure audit event suppression, you must have access to an appliance’s admin user account, and you must be able to either access the appliance’s console or open a secure shell.

Caution: Make sure that only authorized personnel have access to the appliance and to its admin account.

To suppress audit records, you must create one or more files in the /etc/sf directory in the following form:

AuditBlock.type

where type is address, message, subsystem, or user.

Note: If you create an AuditBlock.type file for a specific type of audit message, but later decide that you no longer want to suppress them, you must delete the contents of the AuditBlock.type file but leave the file itself on the FireSIGHT System.

The contents for each audit block type must be in a specific format, as described in the following table. Make sure you use the correct capitalization for the file names. Note also that the contents of the files are case sensitive.


Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be suppressed.

The following tables describe the audit block types and list the subsystems that are audited.

Table 69-2 Audit Block Types

• Address: Create a file named AuditBlock.address and include, one per line, each IP address that you want to suppress from the audit log. You can use partial IP addresses provided that they map from the beginning of the address. For example, the partial address 10.1.1 matches addresses from 10.1.1.0 through 10.1.1.255.

• Message: Create a file named AuditBlock.message and include, one per line, the message substrings that you want to suppress. Note that substrings are matched, so if you include backup in your file, all messages that include the word backup are suppressed.

• Subsystem: Create a file named AuditBlock.subsystem and include, one per line, each subsystem that you want to suppress. Note that substrings are not matched; you must use exact strings. See the Subsystem Names table for a list of subsystems that are audited.

• User: Create a file named AuditBlock.user and include, one per line, each user account that you want to suppress. You can use partial string matching provided that the partial string maps from the beginning of the user name. For example, the partial user name IPSAnalyst matches the user names IPSAnalyst1 and IPSAnalyst2.
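Because each AuditBlock type matches differently (partial addresses from the start of the address, message substrings, exact subsystem names, user name prefixes), it is worth checking what a proposed set of files would hide before placing them in /etc/sf. The following Python script is an added example, not Cisco code: the file contents and audit records are constructed, and it assumes that partial addresses match on octet boundaries and that the unsuppressible record has the message form Audit Filter type Changed in the Audit subsystem.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

BLOCK_TYPES = ("address", "message", "subsystem", "user")

# Constructed contents of the /etc/sf/AuditBlock.* files (file name -> file text),
# chosen to exercise each matching rule from Table 69-2.
AUDIT_BLOCK_FILES = {
    "AuditBlock.address": "10.1.1\n",     # partial address: 10.1.1.0 through 10.1.1.255
    "AuditBlock.message": "Page View\n",  # substring: hides every page view
    "AuditBlock.subsystem": "Help\n",     # exact string only
    "AuditBlock.user": "IPSAnalyst\n",    # prefix: IPSAnalyst1, IPSAnalyst2, ...
}

@dataclass(frozen=True)
class AuditRecord:
    user: str
    subsystem: str
    message: str
    source_ip: str

# Constructed audit records in the shape of Table 69-4 (time omitted).
SAMPLE_RECORDS = [
    AuditRecord("admin", "Help", "Page View", "10.1.1.25"),
    AuditRecord("admin", "Admin", "Save", "10.1.10.7"),
    AuditRecord("IPSAnalyst2", "Events", "Page View", "192.0.2.10"),
    AuditRecord("IPSAnalyst1", "Rules", "Save", "192.0.2.11"),
    AuditRecord("jsmith", "Help", "Save", "192.0.2.12"),
    AuditRecord("jsmith", "Help Search", "Save", "192.0.2.12"),
    AuditRecord("admin", "Audit", "Audit Filter user Changed", "10.1.1.25"),
    AuditRecord("jsmith", "Admin", "Backup started", "192.0.2.13"),
]

def load_blocks(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Parse AuditBlock.<type> contents. An empty file (the documented way to stop
    suppressing again) yields no entries; entries stay case sensitive."""
    blocks: Dict[str, List[str]] = {kind: [] for kind in BLOCK_TYPES}
    for name, text in files.items():
        prefix, _, kind = name.partition(".")
        if prefix != "AuditBlock" or kind not in blocks:
            raise ValueError(f"not an AuditBlock file: {name!r}")
        blocks[kind] = [line for line in text.splitlines() if line.strip()]
    return blocks

def address_matches(partial: str, ip: str) -> bool:
    """Partial addresses match from the beginning. Assumed to work on octet
    boundaries: 10.1.1 covers 10.1.1.0 through 10.1.1.255 but not 10.1.10.x."""
    wanted = partial.strip(".").split(".")
    return ip.split(".")[:len(wanted)] == wanted

def is_protected(rec: AuditRecord) -> bool:
    """The record written when an AuditBlock file changes cannot be suppressed.
    Assumed message shape: 'Audit Filter <type> Changed' in the Audit subsystem."""
    return (rec.subsystem == "Audit" and rec.message.startswith("Audit Filter ")
            and rec.message.endswith(" Changed"))

def suppression_reason(rec: AuditRecord, blocks: Dict[str, List[str]]) -> Optional[str]:
    """Return the block type that would drop this record, or None if it is kept."""
    if is_protected(rec):
        return None
    if any(address_matches(p, rec.source_ip) for p in blocks["address"]):
        return "address"
    if any(sub in rec.message for sub in blocks["message"]):   # substring match
        return "message"
    if rec.subsystem in blocks["subsystem"]:                    # exact match only
        return "subsystem"
    if any(rec.user.startswith(p) for p in blocks["user"]):     # prefix match
        return "user"
    return None

def suppression_report(records: List[AuditRecord], blocks: Dict[str, List[str]]) -> dict:
    """Count what each AuditBlock type would hide and list what would survive."""
    counts = {kind: 0 for kind in BLOCK_TYPES}
    retained = []
    for rec in records:
        reason = suppression_reason(rec, blocks)
        if reason is None:
            retained.append(rec)
        else:
            counts[reason] += 1
    return {"suppressed": counts, "retained": retained}

if __name__ == "__main__":
    report = suppression_report(SAMPLE_RECORDS, load_blocks(AUDIT_BLOCK_FILES))
    for kind, count in report["suppressed"].items():
        print(f"hidden by AuditBlock.{kind}: {count}")
    for rec in report["retained"]:
        print("kept:", rec)
```

The report shows that a single address prefix hides every action from that range, including administrative saves, which is the kind of gap to catch before the files are deployed.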

Table 69-3 Subsystem Names (name: includes user interactions with...)

• Admin: Administrative features such as system and access configuration, time synchronization, backup and restore, device management, user account management, and scheduling

• Alerting: Alerting functions such as email, SNMP, and syslog alerting

• Audit Log: Audit event views

• Audit Log Search: Audit event searches

• Command Line: Command line interface

• Configuration: Email alerting

• COOP: Continuity of operations feature

• Date: Date and time range for event views

• Default Subsystem: Options that do not have assigned subsystems

• Detection & Prevention Policy: Menu options for intrusion policies

• Error: System-level errors

• eStreamer: eStreamer configuration

• EULA: Reviewing the end user license agreement

• Events: Intrusion and discovery event views


• Events Clipboard: Intrusion event clipboard

• Events Reviewed: Reviewed intrusion events

• Events Search: Any event search

• Failed to install rule update rule_update_id: Installing rule updates

• Header: Initial presentation of the user interface after a user logs in

• Health: Health monitoring

• Health Events: Health monitoring event views

• Help: Online help

• High Availability: High availability feature

• IDS Impact Flag: Impact flag configuration

• IDS Policy: Intrusion policies

• IDSPolicy > policy_name > Appliance > det_engine_name: Applying intrusion policies

• IDSRule sid:sig_id rev:rev_num: Intrusion rules by SID

• Incidents: Intrusion incidents

• Insert Policy Apply Job: Applying policies

• Install: Installing updates

• Intrusion Events: Intrusion events

• Login: Web interface login and logout functions

• Menu: Any menu option

• Configuration export > config_type > config_name: Importing configurations of a specific type and name

• Permission Escalation: User role escalation

• Preferences: User preferences, such as the time zone for a user account and individual event preferences

• Policy: Any policy, including intrusion policies

• Register: Registering devices on a Defense Center

• RemoteStorageDevice: Configuring remote storage devices

• Reports: Report listing and report designer features

• Rules: Intrusion rules, including the rule editor and the rule importation process

• Rule Update Import Log: Viewing the rule update import log

• Rule Update Install: Installing rule updates

• Status: Syslog, as well as host and performance statistics

• System: Various system-wide settings

• System Policy > policy_name Appliance > appliance_name: Applying system policies


Table 69-3 Subsystem Names (continued)

• Task Queue: Viewing the task queue

• Users: Creating and modifying user accounts and roles

Understanding the Audit Log Table

License: Any

Each appliance generates an audit event for each user interaction with the web interface. Each event includes a time stamp, the user name of the user whose action generated the event, a source IP, and text describing the event. The fields in the audit log table are described in the following table.

Table 69-4 Audit Log Fields

• Time: Time and date that the appliance generated the audit record.

• User: User name of the user that triggered the audit event.

• Subsystem: Menu path the user followed to generate the audit record. For example, System > Monitoring > Audit is the menu path to view the audit log. In a few cases where a menu path is not relevant, the Subsystem field displays only the event type. For example, Login classifies user login attempts.

• Message: Action the user performed. For example, Page View signifies that the user simply viewed the page indicated in the Subsystem, while Save means that the user clicked the Save button on the page. Changes made to the FireSIGHT System appear with a compare icon that you can click to see a summary of the changes. For more information, see Using the Audit Log to Examine Changes, page 69-7.

• Source IP: IP address associated with the host used by the user.

• Count: The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.

Using the Audit Log to Examine Changes

License: Any

You can use the audit log to view detailed reports of changes to your system. These reports compare the current configuration of your system to its most recent configuration before a particular change.

A compare icon appears next to audit log events that reflect changes to the system. You can click the compare icon to access the Compare Configurations page and view a detailed report of a change.

The Compare Configurations page displays the differences between the system configuration before changes and the running configuration in a side-by-side format. The audit event type, time of last modification, and name of the user who made the change are displayed in the title bar above each configuration.


Differences between the two configurations are highlighted:

• Blue indicates that the highlighted setting is different in the two configurations, and the difference is noted in red text.

• Green indicates that the highlighted setting appears in one configuration but not the other.

To examine a change in the audit log:

Access: Admin

Step 1 Select System > Monitoring > Audit.

The first page of the default audit log workflow appears.

If you are using a custom workflow that does not include the table view of audit events, click (switch workflow), then select Audit Log.

Step 2 Click the compare icon next to an applicable audit log event in the Message column.

The Compare Configurations page appears. Note that you can navigate through changes individually by clicking Previous or Next above the title bar. If the change summary is more than one page long, you can also use the scroll bar on the right to view additional changes.

Searching Audit Records

License: Any

You can search audit records to find information specific to a user, a specific subsystem, or an audit record message.

You may want to create searches customized for your network environment, then save them to reuse later. The search criteria you can use are described in the following table. Note that audit searches are not case sensitive. For example, searching for Analyst01 or analyst01 yields the same results.

Table 69-5 Audit Record Search Criteria

• User: Enter the user name of the user who triggered the audit events you want to see. You can use an asterisk (*) as a wildcard character in this field. Example: jsmith returns all audit records involving the user jsmith.

• Subsystem: Enter the full menu path a user would follow to generate the audit records you want to see. You can use an asterisk (*) as a wildcard character in this field. Examples: System > Monitoring > Audit and *Audit both return audit records that involve using the audit log; *Audit* returns all of the above records, plus records that involve searching for audit records.

• Message: The action the user performed or the button the user clicked on the page. You can use an asterisk (*) as a wildcard character in this field. Examples: Apply returns audit records where the user applied an intrusion policy; Save Rule returns audit records where the user saved a correlation rule; Page View returns audit records where the user viewed the page.


Table 69-5 Audit Record Search Criteria (continued)

• Time: Specify the date and time the audit record was generated. See Specifying Time Constraints in Searches, page 60-5 for the syntax for entering time. Example: > 2006-01-15 13:30:00 returns all audit records generated after January 15, 2006 at 1:30 PM.

• Source IP: Enter the IP address of the host that you want to view audit records for. Note: You must type a specific IP address; you cannot use IP ranges when searching audit logs. Example: 172.16.1.37 returns all audit records generated by a user from the 172.16.1.37 IP address.

• Configuration Change: Specify whether or not you want to view audit records of configuration changes. Example: yes returns audit records of configuration changes.

For more information on searching, including how to load and delete saved searches, see Searching for Events, page 60-1.

To search for audit records:

Access: Admin

Step 1 Select Analysis > Search.

The Search page appears.

Step 2 Select Audit Log Events from the table drop-down list.

The Audit Log search page appears.

Tip: To search the database for a different kind of event, select it from the table drop-down list.

Step 3 Enter your search criteria in the appropriate fields, as described in the Audit Record Search Criteria table.

If you enter criteria for multiple fields, the search returns only the records that match the search criteria specified for all fields.

Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.

Tip: If you want to use the search as a data restriction for a custom user role, you must save it as a private search.

Step 5 Optionally, you can save the search to be used again in the future. You have the following options:

• Click Save to save the search criteria.

For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.


• Click Save As New to save a new search or assign a name to a search you created by altering a previously-saved search.

A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

Step 6 Click Search to start the search.

Your search results appear in the default audit log workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow). For information on specifying a different default workflow, see Configuring Event View Settings, page 71-3.

Viewing the System Log

License: Any

The System Log (syslog) page provides you with system log information for the appliance. The system log displays each message generated by the system. The following items are listed in order:

• the date that the message was generated

• the time that the message was generated

• the host that generated the message

• the message itself

Note: System log information is local. For example, you cannot use the Defense Center to view system status messages in the system logs on your managed devices.

You can view system log messages for specific components by using the filter feature. For more information, see Filtering System Log Messages, page 69-10.

To view the syslog:

Access: Admin/Maint

Step 1 Select System > Monitoring > Syslog.

The System Log page appears.

Tip: On the 3D9900, the Load Balancing Interface Module (LBIM) forwards messages to the device's syslog. You can find these messages by filtering on lbim.

Filtering System Log Messages

License: Any


You can view system log messages for specific components by using the filter feature. Filtering allows you to search for specific messages based on content.

The filter functionality uses the UNIX file search utility Grep, and as such, you can use most syntax accepted by Grep. This includes using Grep-compatible regular expressions for pattern matching. You can use a single word as a filter, or you can use Grep-supported regular expressions to search for content.

The following table shows the regular expression syntax you can use in System Log filters:

Table 69-6 System Log Filter Syntax

• . (period): Matches any character or white space. Example: Admi. matches Admin, AdmiN, Admi1, and Admi&

• [[:alpha:]]: Matches any alphabetic character. Example: [[:alpha:]]dmin matches Admin, bdmin, and Cdmin

• [[:upper:]]: Matches any uppercase alphabetic character. Example: [[:upper:]]dmin matches Admin, Bdmin, and Cdmin

• [[:lower:]]: Matches any lowercase alphabetic character. Example: [[:lower:]]dmin matches admin, bdmin, and cdmin

• [[:digit:]]: Matches any numeric character. Example: [[:digit:]]dmin matches 0dmin, 1dmin, and 2dmin

• [[:alnum:]]: Matches any alphanumeric character. Example: [[:alnum:]]dmin matches 1dmin, admin, 2dmin, and bdmin

• [[:space:]]: Matches any white space, including tabs. Example: Feb[[:space:]]29 matches logs from February 29th.

• * (asterisk): Matches zero or more instances of the character or expression it follows. Examples: ab* matches a, ab, abb, ca, cab, and cabb; [ab]* matches anything

• ? (question mark): Matches zero or one instances. Example: ab? matches a or ab.

• \ (backslash): Allows you to search for a character typically interpreted as regular expression syntax. Example: alert\? matches alert?.

The following table shows some example filters you can use on the System Log page.

Table 69-7 System Log Filter Examples

• To search for all log entries that are generated on November 5, use: Nov[[:space:]]*5

• To search for all log entries that contain the user name “Admin”, use: Admin

• To search for all log entries that contain authorization debugging information on November 5, use: Nov[[:space:]]*5.*AUTH.*DEBUG

To search for specific message content in the system log:

Access: Admin/Maint

Step 1 Select System > Monitoring > Syslog.

The System Log page appears.

Step 2 Enter a word or query in the filter field.

See the tables above for more information about the filter syntax you can use.


Note: Only Grep-compatible search syntax is supported. For example, you could search for all NTP-related system log messages by using ntp as a filter, or search for all messages generated in November by using Nov as a filter. You could view messages from November 27th by using Nov[[:space:]]*27 or Nov.*27, but you could not use Nov 27 or Nov*27 to view these messages.

Step 3 Optionally, to make your search case-sensitive, check Case-sensitive. (By default, filters are not case-sensitive.)

Step 4 Optionally, check Exclusion to search for all system log messages that do not meet the criteria you entered.

Step 5 Click Go.

The messages that match the filter appear.
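The following Python model of the System Log filter is an added example, not part of the guide or the product: it maps the Case-sensitive and Exclusion check boxes onto regular-expression flags, translates the POSIX bracket classes of Table 69-6 into Python re syntax (an assumed equivalence for the listed classes, not a statement about the appliance's grep build), and runs the Table 69-7 filters and the Note's Nov*27 case over a constructed sample log so a filter can be checked before it is typed into the page.

```python
import re
from typing import List

# Constructed sample of System Log lines (date, time, host, message). Syslog pads
# single-digit days with a second space after the month, which is why the guide's
# filters use Nov[[:space:]]*5 rather than a literal single space.
SAMPLE_LOG = [
    "Nov  5 08:12:01 dc ntpd[812]: synchronized to 10.0.0.1",
    "Nov  5 08:13:44 dc sshd[901]: AUTH DEBUG session opened for user admin",
    "Nov 27 09:00:10 dc httpd[1200]: Admin logged in from 10.1.1.25",
    "Nov 27 09:01:33 dc lbim[77]: link state changed",
    "Dec  1 00:00:05 dc kernel: NTP time step",
]

# POSIX bracket classes from Table 69-6 and the Python re text used inside [...].
# Assumed equivalence for the classes the guide lists; other syntax passes through.
POSIX_CLASSES = {
    "[:alpha:]": "a-zA-Z",
    "[:upper:]": "A-Z",
    "[:lower:]": "a-z",
    "[:digit:]": "0-9",
    "[:alnum:]": "a-zA-Z0-9",
    "[:space:]": r"\s",
}


def to_python_regex(pattern: str) -> str:
    """Translate a grep-style filter from the guide into a Python regular expression."""
    for posix, python in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, python)
    return pattern


def syslog_filter(pattern: str, case_sensitive: bool = False, exclusion: bool = False,
                  lines: List[str] = SAMPLE_LOG) -> List[str]:
    """Return the log lines the System Log page would show for this filter.

    case_sensitive mirrors the Case-sensitive check box (filters are not case
    sensitive by default); exclusion mirrors the Exclusion check box, which keeps
    only the lines that do NOT match the filter.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    regex = re.compile(to_python_regex(pattern), flags)
    return [line for line in lines if bool(regex.search(line)) != exclusion]


if __name__ == "__main__":
    # Nov*27 means "No" followed by any number of "v" and then "27", so it finds nothing.
    for flt in ("ntp", "Nov[[:space:]]*27", "Nov.*27", "Nov*27",
                "Nov[[:space:]]*5.*AUTH.*DEBUG"):
        print(f"{flt!r}: {len(syslog_filter(flt))} line(s)")
```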
