Auditing the System
You can audit activity on your system in two ways. The appliances that are part of the FireSIGHT System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log.
The following sections provide more information about the monitoring features that the system provides:
- Managing Audit Records describes how to view and manage system audit information.
- Viewing the System Log describes how to view the system log, which contains system status messages.
Tip Defense Centers and managed devices with Protection licenses also provide full reporting features that allow you to generate reports for almost any type of data accessible in an event view, including auditing data. For more information, see Working with Reports.
Managing Audit Records
Defense Centers and managed devices log read-only auditing information for user activity. Audit logs are presented in a standard event view that allows you to view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and can view detailed reports of the changes that users make.
The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.
Note If you reboot a Series 3 appliance and log into the CLI before the web interface is available, the commands you execute during that window are not recorded in the audit log; auditing of CLI activity resumes once the web interface is up.
For more information, see the following sections:
- Viewing Audit Records
- Suppressing Audit Records
- Understanding the Audit Log Table
- Using the Audit Log to Examine Changes
- Searching Audit Records
Viewing Audit Records
You can use the appliance to view a table of audit records. Then, you can manipulate the view depending on the information you are looking for. The predefined audit workflow includes a single table view of events. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows.
The following table describes some of the specific actions you can perform on an audit log workflow page.

| To... | You can... |
| --- | --- |
| learn more about the columns that appear | find more information in Understanding the Audit Log Table. |
| modify the time and date range for displayed events | find more information in Setting Event Time Constraints. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance. |
| sort and constrain events on the current workflow page | find more information in Sorting Table View Pages and Changing Their Layout. |
| navigate within the current workflow page | find more information in Navigating to Other Pages in the Workflow. |
| navigate between pages in the current workflow, keeping the current constraints | click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages. |
| drill down to the next page in the workflow | use one of the methods described in Constraining Events. |
| constrain on a specific value | click the value. If you click a value on a drill-down page, you move to the next page and constrain on the value. Note that clicking a value within a row in a table view constrains the table view and does not drill down to the next page. For more information, see Constraining Events. |
| switch workflows | click (switch workflow). For more information, see Selecting Workflows. |
| bookmark the current page | click Bookmark This Page. For more information, see Using Bookmarks. |
| view saved bookmarks | click View Bookmarks. For more information, see Using Bookmarks. |
| generate a report based on the data in the current view | click Report Designer. For more information, see Creating a Report Template from an Event View. |
| view a summary of the changes recorded by an audit event | click the compare icon ( ) next to applicable events in the Message column. For more information, see Using the Audit Log to Examine Changes. |
Step 1 Select System > Monitoring > Audit .
The first (and only) page of the default audit log workflow appears. To use a different workflow, including a custom workflow, click (switch workflow) . For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range. For more information, see Setting Event Time Constraints.
Tip If you are using a custom workflow that does not include the table view of audit events, click (switch workflow), then select Audit Log.
Working with Audit Events
You can change the layout of the event view or constrain the events in the view by a field value. To hide a column, click the close icon ( ) in the heading of the column you want to hide, then click Apply in the pop-up window that appears. A disabled column stays hidden for the duration of your session unless you add it back later. Note that when you disable the first column, the Count column is added.
To hide or show other columns, or to add a disabled column back to the view, select or clear the appropriate check boxes before you click Apply .
Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.
Tip Table views always include “Table View” in the page name.
Suppressing Audit Records
If your auditing policy does not require that you audit specific types of user interactions with the FireSIGHT System, you can prevent those interactions from generating audit records. For example, by default, each time a user views the online help, the FireSIGHT System generates an audit record. If you do not need to keep a record of these interactions, you can automatically suppress them.
To configure audit event suppression, you must have access to an appliance's admin user account, and you must be able to either access the appliance's console or open a secure shell.
Caution Ensure that only authorized personnel have access to the appliance and to its admin account.
To suppress audit records, you must create one or more files in the /etc/sf directory in the following form:
AuditBlock.type
where type is address, message, subsystem, or user.
Note If you create an AuditBlock.type file for a specific type of audit message, but later decide that you no longer want to suppress them, you must delete the contents of the AuditBlock.type file but leave the file itself on the FireSIGHT System.
The contents for each audit block type must be in a specific format, as described in the following table. Make sure you use the correct capitalization for the file names. Note also that the contents of the files are case sensitive.
| Type | Description |
| --- | --- |
| address | Create a file named AuditBlock.address and list in it the source IP addresses whose audit records you want to suppress. |
| message | Create a file named AuditBlock.message and list in it the message strings you want to suppress. Note that substrings are matched, so an entry also suppresses any longer message that contains it. |
| subsystem | Create a file named AuditBlock.subsystem and list in it the subsystems you want to suppress. Note that substrings are not matched. You must use exact strings. See the Subsystem Names table for a list of subsystems that are audited. |
| user | Create a file named AuditBlock.user and list in it the user names whose audit records you want to suppress. |
Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be suppressed.
The following table lists audited subsystems.
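The rules above are easy to get wrong in practice: message entries match as substrings while subsystem entries must match exactly, a block is disabled by emptying the file rather than deleting it, and the Audit Filter record is never suppressed. The following added example, which is not part of the FireSIGHT guide or appliance code, simulates those rules in a small POSIX shell script against a scratch directory. It assumes one entry per line in each file and exact matching for the user and address types, neither of which the page states; the sample records and block entries are constructed. Do not point it at the real /etc/sf.

```shell
#!/bin/sh
# Added example, not code from the FireSIGHT guide or appliance: a small
# simulator of the AuditBlock.<type> rules described above, run against a
# scratch directory instead of /etc/sf so it is safe to try anywhere.
# Rules taken from the page: message entries match as substrings, subsystem
# entries must match exactly. Assumptions not stated on the page: one entry
# per line in each file, and exact matching for the user and address types.

SF_DIR=$(mktemp -d)                     # stand-in for /etc/sf
trap 'rm -rf "$SF_DIR"' EXIT

# File names and contents are case sensitive: AuditBlock.message is honoured,
# auditblock.message would be ignored. Entries below are constructed samples.
write_blocks() {
    printf '%s\n' 'Page View'  > "$SF_DIR/AuditBlock.message"
    printf '%s\n' 'Help'       > "$SF_DIR/AuditBlock.subsystem"
    printf '%s\n' 'svc_report' > "$SF_DIR/AuditBlock.user"
    printf '%s\n' '10.1.1.50'  > "$SF_DIR/AuditBlock.address"
}

# Stop suppressing one type the way the page requires: empty the file,
# leave it in place.
disable_block() {
    : > "$SF_DIR/AuditBlock.$1"
}

# matches MODE TYPE STRING: exit 0 if STRING matches an entry in
# AuditBlock.TYPE. MODE is "substring" or "exact"; an empty or absent file
# matches nothing, which is what makes disable_block work.
matches() {
    f="$SF_DIR/AuditBlock.$2"
    [ -s "$f" ] || return 1
    if [ "$1" = exact ]; then
        printf '%s\n' "$3" | grep -qFx -f "$f"   # whole-line, fixed string
    else
        printf '%s\n' "$3" | grep -qF -f "$f"    # substring, fixed string
    fi
}

# is_suppressed USER SUBSYSTEM MESSAGE ADDRESS: exit 0 if the record would be
# dropped, 1 if it would be written to the audit log.
is_suppressed() {
    # The record written whenever a block file changes is never suppressed.
    case "$3" in
        'Audit Filter '*' Changed') return 1 ;;
    esac
    matches substring message   "$3" && return 0
    matches exact     subsystem "$2" && return 0
    matches exact     user      "$1" && return 0   # assumption: exact match
    matches exact     address   "$4" && return 0   # assumption: exact match
    return 1
}

# show USER SUBSYSTEM MESSAGE ADDRESS: print the verdict for one record.
show() {
    if is_suppressed "$@"; then v=suppressed; else v=logged; fi
    printf '%-10s %-30s %-28s %-10s %s\n' "$1" "$2" "$3" "$4" "$v"
}

write_blocks
show admin      'System > Monitoring > Audit' 'Page View'                    10.1.1.7
show admin      'System > Monitoring > Audit' 'Page View Changed'            10.1.1.7   # substring hit
show analyst    'Help'                        'Save'                         10.1.1.9   # exact subsystem hit
show analyst    'Help > Online Help'          'Save'                         10.1.1.9   # no substring matching
show svc_report 'Analysis > Search'           'Search'                       10.1.1.9   # blocked user
show admin      'Analysis > Search'           'Search'                       10.1.1.50  # blocked address
show admin      'Audit'                       'Audit Filter message Changed' 10.1.1.7   # never suppressed
disable_block message
show admin      'System > Monitoring > Audit' 'Page View'                    10.1.1.7   # logged again
```

The verdicts make the page's caveats concrete: the 'Page View' entry also hides the constructed 'Page View Changed' message, the 'Help' subsystem entry does not hide 'Help > Online Help', and after the message file is emptied (not removed) the first record is logged again.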
Understanding the Audit Log Table
Each appliance generates an audit event for each user interaction with the web interface. Each event includes a time stamp, the user name of the user whose action generated the event, a source IP, and text describing the event. The fields in the audit log table are described in the following table.
| Field | Description |
| --- | --- |
| Time | Time and date that the appliance generated the audit record. |
| User | The user name of the user whose action generated the audit record. |
| Subsystem | Menu path the user followed to generate the audit record. For example, System > Monitoring > Audit is the menu path to view the audit log. In a few cases where a menu path is not relevant, the Subsystem field displays only the event type. For example, Login classifies user login attempts. |
| Message | The action the user performed or the button the user clicked on the page. Changes made to the FireSIGHT System appear with a compare icon ( ) that you can click to see a summary of the changes. For more information, see Using the Audit Log to Examine Changes. |
| Source IP | The IP address of the host from which the user's action originated. |
| Count | The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. |
Using the Audit Log to Examine Changes
You can use the audit log to view detailed reports of changes to your system. These reports compare the current configuration of your system to its most recent configuration before a particular change.
A compare icon ( ) appears next to audit log events that reflect changes to the system. You can click the compare icon to access the Compare Configurations page and view a detailed report of a change.
The Compare Configurations page displays the differences between the system configuration before changes and the running configuration in a side-by-side format. The audit event type, time of last modification, and name of the user who made the change are displayed in the title bar above each configuration.
Differences between the two configurations are highlighted:
- Blue indicates that the highlighted setting is different in the two configurations, and the difference is noted in red text.
- Green indicates that the highlighted setting appears in one configuration but not the other.
To examine a change in the audit log:
Step 1 Select System > Monitoring > Audit .
The first page of the default audit log workflow appears.
If you are using a custom workflow that does not include the table view of audit events, click (switch workflow) , then select Audit Log .
Step 2 Click the compare icon ( ) next to an applicable audit log event in the Message column.
The Compare Configurations page appears. Note that you can navigate through changes individually by clicking Previous or Next above the title bar. If the change summary is more than one page long, you can also use the scroll bar on the right to view additional changes.
Searching Audit Records
You can search audit records to find information specific to a user, a specific subsystem, or an audit record message.
You may want to create searches customized for your network environment, then save them to reuse later. The search criteria you can use are described in the following table. Note that audit searches are not case sensitive. For example, searching for Analyst01 or analyst01 yields the same results.
| Field | Description |
| --- | --- |
| User | Enter the user name of the user who triggered the audit events you want to see. You can use an asterisk (*) as a wildcard. |
| Subsystem | Enter the full menu path a user would follow to generate the audit records you want to see. You can use an asterisk (*) as a wildcard. |
| Message | The action the user performed or the button the user clicked on the page. You can use an asterisk (*) as a wildcard. |
| Time | Specify the date and time the audit record was generated. See Specifying Time Constraints in Searches for the syntax for entering time. |
| Source IP | Enter the IP address of the host that you want to view audit records for. Note You must type a specific IP address. You cannot use IP ranges when searching audit logs. |
| Configuration Change | Specify whether or not you want to view audit records of configuration changes. |
For more information on searching, including how to load and delete saved searches, see Searching for Events.
Step 1 Select Analysis > Search .
Step 2 Select Audit Log Events from the table drop-down list.
The Audit Log search page appears.
Tip To search the database for a different kind of event, select it from the table drop-down list.
Step 3 Enter your search criteria in the appropriate fields, as described in the Audit Record Search Criteria table.
If you enter criteria for multiple fields, the search returns only the records that match search criteria specified for all fields.
Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 5 Optionally, you can save the search to be used again in the future. You have the following options:
- Click Save to save the search criteria. For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously-existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
- Click Save As New to save a new search or to save a modified search under a new name. A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
Step 6 Click Search to start the search.
Your search results appear in the default audit log workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow) . For information on specifying a different default workflow, see Configuring Event View Settings.
Viewing the System Log
The System Log (syslog) page provides you with system log information for the appliance. The system log displays each message generated by the system. The following items are listed in order:
- the date that the message was generated
- the time that the message was generated
- the host that generated the message
- the message itself
Note System log information is local. For example, you cannot use the Defense Center to view system status messages in the system logs on your managed devices.
You can view system log messages for specific components by using the filter feature. For more information, see Filtering System Log Messages.
Step 1 Select System > Monitoring > Syslog .
Tip On the 3D9900, the Load Balancing Interface Module (LBIM) forwards messages to the device's syslog. You can find these messages by filtering on lbim.
Filtering System Log Messages
You can view system log messages for specific components by using the filter feature. Filtering allows you to search for specific messages based on content.
The filter functionality uses the UNIX search utility grep, so you can use most syntax that grep accepts, including grep-compatible regular expressions for pattern matching. A filter can be a single word or a regular expression.
The following table shows the regular expression syntax you can use in System Log filters:
| Expression | Meaning |
| --- | --- |
| * | Matches zero or more instances of the character or expression it follows. |
| \ | Allows you to search for a character typically interpreted as regular expression syntax. |
The following table shows some example filters you can use on the System Log page.
To search for specific message content in the system log:
Step 1 Select System > Monitoring > Syslog .
Step 2 Enter a word or query in the filter field.
See the tables above for more information about the filter syntax you can use.
Note Only grep-compatible search syntax is supported. For example, you could search for all NTP-related system log messages by using ntp as a filter, or search for all messages generated in November by using Nov as a filter. You could view messages from November 27th by using Nov[[:space:]]*27 or Nov.*27, but you could not use Nov 27 or Nov*27 to view these messages.
Step 3 Optionally, to make your search case-sensitive, check Case-sensitive . (By default, filters are not case-sensitive.)
Step 4 Optionally, check Exclusion to search for all system log messages that do not meet the criteria you entered.
The messages that match the filter appear.
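As an added example that is not part of the original guide, the following POSIX shell script reproduces the filter field's behaviour (a grep basic regular expression, case insensitive unless Case-sensitive is checked, inverted when Exclusion is checked) against a few constructed log lines, so the patterns from the note above can be tried offline. It assumes the page hands the filter to grep as a basic regular expression and rejects a filter containing a literal space, which is how the note's statement that Nov 27 cannot be used is modelled here; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the FireSIGHT guide or appliance: a stand-in
# for the System Log page's filter field, run against constructed log lines.
# Assumptions: the page passes the filter to grep as a basic regular
# expression, Case-sensitive maps to dropping -i, Exclusion maps to -v, and a
# filter containing a literal space is rejected (the page says "Nov 27"
# cannot be used; "Nov*27" fails on its own because * applies to the v).

# Constructed sample log in the page's column order: date, time, host, message.
SAMPLE_SYSLOG='Nov 26 23:59:58 dc1 ntpd[1021]: synchronized to 10.0.0.5, stratum 3
Nov 27 00:00:01 dc1 sshd[2048]: Accepted publickey for admin from 10.1.1.7 port 51022
Nov 27 00:00:03 dc1 lbim: link state change on port 3
Nov 27 00:01:12 dc1 NTPD[1021]: time reset -0.183 s
Dec 02 08:15:44 dc1 sshd[2101]: Failed password for invalid user oracle from 10.1.1.9'

# syslog_filter PATTERN [case] [exclude]
# Prints the lines the filter would display. Matching is case insensitive
# unless "case" is given; "exclude" prints the lines that do NOT match.
syslog_filter() {
    pattern=$1; shift
    case "$pattern" in
        *' '*) echo "filter may not contain a space; use [[:space:]] or ." >&2; return 2 ;;
    esac
    ci=-i; inv=
    for flag in "$@"; do
        case "$flag" in
            case)    ci= ;;
            exclude) inv=-v ;;
        esac
    done
    printf '%s\n' "$SAMPLE_SYSLOG" | grep $ci $inv -e "$pattern"
}

# count_matches PATTERN [case] [exclude]: number of lines the filter shows
# (0 when nothing matches or the filter is rejected).
count_matches() {
    syslog_filter "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Walk through the page's own examples plus the Case-sensitive and
# Exclusion options.
for f in 'ntp' 'Nov' 'Nov[[:space:]]*27' 'Nov.*27' 'Nov*27' 'lbim'; do
    printf '%-20s %s line(s)\n' "$f" "$(count_matches "$f")"
done
printf '%-20s %s line(s)\n' 'ntp (case)'     "$(count_matches ntp case)"
printf '%-20s %s line(s)\n' 'sshd (exclude)' "$(count_matches sshd exclude)"
```

Against the sample, ntp matches both the ntpd and NTPD lines until Case-sensitive is set, Nov[[:space:]]*27 and Nov.*27 each select the three November 27th lines, and Nov*27 selects nothing because the * applies only to the preceding v.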