Audit Event Logs
last edited on: Sep. 14, 2022
Audit events track important activity within the system including file events, permission changes and configuration information. Events may be initiated by users, or they may be generated from system events including background tasks and synchronization events.
The Audit logs are available when logged in as the tenant Admin from the Audit Reports section of the Admin options.
Audit logs can be filtered, archived, and/or exported.
Audit logs can capture information that is specific to a tenant user but also file sharing information such as the remote IP address of users accessing file shares. System tasks can also be captured by the audit event logs, dependent on the granularity that has been set. Audit events that have an IP address of 1.1.1.1 are system-generated events, that may or may not be based on user interaction.
If you want to enable the Audit logs to be accessible from the base OS then you can configure the logs to be output to syslog and they will be available in both places.
To enable audit logs see step 4.
To view and export audit logs see step 5.
Writing Audit Event Logs to syslog
Step 1 - Appliance Admin Setting
syslog is a standard for message logging. It allows separation of the software that generates messages and is often used from a software perspective for security audit logging. Such messages can subsequently be integrated into log aggregation tools such as Splunk.
Splunk is widely used among enterprise security teams for breach investigations. Enabling syslog provides the ability to feed audit events into Splunk, enabling companies to evaluate potential data breaches through the same means they use to investigate issues with other internally used applications and/or services.
The syslog functionality can be enabled by logging in as appladmin, going to Site Functionality and setting “Enable write audit events to syslog” to yes.
Step 2 - Organization Admin Setting
Login as org admin to your account and from the Organization Menu go to Policies > Security and set “Write Audit Events to syslog file:” to yes
The audit logs now will be written to /var/log/messages in the appliance
Sending syslog Entries to rsyslog Service
Appliance:
SSH in as smeconfiguser and then su to root. Edit /etc/rsyslog.conf and at the bottom of file add line:
*.* @IP_OF_REMOTE_SYSLOG
Restart the syslog service:
%%systemctl restart rsyslog%%
The logs will be sent using UDP protocol and by default port 514 is used.
Install rsyslog:
If you have not already done so, you will need to install and configure rsyslog on a separate machine please see http://www.rsyslog.com/