Configure auditing on the appliance

Use the Audit Configuration feature to enable logging of audit events.

ISAM can collect and process system log (syslog) messages. To enable this, complete the steps on the audit configuration page. This auditing configuration is used by all runtime components.

Steps

  1. Select...

      Monitor Analysis and Diagnostics > Logs > Audit Configuration > Select Enable audit log

  2. Set the location of the syslog server.

      On this appliance

      Audit events are sent to a syslog server on this appliance. If we select the local syslog server, no additional mandatory configuration is needed. To tune the default configuration settings, proceed to step 5. To view the audit logs when auditing uses a local syslog server, see View application log files.

      On a remote machine

      Audit events are sent to a syslog server on a remote machine.

        | Field | Default value | Description |
        |---|---|---|
        | Host | None | Host name of the syslog server. |
        | Port | 514 | Port of the syslog server. |
        | Protocol | UDP | Type of transport protocol to use to transmit syslog messages. Though UDP is the default value, TLS is the preferred protocol for production environments. |
        | Certificate database (truststore) | None | Truststore to use to validate the certificate of the syslog server. This field is enabled only when the transport layer protocol type selected is TLS. |
        | Enable client certificate authentication | Disabled | If enabled, the client is able to do client certificate authentication during the SSL handshake upon server request. |
        | Certificate database (keystore) | None | Keystore to use for client certificate authentication. This field is enabled only when Enable client certificate authentication is selected. |
        | Certificate label | None | Personal certificate to use for client certificate authentication. This field is enabled only when Enable client certificate authentication is selected. |
        | Enable disk failover | Disabled | If enabled, audit events are logged to a local disk file when an error occurs during the SSL connection to the remote syslog server. The local disk files follow the naming pattern ISAMAudit0.log.nn, where nn is a number that uniquely identifies a local disk file. The local disk file can be viewed at the same location as the local syslog server audit logs. |

  3. If we choose to use default values for tuning, we can complete the configuration by clicking Save. Otherwise, proceed with the subsequent steps. To discard changes, click Refresh.

  4. Optional: Click Tuning. Provide the following information:

      | Field | Default value | Description |
      |---|---|---|
      | Event Queue Size | 1000 | Maximum number of audit events the event queue can hold. Syslog messages are queued in memory before they are sent to the syslog server. |
      | Queue Full Timeout (seconds) | -1 | Number of seconds to wait before an incoming event is discarded when the queue is full. A value of 0 indicates that new events are discarded immediately if the queue is full. A value of -1 indicates that new events wait perpetually for the queue to have a vacancy. |
      | Sender Threads | 1 | Number of sender threads, which drain the audit events from the queue to send to the syslog server. |
      | Error Retry Count | 2 | Number of times the syslog client tries to establish a connection with the server again if it fails in the first attempt. |

  5. Click Save. Otherwise, click Refresh to discard changes.
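
The Queue Full Timeout values in the Tuning step trade audit completeness against blocking. The following Python model is an added example, not ISAM code: it reproduces the three documented behaviours (-1, 0, and N seconds) on a small queue while the sender is stalled. The class and function names, the queue size of 3, and the simulated outage are assumptions made for illustration.

```python
import queue
import threading
import time


class AuditQueueModel:
    """Model of the Tuning fields; hypothetical names, not ISAM code."""

    def __init__(self, event_queue_size=1000, queue_full_timeout=-1):
        self.q = queue.Queue(maxsize=event_queue_size)
        self.queue_full_timeout = queue_full_timeout
        self.discarded = 0

    def submit(self, event):
        """Enqueue one audit event; return False if it was discarded."""
        try:
            if self.queue_full_timeout < 0:       # -1: wait perpetually
                self.q.put(event)
            elif self.queue_full_timeout == 0:    # 0: discard immediately
                self.q.put_nowait(event)
            else:                                 # N: wait up to N seconds
                self.q.put(event, timeout=self.queue_full_timeout)
            return True
        except queue.Full:
            self.discarded += 1
            return False


def simulate_outage(queue_full_timeout, events=5, size=3, outage=0.5):
    """Return (accepted, discarded, seconds spent submitting) for one outage."""
    model = AuditQueueModel(size, queue_full_timeout)

    def sender():  # constructed scenario: syslog server back after `outage`
        time.sleep(outage)
        try:
            while True:
                model.q.get(timeout=0.2)
        except queue.Empty:
            return

    t = threading.Thread(target=sender, daemon=True)
    t.start()
    start = time.monotonic()
    accepted = sum(model.submit(f"event-{i}") for i in range(events))
    elapsed = time.monotonic() - start
    t.join()
    return accepted, model.discarded, elapsed
```

In this model, a timeout of 0 returns at once but loses the two events that do not fit, while -1 keeps all five events at the cost of the submitting thread stalling for the length of the outage.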
