Viewing the audit log file

Use Secure Shell (SSH) to log in to your IBM QRadar system and monitor changes to your system.

About this task

You can use the Log Activity tab to view normalized audit log events.

The maximum size of any audit message, excluding date, time, and host name, is 1024 characters.

Each entry in the log file uses the following format:

<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>

The following table describes the parts of the log file format.

Table 1. Description of the parts of the log file format

File format part    Description
----------------    -----------------------------------------------------------------------
date_time           The date and time of the activity, in the format Month Date HH:MM:SS.
host name           The host name of the Console where this activity was logged.
user                The name of the user who changed the settings.
IP address          The IP address of the user who changed the settings.
thread ID           The identifier of the Java™ thread that logged this activity.
category            The high-level category of this activity.
sub-category        The low-level category of this activity.
action              The activity that occurred.
payload             The complete record that changed, which might include the user record or event rule.
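As an added example (not IBM's or the QRadar product's own code), the following Python parser splits lines in the format above into their named parts and flags any message that exceeds the 1024-character limit, which applies to everything after the host name. The sample lines, host name, user names, IP addresses and thread IDs are constructed.

```python
# Added example (not IBM's code): parse QRadar audit log lines in the documented format
# <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
import re
from typing import Iterable, Iterator, Optional

# Documented limit on an audit message, excluding date, time and host name.
MAX_MESSAGE_LEN = 1024

AUDIT_LINE_RE = re.compile(
    r"^(?P<date_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] \[(?P<subcategory>[^\]]*)\] \[(?P<action>[^\]]*)\] "
    r"(?P<payload>.*)$"
)


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the fields of one audit line as a dict, or None if it does not match."""
    line = line.rstrip("\n")
    m = AUDIT_LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The size limit covers everything after the host name (user, thread, categories, payload).
    rec["oversize"] = len(line[m.end("host") + 1:]) > MAX_MESSAGE_LEN
    return rec


def filter_audit(lines: Iterable[str], category: Optional[str] = None) -> Iterator[dict]:
    """Yield parsed records, optionally only those in the given high-level category."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and (category is None or rec["category"] == category):
            yield rec


# Constructed sample lines; not real QRadar output.
SAMPLE_LINES = [
    "Mar  3 09:14:02 qradar-console admin@192.0.2.10 (Thread-17) [Authentication] [User] [Login] Login succeeded for admin",
    "Mar  3 09:15:40 qradar-console admin@192.0.2.10 (Thread-17) [Configuration] [Rule] [Update] Rule 'Excessive Denies' modified",
    "Mar  3 09:16:05 qradar-console auditor@192.0.2.20 (Thread-22) [Authentication] [User] [Logout] Session ended for auditor",
    "this line is not in the audit format",
]

if __name__ == "__main__":
    for rec in filter_audit(SAMPLE_LINES, category="Authentication"):
        print(rec["date_time"], rec["user"], rec["ip"], rec["action"], rec["payload"])
```

To run it over a real file, replace SAMPLE_LINES with the lines read from the audit log file under /var/log/audit; lines that do not match the format are skipped rather than raising.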

Procedure

  1. Using SSH, log in to QRadar as the root user:
       User Name: root
       Password: password
  2. Go to the following directory:

       /var/log/audit

  3. Open and view the audit log file.