Auditing user and system usage in QRadar Incident Forensics

Audit logs are chronological records that identify the user accounts associated with data access. These logs can reveal unusual or unauthorized access and can identify problems such as failed jobs.

The following activities generate audit log events:
  • Create case
  • Assign case
  • Delete case
  • Delete collection
  • All user queries
  • Document view
  • Export document
Restriction: Logging create collection events is not supported.

Procedure

  1. Use SSH to log on to the QRadar Console or QRadar Incident Forensics Standalone as an administrator.
  2. Go to the /var/log/audit directory.
  3. Open the audit.log file in an editor, such as vi, to review the contents or use the grep command to look for a specific entry.
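The following shell functions are an added example of step 3, not part of the IBM documentation: they summarize the activities listed above per user and pull out the delete and export events that a reviewer would usually check first. The pipe-delimited line layout and the sample entries are constructed for illustration; the real audit.log format is an assumption you must confirm on your own Console.

```shell
# Added example (not IBM code). Assumed layout per line: timestamp|user|activity|detail
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# Constructed sample entries in the assumed layout, used so the example runs offline.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2024-01-15T10:02:11|analyst1|Create case|case=INC-1001
2024-01-15T10:05:40|analyst1|Assign case|case=INC-1001 to=analyst2
2024-01-15T10:30:02|analyst2|Document view|doc=4711
2024-01-15T11:12:55|analyst2|Export document|doc=4711
2024-01-15T23:47:19|contractor|Delete collection|collection=pcap-2024-01
EOF

# Count events per activity and user; $1 = log file.
count_events() {
  awk -F'|' '{ n[$3 " by " $2]++ } END { for (k in n) print n[k], k }' "$1" | sort
}

# Show only the events that remove evidence or move it off the system; $1 = log file.
sensitive_events() {
  awk -F'|' '$3 ~ /^(Delete case|Delete collection|Export document)$/' "$1"
}

# How many times a given user performed a given activity; $1 = log, $2 = user, $3 = activity.
user_activity_count() {
  awk -F'|' -v u="$2" -v a="$3" '$2 == u && $3 == a { c++ } END { print c + 0 }' "$1"
}

# Demo against the constructed sample; on an appliance pass "$AUDIT_LOG" instead.
count_events "$SAMPLE_LOG"
sensitive_events "$SAMPLE_LOG"
```

Because create-collection events are not logged (see the restriction above), a collection that appears only in a Delete collection entry is expected and not by itself a sign of tampering.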