You can configure the SOAR Platform to send audit log messages to the client.log file and, if you configured Syslog, to Syslog.
About this task
Complete the following steps to enable audit logging on the SOAR Platform.
Procedure
- Start an SSH session to the SOAR system.
- Enter the following command to enable audit logging.
  sudo resutil audit -on
  A confirmation message is displayed, indicating that audit logging was successfully enabled.
  Command successful. The Audit Logging configuration is as follows
  Status: On Type : Syslog Host : localhost Port : 514
  If you set up a remote Syslog server, enter the IP address (or hostname) and port number of the remote system.
  sudo resutil audit -on [-host hostname] [-port port]
  The SOAR Platform sends the logs by using UDP.
  If you do not specify a hostname or port number, the defaults are used. If you do not have Syslog set up, audit messages are logged to client.log only.
  The change takes effect at run time.
  To see all options for the resutil audit command, enter the following command.
  sudo resutil audit -help
- Restart the syslog service.
  sudo systemctl restart rsyslog.service
Results
Audit messages are logged to the client.log file, which is located in the /usr/share/co3/logs directory. If you configured Syslog, the audit messages are also logged to the default Syslog file, /var/log/messages.
If you want to disable audit logging, enter the following command.
sudo resutil audit -off
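The receiving side of the remote Syslog setup described above, as an added example that is not part of the SOAR documentation: an rsyslog configuration for the remote server named with -host that listens on the default UDP port 514 and writes the SOAR audit messages to their own file instead of the default /var/log/messages. It assumes the receiver runs rsyslog with the RainerScript syntax, that the SOAR host's address is the placeholder 192.0.2.10, and that /var/log/soar-audit.log is the chosen destination; none of these values come from the page.

```rsyslog
# Added example, not from the SOAR documentation.
# Receiver-side rsyslog configuration for the remote Syslog host given to
#   sudo resutil audit -on -host <receiver> -port 514
# Assumptions: rsyslog with RainerScript syntax; SOAR host address
# 192.0.2.10 is a placeholder; destination file is /var/log/soar-audit.log.

# Listen for UDP syslog on port 514, the SOAR Platform's default port.
module(load="imudp")
input(type="imudp" port="514")

# Record the receiver's own timestamp and the sender address so each audit
# line can be tied back to the SOAR host that emitted it.
template(name="SoarAudit" type="string"
         string="%timegenerated% %fromhost-ip% %syslogtag%%msg%\n")

# Keep SOAR audit messages in a dedicated, group-readable file and stop
# further processing so they are not duplicated into /var/log/messages.
if $fromhost-ip == '192.0.2.10' then {
    action(type="omfile" file="/var/log/soar-audit.log"
           template="SoarAudit" fileCreateMode="0640")
    stop
}
```

Because the transport is UDP, the messages arrive without authentication, encryption or delivery confirmation, so the receiver's host firewall should accept port 514 only from the SOAR host, and $fromhost-ip is a routing hint rather than proof of origin.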