Configuring audit logging

You can configure the SOAR Platform to send audit log messages to the client.log file and to Syslog, if you configured Syslog.

About this task

Complete the following steps to enable audit logging on the SOAR Platform.

Procedure

  1. Start an SSH session to the SOAR system.
  2. Enter the following command to enable audit logging.
    sudo resutil audit -on
    A confirmation message is displayed, indicating that audit logging was successfully enabled.
    Command successful. The Audit Logging configuration is as follows
    Status: On    Type : Syslog    Host : localhost    Port : 514
    If you set up a remote Syslog server, pass the hostname (or IP address) and port number of the remote system.
    sudo resutil audit -on [-host hostname] [-port port]

    The SOAR Platform sends the logs by using UDP.

    If you do not specify a hostname or port number, the defaults are used. If you do not have Syslog set up, audit messages are logged to client.log only.

    The changes take effect immediately at run time.

    To see all options for the resutil audit command, enter the following command.
    sudo resutil audit -help
  3. Restart the syslog service.
    sudo systemctl restart rsyslog.service
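    Because an omitted or mistyped -host/-port silently falls back to the defaults (localhost:514), it is worth checking the confirmation text that resutil prints. The following script is an added example and is not part of the SOAR documentation or product; it parses the confirmation line shown in step 2 and checks that the reported destination is the one intended. The host siem.example.com and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM SOAR code): check the "resutil audit -on" confirmation
# so that a silent fall-back to the default localhost:514 destination is caught.

# Print one field (Status, Type, Host or Port) from the confirmation line
# "Status: On    Type : Syslog    Host : localhost    Port : 514" read on stdin.
audit_field() {
    sed -n 's/^.*'"$1"' *: *\([^ ]*\).*$/\1/p' | head -n 1
}

# Succeed only if audit logging is On and points at the expected host/port.
# $1 = expected host, $2 = expected port, $3 = captured resutil output.
audit_verify() {
    status=$(printf '%s\n' "$3" | audit_field Status)
    host=$(printf '%s\n' "$3" | audit_field Host)
    port=$(printf '%s\n' "$3" | audit_field Port)
    [ "$status" = "On" ] && [ "$host" = "$1" ] && [ "$port" = "$2" ]
}

# On the SOAR host this wrapper enables logging and verifies it in one go.
# It is defined but not called here, because resutil only exists on that system.
audit_enable_and_verify() {
    out=$(sudo resutil audit -on -host "$1" -port "$2") || return 1
    audit_verify "$1" "$2" "$out"
}

# Constructed sample outputs: the default case from the documentation, and a
# remote destination (siem.example.com is a placeholder).
SAMPLE_DEFAULT='Command successful. The Audit Logging configuration is as follows
Status: On    Type : Syslog    Host : localhost    Port : 514'
SAMPLE_REMOTE='Command successful. The Audit Logging configuration is as follows
Status: On    Type : Syslog    Host : siem.example.com    Port : 514'

if audit_verify siem.example.com 514 "$SAMPLE_DEFAULT"; then
    echo "default output: unexpectedly accepted"
else
    echo "default output: rejected, audit logs would stay on localhost:514"
fi
if audit_verify siem.example.com 514 "$SAMPLE_REMOTE"; then
    echo "remote output: verified destination siem.example.com:514"
fi
```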

Results

Audit messages are logged to the client.log file, which is located in the /usr/share/co3/logs directory. If you configured Syslog, the audit messages are also logged to the default Syslog file, /var/log/messages.
If you want to disable audit logging, enter the following command.
sudo resutil audit -off