Configuring auditing on the appliance

Use the Audit Configuration feature to enable logging of audit events.

Before you begin

Depending on the required audit configuration, you might need the following information to complete the auditing configuration:
  • If you plan to use a syslog server on a remote machine, ensure that you have the location (host name and port) of the syslog server.
  • If you plan to use TLS as the transport protocol, ensure that the server certificate was imported into the chosen certificate database (truststore).
  • If you plan to use a client certificate to authenticate to the syslog server, ensure that the certificate is trusted by the syslog server. The certificate must be imported into the chosen certificate database (keystore).

About this task

IBM® Security Access Manager provides the capability of collecting and processing system log (syslog) messages. Complete the steps on the Audit Configuration page to enable the feature; the resulting auditing configuration is shared by all runtime components.

Procedure

  1. From the top menu, select Monitor Analysis and Diagnostics > Logs > Audit Configuration.
  2. Select Enable audit log.
  3. Specify the location of the syslog server.
    On this appliance
    Audit events are sent to a syslog server on this appliance. If you select the local syslog server, no additional mandatory configuration is needed. If you want to tune the default configuration settings, proceed to step 5.
    Note: If you configure auditing to use a local syslog server, see Viewing application log files to view the audit logs.
    On a remote machine
    Audit events are sent to a syslog server on a remote machine. If you select a syslog server on a remote machine, you might need to specify some or all of the following information:
    Table 1. Syslog server remote machine configuration values
    Host
      Default value: None
      Specifies the host name of the syslog server.
    Port
      Default value: 514
      Specifies the port of the syslog server.
    Protocol
      Default value: UDP
      Specifies the transport protocol that is used to transmit syslog messages.
      Note: Although UDP is the default value, use TLS. TLS is the preferred protocol for production environments.
    Certificate database (truststore)
      Default value: None
      Specifies the truststore that is used to validate the certificate of the syslog server. This field is enabled only when the selected transport protocol is TLS.
    Enable client certificate authentication
      Default value: Disabled
      If enabled, the appliance can present a client certificate for authentication during the SSL handshake when the syslog server requests one.
    Certificate database (keystore)
      Default value: None
      Specifies the keystore that is used for client certificate authentication. This field is enabled only when Enable client certificate authentication is selected.
    Certificate label
      Default value: None
      Specifies the personal certificate that is used for client certificate authentication. This field is enabled only when Enable client certificate authentication is selected.
    Enable disk failover
      Default value: Disabled
      If enabled, audit events are logged to a local disk file when an error occurs during the SSL connection to the remote syslog server.
      Note: If you enable disk failover, the audit events are logged to local disk files that follow the naming pattern ISAMAudit0.log.nn, where nn is a number that uniquely identifies a local disk file. The local disk files can be viewed at the same location as the local syslog server audit logs.
  4. If you choose to use default values for tuning, you can complete the configuration by clicking Save. Otherwise, proceed with the subsequent steps. If you want to discard the changes you made, click Refresh.
  5. Optional: Click Tuning. Provide the following information:
    Table 2. Audit tuning values
    Event Queue Size
      Default value: 1000
      Specifies the maximum number of audit events that the event queue can hold. Syslog messages are queued in memory before they are sent to the syslog server.
    Queue Full Timeout (seconds)
      Default value: -1
      Specifies the number of seconds to wait before an incoming event is discarded when the queue is full. A value of 0 indicates that new events are discarded immediately if the queue is full. A value of -1 indicates that new events wait perpetually for the queue to have a vacancy.
    Sender Threads
      Default value: 1
      Specifies the number of sender threads, which drain the audit events from the queue and send them to the syslog server.
    Error Retry Count
      Default value: 2
      Specifies the number of times the syslog client retries the connection to the server after the first attempt fails.
  6. Click Save to apply the configuration, or click Refresh to discard the changes you made.
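The tuning values in step 5 interact: with Queue Full Timeout set to 0 and a slow or unreachable syslog server, audit events are dropped rather than delayed, and a sender gives up on an event only after Error Retry Count further connection attempts. The following Python model is added here as an illustration of those semantics and is not IBM's implementation; the `AuditSender` class, the `simulate` helper, the slow `send` callback and the event counts are all constructed.

```python
import queue, threading, time
class AuditSender:
    """Model of the audit tuning values (constructed illustration, not IBM's code)."""
    def __init__(self, send, queue_size=1000, queue_full_timeout=-1,
                 sender_threads=1, error_retry_count=2):
        self.send = send                                  # delivers one event; raises OSError on failure
        self.queue = queue.Queue(maxsize=queue_size)      # Event Queue Size
        self.timeout, self.retries = queue_full_timeout, error_retry_count
        self.discarded = self.failed = 0                  # lost: queue full / retries exhausted
        for _ in range(sender_threads):                   # Sender Threads drain the queue
            threading.Thread(target=self._drain, daemon=True).start()
    def log(self, event):
        """Enqueue one audit event using the Queue Full Timeout semantics."""
        try:
            if self.timeout < 0:
                self.queue.put(event)                         # -1: wait perpetually
            elif self.timeout == 0:
                self.queue.put(event, block=False)            # 0: discard immediately
            else:
                self.queue.put(event, timeout=self.timeout)   # N: wait up to N seconds
        except queue.Full:
            self.discarded += 1                               # the audit record is silently lost
    def _drain(self):
        while True:
            event = self.queue.get()
            for attempt in range(1 + self.retries):           # first try plus Error Retry Count
                try:
                    self.send(event)
                    break
                except OSError:
                    if attempt == self.retries:               # the last retry failed too
                        self.failed += 1
            self.queue.task_done()
    def flush(self):
        self.queue.join()                                     # wait until every queued event is handled

def simulate(events, queue_size, queue_full_timeout, fail_first=0):
    """Push `events` through the model; the first `fail_first` send calls fail."""
    delivered, calls = [], [0]
    def send(event):
        calls[0] += 1
        if calls[0] <= fail_first:
            raise OSError("connection refused")
        time.sleep(0.005)                                     # a slow remote syslog server
        delivered.append(event)
    s = AuditSender(send, queue_size, queue_full_timeout)
    for e in range(events):
        s.log(e)
    s.flush()
    return len(delivered), s.discarded, s.failed
```

Running `simulate(40, 5, 0)` shows events discarded once the queue of 5 is full, while `simulate(40, 5, -1)` delivers all 40; a server that refuses three consecutive connections exceeds the default retry count of 2, so the first event is lost.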