Audit Logs
Audit logs provide information on what events occurred and who (or what) caused them. You can generate different audit logs for different Director Console events and security records. These logs have digital footprints known as audit trails. These trails help trace the type of change, the user who made the change and the time of the change.
Viewing Audit Logs
Logpoint generates audit logs relating to user management, installation & uninstallation, license upload & report generation, clicked action tasks and Director Console login attempts. A remote Syslog server receives these audit logs. The Syslog server can be a Logpoint instance or any other log receiving service. Once it collects the data, only users assigned the relevant roles can view it.
Audit logs also include licensing logs and API calls.
You can configure and view Logpoint audit logs by creating a device and configuring a syslog collector. To learn more, go to Adding a Device.
The following device properties are specific to Audit Logs. It’s important that you configure these properties for Audit Logs to generate correctly.
Select _logpoint as Processing Policy for correct normalization of audit logs.
In Proxy Server, select None.
To view audit logs:
Go to Search from the navigation bar.
Enter the search query.
Click Search to view the audit logs.
Example of query: label="DirectorConsole"

Director Console audit logs include the DirectorComponent field, whose value is DirectorConsole.
Examples of Director Console audit logs include:
| Actions/Events | Components | Sample Logs |
|---|---|---|
| Upload License | License Management | 2023-01-03T03:54:12.109000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; status=install license; user=root; source_address=10.94.128.12; |
| Generate PDF License Report | License Management | 2023-01-03T03:58:36.708000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; status=download report; entityType=Director License; user=root; from=2023-01-01; to=2023-03-31; reportType=Q1; pool=ksipool; |
| Generate CSV License Report | License Management | 2023-01-03T04:01:03.151000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; source_address=10.94.128.12; user=ksi; authType=dc_auth; status=export license report as CSV success; from=2023-01-01; to=2023-03-31; |
| Upload Patch File | Assets Management | 2023-01-02T05:59:20.792000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=logpoint_7.0.1.pak; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install Patch File | Assets Management | 2023-01-03T04:57:14.749000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=logpoint_7.2.0.102.pak; pool=ksipool; machine=LogPoint202; status=Install; assetType=PATCH; user=ksi; source_address=10.94.128.79; |
| Upload Normalization Package File | Assets Management | 2023-01-02T04:47:23.564000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=normpackage.pak; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install Normalization Package | Assets Management | 2023-01-02T04:59:38.488000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=normpackage.pak; pool=ksipool; machine=LogPoint204; status=Install; assetType=NORMALIZATION PACKAGE; user=ksi; source_address=10.94.128.62; |
| Upload Plugins Package File | Assets Management | 2023-01-02T05:01:41.918000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=CiscoUmbrella_5.2.0.pak; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install Plugins Package | Assets Management | 2023-01-02T05:02:37.419000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=CiscoUmbrella_5.2.0.pak; pool=ksipool; machine=LogPoint204; status=Install; assetType=PLUGIN; user=ksi; source_address=10.94.128.62; |
| Upload Label Package File | Assets Management | 2023-01-02T05:04:41.424000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=ksi_label.pak; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install Label Package | Assets Management | 2023-01-02T05:05:38.394000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=ksi_label.pak; pool=ksipool; machine=LogPoint204; status=Install; assetType=LABEL PACKAGE; user=ksi; source_address=10.94.128.62; |
| Upload IPLookup Package File | Assets Management | 2023-01-02T05:06:58.843000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=IP.csv; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install IPLookup Package File | Assets Management | 2023-01-02T05:08:50.796000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=IP.csv; pool=ksipool; machine=LogPoint204; status=Install; assetType=IPLOOKUP; user=ksi; source_address=10.94.128.62; |
| Upload List Package File | Assets Management | 2023-01-02T05:50:31.590000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=listpak.pak; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install List Package File | Assets Management | 2023-01-02T05:51:44.098000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=listpak.pak; pool=ksipool; machine=LogPoint204; status=Install; assetType=LISTS; user=ksi; source_address=10.94.128.62; |
| Uninstall Plugins Package | Assets Management | 2023-01-02T05:12:33.567000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=Applications; pool=ksipool; machine=LogPoint204; status=Uninstall; assetType=PLUGIN; user=ksi; source_address=10.94.128.62; |
| Asset Delete | Assets Management | 2023-01-02T05:14:40.672000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=CiscoUmbrella_5.2.0.pak; status=Delete; assetType=Asset; user=ksi; source_address=10.94.128.62; |
| Configure Plugin | Plugin | 2023-01-02T05:17:56.796000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=STIX/TAXII Enrichment Source-6.0.0; pool=ksipool; machine=LogPoint204; status=create; entityType=Plugins; pluginType=StixTaxiiEnrichmentSource; source_address=10.94.128.62; |
| Edit Plugin | Plugin | 2023-01-02T05:19:28.150000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=STIX/TAXII Enrichment Source-6.0.0; pool=ksipool; machine=LogPoint204; status=change; entityType=Plugins; pluginType=StixTaxiiEnrichmentSource; source_address=10.94.128.62; |
| Delete Plugin Configuration | Plugin | 2023-01-02T05:21:23.418000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=ThreatIntelligence-6.1.0; pool=ksipool; machine=LogPoint204; status=delete; entityType=Plugins; pluginType=ThreatIntelligence; source_address=10.94.128.62; |
| Download Report | Entities | 2023-01-03T04:31:25.121000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; status=download report; entityType=Devices; user=ksi; reportType=Create; pool=ksipool; machine=74388e040fd742928277685bfb5e8c99; |
| Download Report | Operations | 2023-01-03T04:23:19.941000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; status=download report; entityType=CreateBackup; user=ksi; reportType=Operations; pool=ksipool; machine=74388e040fd742928277685bfb5e8c99; |
| Retry Operation | Tasks Page | 2023-01-02T05:47:25.505000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; entityType=NormalizationPackage; machine=LogPoint204; status=Retry; |
| Upload UEBA License | UEBA | 2023-01-02T06:24:24.768000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=uebalicense201.pak; user=ksi; status=Upload; entityType=Asset; source_address=10.94.128.62; |
| Install UEBA License | UEBA | 2023-01-03T05:14:08.377000+00:00 api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; DirectorComponent=DirectorConsole; type=audit_log; name=license1672722773.pak; pool=ksipool; machine=LogPoint202; status=Install; assetType=UEBA; user=ksi; source_address=10.94.128.79; |
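An added example, not part of the Logpoint documentation: a Python parser for the line layout of the sample logs, used to list uninstall and delete events with the acting user and source address. The function names and the set of status values treated as removals are assumptions of this example.

```python
import re
from datetime import datetime

# Layout seen in the samples: "<ISO timestamp> <host> INFO: <tag>; <tag>; key=value; ...;"
HEADER = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<level>\w+):\s*(?P<body>.*)$")
# Status values this example treats as removals (an assumption, taken from the samples).
REMOVALS = {"uninstall", "delete"}

def parse_audit_line(line):
    """Parse one Director Console audit line; return None if it does not fit the layout."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    fields, tags = {}, []
    for part in (p.strip() for p in m["body"].split(";")):
        key, sep, value = part.partition("=")
        if sep:                # key=value; the value may contain spaces, "/" or "-"
            fields[key.strip()] = value.strip()
        elif part:             # bare token such as "DirectorConsoleLog"
            tags.append(part)
    return {"timestamp": ts, "host": m["host"], "tags": tags, "fields": fields}

def removal_events(lines):
    """Return (time, user, source_address, status, name) for uninstall/delete audit events."""
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["fields"].get("type") != "audit_log":
            continue
        f = ev["fields"]
        if f.get("status", "").lower() in REMOVALS:
            # Plugin configuration logs carry no user field, so report it as absent.
            hits.append((ev["timestamp"].isoformat(), f.get("user", "<absent>"),
                         f.get("source_address", "<absent>"), f["status"], f.get("name")))
    return hits

# Sample lines copied from this page's sample logs; PREFIX is the part they all share.
PREFIX = ("api217.logpoint.local INFO: DirectorConsole; DirectorConsoleLog; "
          "DirectorComponent=DirectorConsole; type=audit_log; ")
SAMPLES = [
    "2023-01-02T05:02:37.419000+00:00 " + PREFIX + "name=CiscoUmbrella_5.2.0.pak; pool=ksipool; machine=LogPoint204; status=Install; assetType=PLUGIN; user=ksi; source_address=10.94.128.62;",
    "2023-01-02T05:12:33.567000+00:00 " + PREFIX + "name=Applications; pool=ksipool; machine=LogPoint204; status=Uninstall; assetType=PLUGIN; user=ksi; source_address=10.94.128.62;",
    "2023-01-02T05:14:40.672000+00:00 " + PREFIX + "name=CiscoUmbrella_5.2.0.pak; status=Delete; assetType=Asset; user=ksi; source_address=10.94.128.62;",
    "2023-01-02T05:21:23.418000+00:00 " + PREFIX + "name=ThreatIntelligence-6.1.0; pool=ksipool; machine=LogPoint204; status=delete; entityType=Plugins; pluginType=ThreatIntelligence; source_address=10.94.128.62;",
]

if __name__ == "__main__":
    for hit in removal_events(SAMPLES):
        print(hit)
```

The status comparison is case-insensitive because the samples use both `Delete` (asset) and `delete` (plugin configuration).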