Accessing Director Fabric Audit Logs

Director Fabric generates audit logs for the Fabric Server and the API Server. To view the audit logs, you must forward them to Logpoint or any Logpoint receiving client via a Syslog collector.

Forwarding the Audit Logs

  1. Execute the change-rsyslogip command on the server whose logs you want to forward.

  2. Enter the IP address of Logpoint or the log receiving client that collects the audit logs forwarded from the server.

Note

You must individually forward the audit logs from the Fabric Server and the API Server.

Collecting Audit Logs in Logpoint

You can add the Fabric Server and API Server as devices only when Logpoint Fabric is disabled. Configure them with a Syslog collector to collect the audit logs. To learn more, go to Adding a Device.

The following device properties are specific to audit logs. You must configure these properties for the audit logs to generate correctly.

  • Enter the IP address(es) of the server whose logs you want to collect.

  • Select _logpoint as Processing Policy for correct normalization of audit logs.

  • In Proxy Server, select None.

Note

  • You must configure the devices for Fabric Servers and API Server individually.

  • You can also collect logs via a Fabric-enabled Logpoint. To collect the logs, you must configure the devices via Director Console API or Director Console UIA.

  • Go to Devices to learn how to create a device. Go to Syslog Collectors to learn how to add a Syslog Collector to a device.

Viewing Director Fabric Audit Logs

After configuring the device, you can view, search and order the Director Fabric audit logs using specific Logpoint search queries.

  1. Go to Search from the navigation bar.

  2. Enter the search query.

  3. Click Search to view the audit logs.

Examples of Director Fabric audit logs include:

Example 1: Fabric Proxy Audit Logs

event_source="fabric_proxy"

Example 2: Fabric Storage Audit Logs

event_source="fabric_storage"

Example 3: Fabric Authenticator Audit Logs

label="Preauthentication"

Example 4: API Server Audit Logs

label="API"

Example 5: Fabric Connect Audit Logs

"source_name"="/opt/immune/var/log/audit/api_config_service.log"
