Audit Logs

Logpoint Director generates audit logs: records of which events occurred and who (or what) caused them. Together these records form an audit trail, which lets you trace the type of change, the user who made the change and the time of the change.

Viewing Audit Logs

Logpoint generates and stores audit logs of all actions carried out in Search Master. A remote Syslog server receives these audit logs. The Syslog server can be a Logpoint instance or any other log receiving service. Once it collects the data, only users assigned the relevant roles can view it.

You can configure and view Logpoint audit logs by creating a device and configuring a Syslog collector. To learn more, go to Adding a Device.

The following device properties are specific to Audit Logs. It’s important that you configure these properties for Audit Logs to generate correctly.

  • Select _logpoint as Processing Policy for correct normalization of audit logs.

  • In Proxy Server, select None.

Note

Go to Devices to learn how to create a device. Go to Syslog Collectors to learn how to add a Syslog Collector to a device.

To view audit logs:

  1. Go to Search from the navigation bar.

  2. Enter the search query.

  3. Click Search to view the audit logs.

By default, the logging level for Search Master audit logs is Info. The logging level is used to track and analyze events: it identifies the type and severity of logged events based on how severely they affect users and how quickly an administrator should respond.

Example query: label="LPSM" device_ip="10.94.128.39"

"2022-11-18T05:19:34.671356+00:00 LPSM-136 INFO: DirectorComponent=LPSM; pool; lists read; type=audit_log; user='admin'; source_address='10.94.128.39'; server_role=lpsm"
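When the receiving Syslog server is not a Logpoint instance, the audit line has to be parsed before it can answer who changed what and when. The following is an added example, not Logpoint code: a parser for the sample line above. The field layout is an assumption inferred from that single sample, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample line copied from this page (surrounding quotes dropped).
SAMPLE = ("2022-11-18T05:19:34.671356+00:00 LPSM-136 INFO: DirectorComponent=LPSM; "
          "pool; lists read; type=audit_log; user='admin'; "
          "source_address='10.94.128.39'; server_role=lpsm")

# Assumed layout, from the one sample: "<ISO-8601 time> <host> <LEVEL>: <body>"
HEADER = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<level>[A-Z]+):\s*(?P<body>.*)$")


def parse_audit_line(line):
    """Split one audit line into header fields, key=value pairs and bare tokens.

    Returns None for lines that do not match the assumed layout, so a
    collector can count and inspect them instead of silently dropping them.
    """
    m = HEADER.match(line.strip().strip('"'))
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    fields, tokens = {}, []
    # Assumes values never contain ';' (true for the sample on this page).
    for part in m["body"].split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip("'")
        else:
            tokens.append(part)  # "pool", "lists read": kept verbatim, meaning not documented here
    return {"time": ts, "host": m["host"], "level": m["level"],
            "fields": fields, "tokens": tokens}


def audit_trail(record):
    """Return (when, who, from where, what) for one parsed record."""
    f = record["fields"]
    return (record["time"].isoformat(), f.get("user"), f.get("source_address"),
            " ".join(record["tokens"]))
```

Lines that return None are worth alerting on in their own right, since a format change or a truncated message would otherwise leave a gap in the audit trail.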
