Auditing and monitoring system changes in Security Analytics

Article ID: 212621

Products

Security Analytics, Security Analytics - VA

Issue/Introduction

As with any software system, monitoring logs and auditing changes is common practice for system administrators. Watching for admin-level changes, whether made through the GUI or from the command line, is standard procedure.

Resolution

Security Analytics records changes in a few places. Most changes are recorded in /var/log/messages; search the file for the keyword DEEPSEE to find them. These messages are easier to read, but they show only changes made at the application level. All file changes made by the appliance are recorded in /var/log/audit. The audit logs are extremely detailed but hard to read.
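One way to pull the DEEPSEE entries from /var/log/messages on the command line, as an added example that is not part of the original article or Broadcom's tooling. It assumes the traditional syslog "Mon DD HH:MM:SS" line prefix and that rotated copies may be gzip-compressed; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: review application-level change records (keyword DEEPSEE)
# in /var/log/messages and any rotated copies of it.

# Print every line containing DEEPSEE from the given files.
# Files ending in .gz are decompressed on the fly (assumed rotation style).
deepsee_lines() {
    for f in "$@"; do
        [ -r "$f" ] || continue          # skip missing or unreadable files
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done | grep -F -- 'DEEPSEE'          # fixed-string match on the keyword
}

# Count DEEPSEE lines per day. Assumes the traditional syslog prefix
# "Mon DD HH:MM:SS host ..." so that fields 1 and 2 are month and day.
deepsee_daily_counts() {
    deepsee_lines "$@" |
        awk '{ n[$1 " " $2]++ } END { for (d in n) print d, n[d] }' |
        sort
}

# Constructed sample input: host name and message text are invented and
# do not reproduce real Security Analytics log messages.
make_sample() {
    cat > "$1" <<'EOF'
Mar  3 09:14:02 sa-host DEEPSEE: constructed sample: setting changed by admin
Mar  3 09:15:40 sa-host kernel: constructed sample: unrelated line
Mar  3 11:02:17 sa-host DEEPSEE: constructed sample: user account modified
Mar  4 08:00:05 sa-host DEEPSEE: constructed sample: setting changed by admin
EOF
}

# On the appliance, with read access to the log:
#   deepsee_daily_counts /var/log/messages*
#   deepsee_lines /var/log/messages | tail -n 50
```

A day with an unusually high count is a reasonable starting point for a closer look at that day's entries in the GUI audit log.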

It is recommended to use the GUI to look at the audit logs.  You can access the audit logs by going to the 'Information' icon in the upper right corner and selecting Audit Log.  Details on how to manipulate the audit log can be found in the Security Analytics online documentation in the Logging and Communication section.

If you have any specific questions about messages in either the audit log or /var/log/messages, you can contact Broadcom technical support.