search cancel

Auditing and monitoring system changes in Security Analytics


Article ID: 212621


Updated On:


Security Analytics


As with any software system, the need to monitor logs and audit changes is a common practice for system administrators.  Watching for admin-level changes either through the GUI or from a command line is standard procedure.


There are a few sources for change logs in Security Analytics.  Most changes are recorded in /var/log/messages.  You can search for the keyword DEEPSEE in the file.  These messages are easier to read but only show the changes made at an application level. All file changes made by the appliance are recorded in /var/log/audit.  The audit logs are extremely detailed but hard to read.

It is recommended to use the GUI to look at the audit logs.  You can access the audit logs by going to the 'Information' icon in the upper right corner and selecting Audit Log.  Details on how to manipulate the audit log can be found in the Security Analytics online documentation in the Logging and Communication section.

If you have any specific questions about messages in either the audit log or /var/log/messages, you can contact technical support.

Additional Information

For information on how Security Analytics rotates the audit log, see this article: How the audit log rotates in Security Analytics