Audit Logs

Audit logs are records of security-relevant events and activities that occur within Logpoint. Logpoint generates audit logs for the event categories listed below, and only authorized users can view them.

User management
  • Audit logs are generated when you add, edit, or delete users, user groups, and permissions.

  • Sample query to view the logs:

-label=LPSearch label=Logpoint label=User or (label=User label=Management) object=*
| latest by object, action | fields log_ts, user, object, type, action, source_address
[Screenshot: User Management Audit Logs]

Identification and authentication
  • Audit logs are generated for login attempts, login success, login failures, and user lock/unlock.

  • Sample query to view the logs:

-label=LPSearch label=Logpoint label=Authentication user=*
| fields log_ts, user, object, type, action, source_address
[Screenshot: Identification and Authentication Audit Logs]
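The authentication records above are what an analyst would correlate to spot password guessing against the Logpoint console itself. The following is an added example (not code from the Logpoint documentation or product) of that detection logic run over constructed events. It reuses the field names the page's query returns (log_ts, user, object, type, action, source_address) plus a labels set mirroring the label= filter; the event shape, the label strings and the action values "failure", "success" and "lock" are assumptions for illustration, as are the sample events and the five-failures-in-ten-minutes threshold.

```python
"""Password-guessing detection over Logpoint-style authentication audit events.

Added example, not part of Logpoint. The event layout and the action values
are assumptions; in the product the fields come from normalized audit logs
and are queried with Logpoint's own search language.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, action, src, labels=("Logpoint", "Authentication")):
    """Build one constructed audit event using the page's field names."""
    return {"log_ts": ts, "user": user, "object": "User", "type": "Login",
            "action": action, "source_address": src, "labels": set(labels)}


# Constructed sample events (not real Logpoint output). Four sources:
#   203.0.113.5  five failures in 90 s, then a success  -> likely compromise
#   198.51.100.7 one typo, then a success              -> benign
#   192.0.2.9    five failures, then the account locks -> attack blocked
#   192.0.2.33   five failures spread over two hours    -> below rate threshold
SAMPLE_EVENTS = [
    ev("2024-05-01T08:00:00", "admin", "failure", "203.0.113.5"),
    ev("2024-05-01T08:00:20", "admin", "failure", "203.0.113.5"),
    ev("2024-05-01T08:00:45", "admin", "failure", "203.0.113.5"),
    ev("2024-05-01T08:01:05", "admin", "failure", "203.0.113.5"),
    ev("2024-05-01T08:01:30", "admin", "failure", "203.0.113.5"),
    ev("2024-05-01T08:02:10", "admin", "success", "203.0.113.5"),
    # a user-management event from the same source; the label filter drops it
    ev("2024-05-01T08:03:00", "admin", "add", "203.0.113.5",
       labels=("Logpoint", "User", "Management")),
    ev("2024-05-01T09:00:00", "alice", "failure", "198.51.100.7"),
    ev("2024-05-01T09:00:30", "alice", "success", "198.51.100.7"),
    ev("2024-05-01T10:00:00", "bob", "failure", "192.0.2.9"),
    ev("2024-05-01T10:00:30", "bob", "failure", "192.0.2.9"),
    ev("2024-05-01T10:01:00", "bob", "failure", "192.0.2.9"),
    ev("2024-05-01T10:01:30", "bob", "failure", "192.0.2.9"),
    ev("2024-05-01T10:02:00", "bob", "failure", "192.0.2.9"),
    ev("2024-05-01T10:02:05", "bob", "lock", "192.0.2.9"),
    ev("2024-05-01T11:00:00", "carol", "failure", "192.0.2.33"),
    ev("2024-05-01T11:30:00", "carol", "failure", "192.0.2.33"),
    ev("2024-05-01T12:00:00", "carol", "failure", "192.0.2.33"),
    ev("2024-05-01T12:30:00", "carol", "failure", "192.0.2.33"),
    ev("2024-05-01T13:00:00", "carol", "failure", "192.0.2.33"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def authentication_events(events):
    """Equivalent of the page's `label=Authentication user=*` filter."""
    return [e for e in events if "Authentication" in e["labels"] and e.get("user")]


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source_address that produced `threshold` login failures
    within `window`, and report what followed the burst from that source:
    "success" (the guessing worked), "lock" (the account was locked) or
    "none" (nothing conclusive yet). One alert per source."""
    by_src = defaultdict(list)
    for e in sorted(authentication_events(events), key=lambda e: parse_ts(e["log_ts"])):
        by_src[e["source_address"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [parse_ts(e["log_ts"]) for e in evs if e["action"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            start, end = fails[i], fails[i + threshold - 1]
            if end - start > window:
                continue  # burst too slow; check the next window
            outcomes = {e["action"] for e in evs
                        if e["action"] in ("success", "lock")
                        and end <= parse_ts(e["log_ts"]) <= end + window}
            outcome = "success" if "success" in outcomes else "lock" if "lock" in outcomes else "none"
            alerts.append({"source_address": src, "users": sorted({e["user"] for e in evs}),
                           "first_failure": start.isoformat(), "outcome": outcome})
            break
    return alerts


if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_EVENTS):
        print(a)
```

The source that succeeded after a burst of failures is the one to act on first: a lockout means the control worked, whereas a success from the same address that just failed five times is a probable account compromise of the SIEM itself. In Logpoint the same pivot is the `source_address` field the page's query already selects.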

User actions

  • Audit logs are generated when you add, edit, or delete Knowledge Base items; Configuration items (Device, Device Group, Log Collection Policies, Repos, Distributed Logpoint); Searches, Reports, Dashboards, and Incident Management items; and when you configure the UEBA Board.

  • Sample query to view the logs:

-label=LPSearch label=Logpoint
label=Configuration (label=Change or label=Add or label=Delete or label=Install or label=Mount)
| chart count() by log_ts, user, type, object, action
[Screenshot: User Configuration Actions Audit Logs]

Inter-TSF trusted channel

  • Audit logs are generated when an attempt is made to connect to or disconnect from another Logpoint instance (for example a Distributed Logpoint), whether or not the attempt succeeds.

  • Sample query to view the logs:

-label=LPSearch label=Logpoint (label=Remote label=Connection) OR
(label=DLP (label=Connect OR label=Disconnect OR label=Initialize))
| chart count() by log_ts, type, object, user, action
[Screenshot: Inter-TSF Trusted Channel Audit Logs]

System

  • Audit logs are generated when disk usage exceeds the predefined limit. The limit that triggers a notification is 90% by default and is user-configurable. These logs are generated once every hour, so usage that stays above the limit produces one record per hour.

  • Sample query to view the logs:

label=Logpoint label=Harddisk use=* | rename use as PercentageUsed
| fields log_ts, object, total, PercentageUsed
[Screenshot: Disk Usage Audit Logs]

Selectable Audit Logs

To sort event data, follow these steps:

  1. After logging in, click Search from the top horizontal menu.

  2. Enter a valid query in the search query bar.

  3. Click the column header of the results table to sort the logs.
