Send audit log data to a remote syslog server
The ExtraHop appliance audit log provides 90 days of lookback data about the operations of the system, broken down by component. You can view the audit log entries in the Admin UI or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the Audit log events table below.
The following steps show you how to configure the ExtraHop appliance to send audit log data to a remote syslog server.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes by saving the Running Config file.
Audit log events
The following events on an ExtraHop appliance generate an entry in the audit log.
Category | Event |
---|---|
Login from Web UI or Admin UI | |
Login from SSH or REST API | |
Running Config | The running configuration file changes |
Support Pack | |
System and service status | |
Network | |
Browser sessions | |
Support account | |
System time | |
Firmware | |
License | |
Command appliance | |
Agreements | A EULA or POC agreement is agreed to |
SSL decryption | An SSL decryption key is saved |
Appliance user | |
API | |
Triggers | |
Dashboards | |
Trends | A trend is reset |
PCAP | A packet capture (PCAP) is downloaded |
RPCAP | |
Syslog | Remote syslog settings are updated |
Support account | |
Atlas | |
Datastore | |
Offline capture | An offline capture is loaded |
Exception files | An exception file is deleted |
Explore cluster | |
Explore appliance records | All Explore appliance records are deleted |
Trace appliance | |
Trace appliance packetstore | A Trace appliance packetstore is reset |