The ExtraHop appliance audit log provides 90 days of lookback data about the operations of the system, broken down by component. You can view the audit log entries in the Admin UI or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the Audit log events table below.
The following steps show you how to configure the ExtraHop appliance to send audit log data to a remote syslog server.
- Log into the Admin UI on the ExtraHop appliance.
- In the Status and Diagnostics section, click Audit Log.
- Click Configure Syslog Settings.
- In the Destination field, type the IP address of the remote syslog server.
- From the Protocol drop-down menu, select TCP or UDP. This option specifies the protocol over which the information is sent to your remote syslog server.
- In the Port field, type the port number for your remote syslog server. By default, this value is set to 514.
- Click Test Settings to verify that your syslog settings are correct. If the settings are correct, you should see an entry in the syslog log file on the syslog server similar to the following:
  Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
- Click Save.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes by saving the Running Config file.
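A small parser for the audit-log lines that arrive on the syslog server, useful for confirming on the receiving side that Test Settings produced the entry shown above and for counting what the appliance sends afterwards. This is an added example, not ExtraHop code; it assumes only the line shape the page shows (BSD syslog timestamp, sending host, then space-separated key="value" or key=value pairs). The sample log is constructed: the first line is the page's test entry, and the other event names are hypothetical placeholders, since the page does not show the exact name strings the appliance uses for the events in the table.

```python
import re
from collections import Counter

# Line shape the appliance emits, per the page:
#   Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
# <Mon DD HH:MM:SS> <host> <key=value pairs, values optionally double-quoted>
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)
# key="quoted value"  or  key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log: line 1 is the page's test entry; the remaining
# event names are hypothetical, chosen to mirror categories in the audit log table.
SAMPLE_LOG = """\
Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
Jul 27 21:55:10 extrahop name="Syslog settings updated" event_id=2
Jul 27 21:57:02 extrahop name="SSL decryption key saved" event_id=3
some unrelated line without a syslog prefix
"""


def parse_audit_line(line):
    """Parse one audit-log syslog line into a dict, or return None if it
    does not match the expected syslog prefix."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group("body")):
        # group 2 is the quoted value, group 3 the bare value
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    raw_id = fields.get("event_id")
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "fields": fields,
        "event_id": int(raw_id) if raw_id is not None and raw_id.isdigit() else None,
    }


def is_test_entry(entry):
    """True for the entry that Test Settings writes (name="ExtraHop Test")."""
    return entry is not None and entry["fields"].get("name") == "ExtraHop Test"


def verify_receipt(lines):
    """Summarise a batch of received lines: whether the test entry was seen,
    which hosts sent entries, how many entries of each name, and how many
    lines did not parse (useful for spotting mis-routed or garbled input)."""
    test_seen = False
    hosts = set()
    by_name = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_audit_line(line)
        if entry is None:
            unparsed += 1
            continue
        hosts.add(entry["host"])
        by_name[entry["fields"].get("name", "<unnamed>")] += 1
        if is_test_entry(entry):
            test_seen = True
    return {
        "test_seen": test_seen,
        "hosts": sorted(hosts),
        "by_name": dict(by_name),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(verify_receipt(SAMPLE_LOG.splitlines()))
```

Pointing `verify_receipt` at the syslog server's log file (or at the lines a collector hands you) gives a quick receipt check: `test_seen` should flip to True once Test Settings has been clicked, `hosts` should contain only the appliance hostname you expect, and a non-zero `unparsed` count is a prompt to look at what else is landing in that file.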
The following events on an ExtraHop appliance generate an entry in the audit log.
| Category | Event |
|---|---|
| Login from Web UI or Admin UI | |
| Login from SSH or REST API | |
| Running Config | The running configuration file changes |
| System and service status | |
| Agreements | A EULA or POC agreement is agreed to |
| SSL decryption | An SSL decryption key is saved |
| SSL session keys | A PCAP session key is downloaded |
| Trends | A trend is reset |
| PCAP | A packet capture (PCAP) is downloaded |
| Syslog | Remote syslog settings are updated |
| Offline capture | An offline capture is loaded |
| Exception files | An exception file is deleted |
| Explore appliance records | All Explore appliance records are deleted |
| Trace appliance packetstore | A Trace appliance packetstore is reset |