Send audit log data to a remote syslog server
The ExtraHop appliance audit log provides 90 days of lookback data about the operations of the system, broken down by component. You can view the audit log entries in the Admin UI or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the Audit log events table below.
The following steps show you how to configure the ExtraHop appliance to send audit log data to a remote syslog server.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes by saving the Running Config file.
Audit log events
The following events on an ExtraHop appliance generate an entry in the audit log.
Category | Event |
---|---|
Agreements | |
API | |
Appliance Migration | |
Appliance user | |
Atlas | |
Browser sessions | |
Command appliance | |
Dashboards | |
Datastore | |
Detections | |
Exception files | |
Explore appliance records | |
Explore cluster | |
ExtraHop Update Service | |
Firmware | |
License | |
Login from Web UI or Admin UI | |
Login from SSH or REST API | |
Network | |
Offline capture | |
PCAP | |
RPCAP | |
Running Config | |
SAML Identity Provider | |
SAML login | |
SSL decryption | |
SSL session keys | |
Support account | |
Support Script | |
Syslog | |
System and service status | |
System time | |
Trace appliance | |
Trace appliance packetstore | |
Trends | |
Triggers | |