Send audit log data to a remote syslog server

The ExtraHop system audit log provides 90 days of lookback data about the operations of the system, broken down by component. You can view the audit log entries in the Admin UI or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the Audit log events table below.

The following steps show you how to configure the ExtraHop system to send audit log data to a remote syslog server.

  1. Log in to the Administration page on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the Status and Diagnostics section, click Audit Log.
  3. Click Configure Syslog Settings.
  4. In the Destination field, type the IP address of the remote syslog server.
  5. From the Protocol drop-down menu, select TCP or UDP. This option specifies the protocol over which the information is sent to your remote syslog server.
  6. In the Port field, type the port number for your remote syslog server. By default, this value is set to 514.
  7. Click Test Settings to verify that your syslog settings are correct. If the settings are correct, you should see an entry in the syslog log file on the syslog server similar to the following:
    Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
  8. Click Save.
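To confirm step 7 without reading the syslog file by eye, the following parser handles the line layout the test entry uses (BSD-style timestamp, hostname, then key=value fields with quoted values) and picks out the test message. This is an added example, not ExtraHop's code; the two extra sample lines are constructed, and because the page does not list the fields that real audit events carry, the parser assumes only the key=value layout shown in the test entry.

```python
import re

# Matches the layout of the test entry in step 7:
#   Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
# i.e. BSD-style timestamp, hostname, then space-separated key=value fields.
_HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$')
# One key=value field: a double-quoted value (backslash-escaped quotes allowed,
# so a quote inside a name does not split the field) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Parse one line into {'timestamp', 'host', 'fields'}; None if it does not
    match the layout, so unrelated lines in the syslog file never raise."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in _KV_RE.findall(m.group('body')):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape
        fields[key] = raw
    return {'timestamp': m.group('ts'), 'host': m.group('host'), 'fields': fields}


def is_test_entry(entry):
    """True for the entry that Test Settings (step 7) sends."""
    return (entry is not None
            and entry['fields'].get('name') == 'ExtraHop Test'
            and entry['fields'].get('event_id') == '1')


def find_test_entries(lines):
    """Parsed entries among LINES that are the step-7 test message."""
    return [e for e in map(parse_audit_line, lines) if is_test_entry(e)]


# Constructed sample input (not captured from a real appliance): the test
# line from the page plus two made-up lines in the same key=value layout.
SAMPLE_LINES = [
    'Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1',
    'Jul 27 21:55:10 extrahop name="Hypothetical Event" event_id=42',
    'this line is not an audit entry',
]

if __name__ == '__main__':
    for e in find_test_entries(SAMPLE_LINES):
        print(f"test entry received from {e['host']} at {e['timestamp']}")
```

Point `SAMPLE_LINES` at the lines of your syslog server's log file and an empty result means the test message never arrived, so the destination, port or protocol in steps 4 to 6 needs another look.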

Next steps

After you confirm that your new settings are working as expected, preserve your configuration changes by saving the Running Config file.

Audit log events

The following events on an ExtraHop system generate an entry in the audit log. Each category heading is followed by the events in that category.
  • A EULA or POC agreement is agreed to
  • An API key is created
  • An API key is deleted
Appliance Migration
  • An appliance migration is started
  • An appliance migration succeeded
  • An appliance migration failed
System user
  • A user is added
  • User metadata is edited
  • A user is deleted
  • A user password is set
  • A user other than the setup user attempts to modify the password of another user
  • A user password is updated
Browser sessions
  • A specific browser session is deleted
  • All browser sessions are deleted
Command appliance
  • A Discover appliance connects to a Command appliance
  • A Discover appliance disconnects from a Command appliance
  • An Explore or Trace appliance establishes a tunneled connection to a Command appliance
  • Command appliance information is set
  • A Command nickname is set
  • Enable or disable a Discover appliance
  • The Discover appliance Web UI is remotely viewed
  • A license for a Discover appliance is checked by a Command appliance
  • A license for a Discover appliance is set by a Command appliance
  • A dashboard is created
  • A dashboard is renamed
  • A dashboard is deleted
  • A dashboard permalink, also known as a short code, is modified
  • Dashboard sharing options are modified
  • The extended datastore configuration is modified
  • The datastore is reset
  • A datastore reset completed
  • Customizations are saved
  • Customizations are restored
  • Customizations are deleted
  • A detection is acknowledged
  • A detection acknowledgement is reset
  • A detection rule is added
  • A detection rule description is updated
  • A detection rule is enabled
  • A detection rule is disabled
  • A detection rule is extended
Remote Access
  • Remote access for ExtraHop Support Team is enabled
  • Remote access for ExtraHop Support Team is disabled
  • Remote access for ExtraHop Atlas Analysts is enabled
  • Remote access for ExtraHop Atlas Analysts is disabled
  • Remote access for ExtraHop Support is enabled
  • Remote access for ExtraHop Support is disabled
Exception files
  • An exception file is deleted
Explore appliance records
  • All Explore appliance records are deleted
Explore cluster
  • A new Explore node is initialized
  • A node is added to an Explore cluster
  • A node is removed from an Explore cluster
  • A node joins an Explore cluster
  • A node leaves an Explore cluster
  • A Discover or Command appliance is paired to an Explore appliance
  • A Discover or Command appliance is unpaired from an Explore appliance
  • An Explore node is removed or missing, but not through a supported interface
ExtraHop Update Service
  • A detection category is updated
  • A detection definition is updated
  • A detection trigger is updated
  • A ransomware definition is updated
  • Detection metadata is updated
  • Expanded detection content is updated
  • Firmware is upgraded
  • Archived firmware is deleted
  • A new static license is applied
  • License server connectivity is tested
  • A product key is registered with the license server
  • A new license is applied
Login from Web UI or Admin UI
  • A login succeeds
  • A login fails
Login from SSH or REST API
  • A login succeeds
  • A login fails
  • A network interface configuration is edited
  • The hostname or DNS setting is changed
  • A network interface route is changed
Offline capture
  • An offline capture file is loaded
  • A packet capture (PCAP) file is downloaded
  • An RPCAP configuration is added
  • An RPCAP configuration is deleted
Running Config
  • The running configuration file changes
SAML Identity Provider
  • An identity provider is added
  • An identity provider is modified
  • An identity provider is deleted
SAML login
  • A login succeeds
  • A login fails
SSL decryption
  • An SSL decryption key is saved
SSL session keys
  • A PCAP session key is downloaded
Support account
  • The support account is disabled
  • The support account is enabled
  • The support SSH key is regenerated
Support Script
  • A default support script is running
  • A past support script result is deleted
  • A support script is uploaded
  • Remote syslog settings are updated
System and service status
  • The system starts up
  • The system shuts down
  • The system is restarted
  • The bridge, capture, or portal process is restarted
  • A system service is enabled (such as SNMP, web shell, management, SSH)
  • A system service is disabled (such as SNMP, web shell, management, SSH)
System time
  • The system time is set
  • The system time is changed
  • The system time is set backwards
  • NTP servers are set
  • The time zone is set
  • A manual NTP synchronization is requested
Trace appliance
  • A new Trace appliance is initialized
  • A Discover or Command appliance is connected to a Trace appliance
  • A Discover or Command appliance is disconnected from a Trace appliance
Trace appliance packetstore
  • A Trace appliance packetstore is reset
  • A trend is reset
  • A trigger is added
  • A trigger is edited
  • A trigger is deleted
User Groups
  • A local user group is created
  • A local user group is deleted
  • A local user group is enabled
  • A local user group is disabled
Published 2022-09-22