Send audit log data to a remote syslog server
The audit log collects data about ExtraHop system operations, broken down by component. The log stored on the system has a capacity of 10,000 entries, and entries older than 90 days are automatically removed. You can view these entries in the Administration settings, or you can send the audit log events to a syslog server for long-term storage, monitoring, and advanced analysis. All logged events are listed in the table below.
The following steps show you how to configure the ExtraHop system to send audit log data to a remote syslog server.
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes by saving the Running Config file.Audit log events
The following events on an ExtraHop system generate an entry in the audit log.
Category | Event |
---|---|
Agreements |
|
API |
|
Sensor Migration |
|
Browser sessions |
|
Cloud Services |
|
Console |
|
Dashboards |
|
Datastore |
|
Detections |
|
Exception files |
|
ExtraHop recordstore records |
|
ExtraHop recordstore cluster |
|
ExtraHop Update Service |
|
Firmware |
|
Global Policies |
|
License |
|
Login to the ExtraHop system |
|
Login from SSH or REST API |
|
Network |
|
Offline capture |
|
PCAP |
|
Remote Access |
|
RPCAP |
|
Running Config |
|
SAML Identity Provider |
|
SAML login |
|
SAML privileges |
|
SSL decryption |
|
SSL session keys |
|
Support account |
|
Support Script |
|
Syslog |
|
System and service status |
|
System time |
|
System user |
|
Threat briefings |
|
ExtraHop packetstore |
|
Trends |
|
Triggers |
|
User Groups |
|
Thank you for your feedback. Can we contact you to ask follow up questions?