Auditing the System

The following topics describe how to audit activity on your system:

The System Log

The System Log (syslog) page provides you with system log information for the appliance.

You can audit activity on your system in two ways. The appliances that are part of the Firepower System generate an audit record for each user interaction with the web interface, and also record system status messages in the system log.

The system log displays each message generated by the system. The following items are listed in order:

  • the date that the message was generated

  • the time that the message was generated

  • the host that generated the message

  • the message itself

Viewing the System Log

System log information is local. For example, you cannot use the Firepower Management Center to view system status messages in the system logs on your managed devices.

You can filter messages using most syntax accepted by the UNIX file search utility Grep. This includes using Grep-compatible regular expressions for pattern matching.

Before you begin

You must be an Admin or Maintenace user and be in the Global domain to view system statistics.

Procedure


Step 1

Choose System > Monitoring > Syslog.

Step 2

To search for specific message content in the system log:

  1. Enter a word or query in the filter field as described in Syntax for System Log Filters.

    Only Grep-compatible search syntax is supported.

    Examples:

    To search for all log entries that contain the user name “Admin,” use Admin.

    To search for all log entries that are generated on November 27, use Nov[[:space:]]*27 or Nov.*27 (but not Nov 27 or Nov*27 ).

    To search for all log entries that contain authorization debugging information on November 5, use Nov[[:space:]]*5.*AUTH.*DEBUG.

  2. To make your search case-sensitive, select Case-sensitive. (By default, filters are not case-sensitive.)

  3. To search for all system log messages that do not meet the criteria you entered, select Exclusion.

  4. Click Go.


Syntax for System Log Filters

The following table shows the regular expression syntax you can use in System Log filters:

Table 1. System Log Filter Syntax

Syntax Component

Description

Example

.

Matches any character or white space

Admi. matches Admin, AdmiN, Admi1, and Admi&

[[:alpha:]]

Matches any alphabetic character

[[:alpha:]]dmin matches Admin, bdmin, and Cdmin

[[:upper:]]

Matches any uppercase alphabetic character

[[:upper:]]dmin matches Admin, Bdmin, and Cdmin

[[:lower:]]

Matches any lowercase alphabetic character

[[:lower:]]dmin matches admin, bdmin, and cdmin

[[:digit:]]

Matches any numeric character

[[:digit:]]dmin matches 0dmin, 1dmin, and 2dmin

[[:alnum:]]

Matches any alphanumeric character

[[:alnum:]]dmin matches 1dmin, admin, 2dmin, and bdmin

[[:space:]]

Matches any white space, including tabs

Feb[[:space:]]29 matches logs from February 29th

*

Matches zero or more instances of the character or expression it follows

ab* matches a, ab, abb, ca, cab, and cabb

[ab]* matches anything

?

Matches zero or one instances

ab? matches a or ab

\

Allows you to search for a character typically interpreted as regular expression syntax

alert\? matches alert?

About System Auditing

The appliances that are part of the Firepower System generate an audit record for each user interaction with the web interface.

Audit Records

Firepower Management Centers log read-only auditing information for user activity. Audit logs are presented in a standard event view that allows you to view, sort, and filter audit log messages based on any item in the audit view. You can easily delete and report on audit information and can view detailed reports of the changes that users make.

The audit log stores a maximum of 100,000 entries. When the number of audit log entries exceeds 100,000, the appliance prunes the oldest records from the database to reduce the number to 100,000.

Viewing Audit Records

On a Firepower Management Center, you can view a table of audit records. The predefined audit workflow includes a single table view of events. You can manipulate the table view depending on the information you are looking for. You can also create a custom workflow that displays only the information that matches your specific needs.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Before you begin

You must be an Admin user to perform this procedure.

Procedure

Step 1

Access the audit log workflow using System > Monitoring > Audit.

Step 2

If no events appear, you may need to adjust the time range. For more information, see Event Time Constraints.

Note

 

Events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.

Step 3

You have the following choices:

  • To learn more about the contents of the columns in the table, see The System Log.
  • To sort and constrain events on the current workflow page, see Using Table View Pages.
  • To navigate between pages in the current workflow, keeping the current constraints, click the appropriate page link at the top left of the workflow page. For more information, see Using Workflows.
  • To drill down to the next page in the workflow, see Using Drill-Down Pages.
  • To constrain on a specific value, click a value within a row. If you click a value on a drill-down page, you move to the next page and constrain on the value. Note that clicking a value within a row in a table view constrains the table view and does not drill down to the next page. See Event View Constraints for more information.

    Tip

     

    Table views always include “Table View” in the page name.

  • To delete audit records, check the check boxes next to events you want to delete, then click Delete, or click Delete All to delete all events in the current constrained view.
  • To bookmark the current page so you can quickly return to it, click Bookmark This Page. For more information, see Bookmarks.
  • To navigate to the bookmark management page, click View Bookmarks. For more information, see Bookmarks.
  • To generate a report based on the data in the current view, click Report Designer. For more information, see Creating a Report Template from an Event View.
  • To view a summary of a change recorded in the audit log, click Compare next to applicable events in the Message column. For more information, see Using the Audit Log to Examine Changes.

Audit Log Workflow Fields

The following table describes the audit log fields that can be viewed and searched.

Table 2. Audit Log Fields

Field

Description

Time

Time and date that the appliance generated the audit record.

User

User name of the user that triggered the audit event.

Subsystem

The full menu path the user followed to generate the audit record. For example, System > Monitoring > Audit is the menu path to view the audit log.

In a few cases where a menu path is not relevant, the Subsystem field displays only the event type. For example, Login classifies user login attempts.

Message

The action the user performed or the button the user clicked on the page.

For example, Page View signifies that the user simply viewed the page indicated in the Subsystem, while Save means that the user clicked the Save button on the page.

Changes made to the Firepower System appear with a Compare icon that you can click to see a summary of the changes.

Source IP

IP address associated with the host used by the user.

Note: When searching this field you must type a specific IP address; you cannot use IP ranges when searching audit logs.

Domain

The current domain of the user when the audit event was triggered. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Configuration Change

(search only)

Specifies whether to view audit records of configuration changes in the search results. (yes or no)

Count

The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. This field is not searchable.

The Audit Events Table View

You can change the layout of the event view or constrain the events in the view by a field value. When disabling columns, after you click the Close (close icon) in the column heading that you want to hide, in the pop-up window that appears, click Apply. When you disable a column, it is disabled for the duration of your session (unless you add it back later). Note that when you disable the first column, the Count column is added.

To hide or show other columns, or to add a disabled column back to the view, select or clear the appropriate check boxes before you click Apply.

Clicking a value within a row in a table view constrains the table view and does not drill down to the next page in the workflow.


Tip


Table views always include “Table View” in the page name.


Using the Audit Log to Examine Changes

You can use the audit log to view detailed reports of some of the changes to your system. These reports compare the current configuration of your system to its most recent configuration before a supported change was made.

The Compare Configurations page displays the differences between the system configuration before changes and the running configuration in a side-by-side format. The audit event type, time of last modification, and name of the user who made the change are displayed in the title bar above each configuration.

Differences between the two configurations are highlighted:

  • Blue indicates that the highlighted setting is different in the two configurations, and the difference is noted in red text.

  • Green indicates that the highlighted setting appears in one configuration but not the other.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Before you begin

You must be an Admin user to perform this procedure.

Procedure

Step 1

Choose System > Monitoring > Audit.

Step 2

Click Compare next to an applicable audit log event in the Message column.

Tip

 

You can navigate through changes individually by clicking Previous or Next above the title bar. If the change summary is more than one page long, you can also use the scroll bar on the right to view additional changes.


Suppressing Audit Records

If your auditing policy does not require that you audit specific types of user interactions with the Firepower System, you can prevent those interactions from generating audit records. For example, by default, each time a user views the online help, the Firepower System generates an audit record. If you do not need to keep a record of these interactions, you can automatically suppress them.

To configure audit event suppression, you must have access to an appliance’s admin user account, and you must be able to either access the appliance’s console or open a secure shell.


Caution


Make sure that only authorized personnel have access to the appliance and to its admin account.


Before you begin

You must be an Admin user to perform this procedure.

Procedure

In the /etc/sf directory, create one or more AuditBlock files in the following form, where type is one of the types described in Audit Block Types:

AuditBlock.type

Note

 

If you create an AuditBlock.type file for a specific type of audit message, but later decide that you no longer want to suppress them, you must delete the contents of the AuditBlock.type file but leave the file itself on the Firepower System.


Audit Block Types

The contents for each audit block type must be in a specific format, as described in the following table. Make sure you use the correct capitalization for the file names. Note also that the contents of the files are case sensitive.

Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be suppressed.

Table 3. Audit Block Types

Type

Description

Address

Create a file named AuditBlock.address and include, one per line, each IP address that you want to suppress from the audit log. You can use partial IP addresses provided that they map from the beginning of the address. For example, the partial address 10.1.1 matches addresses from 10.1.1.0 through 10.1.1.255.

Message

Create a file named AuditBlock.message and include, one per line, the message substrings that you want to suppress.

Note that substrings are matched so that if you include backup in your file, all messages that include the word backup are suppressed.

Subsystem

Create a file named AuditBlock.subsystem and include, one per line, each subsystem that you want to suppress.

Note that substrings are not matched. You must use exact strings. See Audited Subsystems for a list of subsystems that are audited.

User

Create a file named AuditBlock.user and include, one per line, each user account that you want to suppress. You can use partial string matching provided that they map from the beginning of the username. For example, the partial username IPSAnalyst matches the user names IPSAnalyst1 and IPSAnalyst2.

Audited Subsystems

The following table lists audited subsystems.

Table 4. Subsystem Names

Name

Includes user interactions with...

Admin

Administrative features such as system and access configuration, time synchronization, backup and restore, device management, user account management, and scheduling

Alerting

Alerting functions such as email, SNMP, and syslog alerting

Audit Log

Audit event views

Audit Log Search

Audit event searches

Command Line

Command line interface

Configuration

Email alerting

contextual cross-launch

External resources added to the system or accessed from dashboards and event views

COOP

Continuity of operations feature

Date

Date and time range for event views

Default Subsystem

Options that do not have assigned subsystems

Detection & Prevention Policy

Menu options for intrusion policies

Error

System-level errors

eStreamer

eStreamer configuration

EULA

Reviewing the end user license agreement

Events

Intrusion and discovery event views

Events Clipboard

Intrusion event clipboard

Events Reviewed

Reviewed intrusion events

Events Search

Any event search

Failed to install rule update rule_update_id

Installing rule updates

Header

Initial presentation of the user interface after a user logs in

Health

Health monitoring

Health Events

Health monitoring event views

Help

Online help

High Availability

Establishing and managing Firepower Management Centers in high availability pairs

IDS Impact Flag

Impact flag configuration for intrusion events

IDS Policy

Intrusion policies

IDSRule sid:sig_id rev:rev_num

Intrusion rules by SID

Incidents

Intrusion incidents

Install

Installing updates

Intrusion Events

Intrusion events

Login

Web interface login and logout functions

Logout

Web interface logout functions

Menu

Any menu option

Configuration export > config_type > config_name

Importing configurations of a specific type and name

Permission Escalation

User role escalation

Preferences

User preferences, such as the time zone for a user account and individual event preferences

Policy

Any policy, including intrusion policies

Register

Registering devices on a FMC

RemoteStorageDevice

Configuring remote storage devices

Reports

Report listing and report designer features

Rules

Intrusion rules, including the intrusion rules editor and the rule importation process

Rule Update Import Log

Viewing the rule update import log

Rule Update Install

Installing rule updates

Session Expiration

Web interface session timeouts

Status

Syslog, as well as host and performance statistics

System

Various system-wide settings

Task Queue

Viewing background process status

Users

Creating and modifying user accounts and roles