Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 56      Auditing the System
  Managing Audit Records
56-5
Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be suppressed.
The following table lists audited subsystems.
Table 56-2  Audit Block Types

Type        Description

Address     Create a file named AuditBlock.address and include, one per line, each IP
            address that you want to suppress from the audit log. You can use partial
            IP addresses provided that they map from the beginning of the address. For
            example, the partial address 10.1.1 matches addresses from 10.1.1.0 through
            10.1.1.255.

Message     Create a file named AuditBlock.message and include, one per line, the message
            substrings that you want to suppress. Note that substrings are matched, so
            that if you include backup in your file, all messages that include the word
            backup are suppressed.

Subsystem   Create a file named AuditBlock.subsystem and include, one per line, each
            subsystem that you want to suppress. Note that substrings are not matched;
            you must use exact strings. See the Subsystem Names table (Table 56-3) for a
            list of subsystems that are audited.

User        Create a file named AuditBlock.user and include, one per line, each user
            account that you want to suppress. You can use partial string matching
            provided that the partial string maps from the beginning of the username.
            For example, the partial username IPSAnalyst matches the user names
            IPSAnalyst1 and IPSAnalyst2.
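The four AuditBlock file types use four different matching rules (octet-prefix for addresses, substring for messages, exact string for subsystems, leading-string prefix for users), and the filter-change record itself is exempt. The following model of those rules is an added example written for this page; it is not Cisco's implementation, the AuditRecord fields and all sample records and file contents are constructed, and it assumes that the address rule compares whole octets (so that 10.1.1 covers 10.1.1.0 through 10.1.1.255, as the table states, but not 10.1.10.x), which the page does not spell out.

```python
"""Model of AuditBlock suppression semantics (added example, not Cisco code).

Each AuditBlock.<type> file holds one pattern per line. Matching follows
Table 56-2:
  address   - partial address matched on whole leading octets (assumption)
  message   - substring match
  subsystem - exact string match
  user      - prefix match on the username
The "Audit Filter type Changed" record from the Audit subsystem is never
suppressed, whatever the files contain.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class AuditRecord:
    """Constructed record shape; field names are assumptions for this example."""
    address: str
    user: str
    subsystem: str
    message: str


def parse_block_file(text: str) -> List[str]:
    """One pattern per line; blank lines are ignored and whitespace trimmed."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def address_matches(pattern: str, address: str) -> bool:
    """True when the pattern's octets equal the leading octets of the address.

    Comparing octets rather than raw characters keeps '10.1.1' from also
    covering 10.1.10.0/24 or 10.1.100.0/24 (octet-level matching is assumed).
    """
    pat, addr = pattern.split("."), address.split(".")
    return len(pat) <= len(addr) and addr[: len(pat)] == pat


class AuditBlockFilter:
    """Holds the contents of the four AuditBlock files and applies them."""

    def __init__(self, address: str = "", message: str = "",
                 subsystem: str = "", user: str = ""):
        self.addresses = parse_block_file(address)
        self.messages = parse_block_file(message)
        self.subsystems = parse_block_file(subsystem)
        self.users = parse_block_file(user)

    def is_suppressed(self, rec: AuditRecord) -> bool:
        # The record announcing a filter change can never be suppressed.
        if rec.subsystem == "Audit" and rec.message == "Audit Filter type Changed":
            return False
        if any(address_matches(p, rec.address) for p in self.addresses):
            return True
        if any(p in rec.message for p in self.messages):      # substring
            return True
        if rec.subsystem in self.subsystems:                   # exact string
            return True
        if any(rec.user.startswith(p) for p in self.users):    # username prefix
            return True
        return False

    def apply(self, records: List[AuditRecord]) -> List[AuditRecord]:
        """Return only the records that would still reach the audit log."""
        return [r for r in records if not self.is_suppressed(r)]


# Constructed file contents, one entry per file, mirroring the table's examples.
FILTER = AuditBlockFilter(
    address="10.1.1\n",
    message="backup\n",
    subsystem="Audit Log Search\n",
    user="IPSAnalyst\n",
)

# Constructed sample records; each comment states the expected outcome.
SAMPLE_RECORDS = [
    AuditRecord("10.1.1.25", "admin", "Admin", "Page View"),           # dropped: address
    AuditRecord("10.1.10.7", "admin", "Admin", "Page View"),           # kept: 10.1.10 is not under 10.1.1
    AuditRecord("192.0.2.5", "admin", "Admin", "Scheduled backup started"),  # dropped: substring
    AuditRecord("192.0.2.5", "admin", "Audit Log Search", "Page View"),  # dropped: exact subsystem
    AuditRecord("192.0.2.5", "admin", "Audit Log", "Page View"),       # kept: not an exact match
    AuditRecord("192.0.2.5", "IPSAnalyst2", "Events", "Page View"),    # dropped: user prefix
    AuditRecord("10.1.1.3", "admin", "Audit", "Audit Filter type Changed"),  # kept: exempt
]


def kept_records(filt: AuditBlockFilter = FILTER,
                 records: List[AuditRecord] = SAMPLE_RECORDS) -> List[AuditRecord]:
    return filt.apply(records)


if __name__ == "__main__":
    for r in kept_records():
        print(f"{r.address:<12} {r.user:<12} {r.subsystem:<18} {r.message}")
```

Running the block prints the three records that survive the filter. The second sample record is the reason for the octet-level assumption: a character-level prefix test would silently suppress everything in 10.1.10.0/24 as well, which is wider than the range the table describes, so anyone relying on an address block should verify the appliance's actual matching against addresses like 10.1.10.x before trusting the audit trail.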
Table 56-3  Subsystem Names

Name                             Includes user interactions with...

Admin                            Administrative features such as system and access
                                 configuration, time synchronization, backup and restore,
                                 device management, user account management, and scheduling
Alerting                         Alerting functions such as email, SNMP, and syslog alerting
Audit Log                        Audit event views
Audit Log Search                 Audit event searches
Command Line                     Command line interface
Configuration                    Email alerting
COOP                             Continuity of operations feature
Date                             Date and time range for event views
Default Subsystem                Options that do not have assigned subsystems
Detection & Prevention Policy    Menu options for intrusion policies
Error                            System-level errors
eStreamer                        eStreamer configuration
EULA                             Reviewing the end user license agreement
Events                           Intrusion and discovery event views