Cisco Cisco FirePOWER Appliance 8390
56-7
FireSIGHT System User Guide
Chapter 56 Auditing the System
Managing Audit Records
Understanding the Audit Log Table
License: Any
Each appliance generates an audit event for each user interaction with the web interface. Each event
includes a time stamp, the user name of the user whose action generated the event, a source IP, and text
describing the event. The fields in the audit log table are described in the following table.
Using the Audit Log to Examine Changes
License: Any
You can use the audit log to view detailed reports of changes to your system. These reports compare the
current configuration of your system to its most recent configuration before a particular change.
A compare icon appears next to audit log events that reflect changes to the system. You can click
the compare icon to access the Compare Configurations page and view a detailed report of a change.
The Compare Configurations page displays the differences between the system configuration before
changes and the running configuration in a side-by-side format. The audit event type, time of last
modification, and name of the user who made the change are displayed in the title bar above each
configuration.
Table 56-3 Subsystem Names (continued)
Name | Includes user interactions with...
Task Queue | Viewing the task queue
Users | Creating and modifying user accounts and roles
Table 56-4 Audit Log Fields
Field | Description
Time | Time and date that the appliance generated the audit record.
User | User name of the user that triggered the audit event.
Subsystem | Menu path the user followed to generate the audit record. For example, System > Monitoring > Audit is the menu path to view the audit log. In a few cases where a menu path is not relevant, the Subsystem field displays only the event type. For example, Login classifies user login attempts.
Message | Action the user performed. For example, Page View signifies that the user simply viewed the page indicated in the Subsystem, while Save means that the user clicked the Save button on the page. Changes made to the FireSIGHT System appear with a compare icon that you can click to see a summary of the changes. For more information, see
Source IP | IP address associated with the host used by the user.
Count | The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
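The fields in Table 56-4 can also be triaged outside the web interface. The following is an added example, not code from this guide or from Cisco. It assumes audit records are available as CSV with the table's field names as column headers; that layout, the Login message text, the user names and every sample row are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample. The CSV layout and every row are assumptions; only the
# column names and the values Login, Page View and Save come from Table 56-4.
SAMPLE = """\
Time,User,Subsystem,Message,Source IP
2015-03-02 09:14:07,admin,Login,Login attempt,192.0.2.10
2015-03-02 09:14:30,admin,System > Monitoring > Audit,Page View,192.0.2.10
2015-03-02 09:15:02,admin,System > Monitoring > Audit,Page View,192.0.2.10
2015-03-02 09:20:41,jdoe,Login,Login attempt,198.51.100.7
2015-03-02 09:22:13,jdoe,System > Local > User Management,Save,198.51.100.7
2015-03-02 23:51:09,jdoe,Login,Login attempt,203.0.113.45
"""

def parse(text):
    """Return one dict per audit record, keyed by the table's field names."""
    return list(csv.DictReader(io.StringIO(text)))

def counted_rows(records, fields):
    """Collapse rows that are identical on `fields`, like the Count column."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def saves(records):
    """Records where the user clicked Save: candidates for change review."""
    return [r for r in records if r["Message"] == "Save"]

def multi_source_users(records):
    """Users whose records come from more than one Source IP."""
    seen = defaultdict(set)
    for r in records:
        seen[r["User"]].add(r["Source IP"])
    return {u: ips for u, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for row, n in counted_rows(recs, ("User", "Subsystem", "Message")).items():
        print(n, *row, sep=" | ")
    for r in saves(recs):
        print("review change:", r["Time"], r["User"], r["Subsystem"])
    for user, ips in multi_source_users(recs).items():
        print("multiple sources:", user, sorted(ips))
```

Dropping the Time column before grouping is what makes otherwise distinct records identical, which mirrors why the Count field appears only after a constraint is applied.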