Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 56 Auditing the System
Managing Audit Records
You can change the layout of the event view or constrain the events in the view by a field value. When
disabling columns, after you click the close icon in the column heading that you want to hide, in
the pop-up window that appears, click Apply. When you disable a column, it is disabled for the duration
of your session (unless you add it back later). Note that when you disable the first column, the Count
column is added.
To hide or show other columns, or to add a disabled column back to the view, select or clear the
appropriate check boxes before you click Apply.
Clicking a value within a row in a table view constrains the table view and does not drill down to the
next page.
Tip: Table views always include “Table View” in the page name.
Suppressing Audit Records
License: Any
If your auditing policy does not require that you audit specific types of user interactions with the
FireSIGHT System, you can prevent those interactions from generating audit records. For example, by
default, each time a user views the online help, the FireSIGHT System generates an audit record. If you
do not need to keep a record of these interactions, you can automatically suppress them.
To configure audit event suppression, you must have access to an appliance’s admin user account, and
you must be able to either access the appliance’s console or open a secure shell.
Caution: Make sure that only authorized personnel have access to the appliance and to its admin account.
To suppress audit records, you must create one or more files in the /etc/sf directory in the following
form:
AuditBlock.type
where type is address, message, subsystem, or user.
Note: If you create an AuditBlock.type file for a specific type of audit message, but later decide that you no
longer want to suppress them, you must delete the contents of the AuditBlock.type file but leave the
file itself on the FireSIGHT System.
The contents for each audit block type must be in a specific format, as described in the following table.
Make sure you use the correct capitalization for the file names. Note also that the contents of the files
are case sensitive.
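The following is an added example, not part of the Cisco guide: a shell function for reviewing which AuditBlock files exist in /etc/sf, whether each one has contents or has been emptied, and whether any file name differs from the documented capitalization. The function name audit_block_report, the report labels (ACTIVE, EMPTY, BADNAME) and the counting of each non-blank line as one entry are assumptions, and the demo file contents are constructed placeholders rather than the entry format from the guide's table.

```sh
#!/bin/sh
# Added example (not from the guide): review audit-suppression files.
# /etc/sf and the AuditBlock.<type> names come from the guide; the function
# name, report labels and "one entry per non-blank line" are assumptions.

# audit_block_report DIR -> one line per finding:
#   ACTIVE <file> <n>   file has n non-blank lines, so suppression is configured
#   EMPTY <file>        file is present with no contents (nothing suppressed)
#   BADNAME <file>      name resembles AuditBlock.* but not the documented form
audit_block_report() {
    dir=${1:-/etc/sf}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case $lower in
            auditblock.*) ;;          # candidate, checked exactly below
            *) continue ;;            # unrelated file
        esac
        case $name in
            AuditBlock.address|AuditBlock.message|AuditBlock.subsystem|AuditBlock.user)
                # grep -c exits 1 on zero matches but still prints 0
                n=$(grep -c '[^[:space:]]' "$f" || true)
                if [ "$n" -gt 0 ]; then
                    echo "ACTIVE $name $n"
                else
                    echo "EMPTY $name"
                fi
                ;;
            *) echo "BADNAME $name" ;;
        esac
    done
}

# Constructed demo directory; file contents are placeholders, not real entries.
demo=$(mktemp -d)
printf 'placeholder-1\nplaceholder-2\n' > "$demo/AuditBlock.message"
: > "$demo/AuditBlock.user"
: > "$demo/auditblock.address"
audit_block_report "$demo"
rm -rf "$demo"
# On an appliance, run: audit_block_report /etc/sf
```

Comparing the report against the suppression your auditing policy actually calls for shows any ACTIVE file that should not be there.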