Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 56 Auditing the System
Managing Audit Records
Note that when you add an AuditBlock file, an audit record with a subsystem of Audit and a message of Audit Filter type Changed is added to the audit events. For security reasons, this audit record cannot be suppressed. Because it cannot be filtered out, this record is the reliable indicator that someone has narrowed what the audit log captures, and it is worth watching for.
The following table lists the audit block types. Table 56-3 lists the subsystems that are audited.
Table 56-2 Audit Block Types

Type        Description
Address     Create a file named AuditBlock.address and include, one per line, each IP address that you want to suppress from the audit log. You can use partial IP addresses provided that they map from the beginning of the address. For example, the partial address 10.1.1 matches addresses from 10.1.1.0 through 10.1.1.255.
Message     Create a file named AuditBlock.message and include, one per line, the message substrings that you want to suppress. Note that substrings are matched, so if you include backup in your file, all messages that include the word backup are suppressed.
Subsystem   Create a file named AuditBlock.subsystem and include, one per line, each subsystem that you want to suppress. Note that substrings are not matched; you must use exact strings. See Table 56-3 for a list of subsystems that are audited.
User        Create a file named AuditBlock.user and include, one per line, each user account that you want to suppress. You can use partial string matching provided that the partial string maps from the beginning of the username. For example, the partial username IPSAnalyst matches the user names IPSAnalyst1 and IPSAnalyst2.
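The four files in Table 56-2 each use a different matching rule (from-the-beginning for address and user, substring for message, exact string for subsystem), which is easy to get wrong when a block file is written by hand, and a single broad entry can silently hide a large part of the audit trail. The following Python script is an added example, not Cisco's code and not part of the FireSIGHT System: it models the documented rules, assumes that partial addresses are compared per octet (so 10.1.1 covers 10.1.1.0 through 10.1.1.255 but not 10.1.10.x, as the table's example implies), and dry-runs constructed AuditBlock file contents against constructed audit records, reporting how many records each entry would hide. The Audit Filter type Changed record described above is never suppressed.

```python
"""Dry run of AuditBlock suppression rules as documented in Table 56-2.

Added example, not Cisco's implementation. Record fields, file contents and
sample records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed contents of the four AuditBlock files, one pattern per line.
SAMPLE_BLOCK_FILES: Dict[str, str] = {
    "AuditBlock.address": "10.1.1\n192.168.5.20\n",
    "AuditBlock.message": "backup\n",
    "AuditBlock.subsystem": "Audit Log Search\n",
    "AuditBlock.user": "IPSAnalyst\n",
}


@dataclass(frozen=True)
class AuditRecord:
    address: str    # source IP of the user session (field layout is assumed)
    user: str       # user account
    subsystem: str  # one of the Table 56-3 names
    message: str    # audit message text


# The record written when an AuditBlock file is added; it cannot be suppressed.
FILTER_CHANGED = ("Audit", "Audit Filter type Changed")


def parse_block_file(text: str) -> List[str]:
    """One pattern per line; surrounding whitespace and blank lines are dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def address_matches(pattern: str, address: str) -> bool:
    """Partial addresses map from the beginning of the address. Assumption:
    compared per octet, so "10.1.1" covers 10.1.1.0-10.1.1.255 but not 10.1.10.7."""
    want, have = pattern.split("."), address.split(".")
    return have[: len(want)] == want


def user_matches(pattern: str, user: str) -> bool:
    """Partial usernames map from the beginning: IPSAnalyst matches IPSAnalyst1."""
    return user.startswith(pattern)


def message_matches(pattern: str, message: str) -> bool:
    """Substring match anywhere in the message text."""
    return pattern in message


def subsystem_matches(pattern: str, subsystem: str) -> bool:
    """Exact string only: "Audit Log" does not cover "Audit Log Search"."""
    return pattern == subsystem


MATCHERS: List[Tuple[str, Callable[[str, str], bool], Callable[[AuditRecord], str]]] = [
    ("AuditBlock.address", address_matches, lambda r: r.address),
    ("AuditBlock.message", message_matches, lambda r: r.message),
    ("AuditBlock.subsystem", subsystem_matches, lambda r: r.subsystem),
    ("AuditBlock.user", user_matches, lambda r: r.user),
]


def matching_patterns(record: AuditRecord, block_files: Dict[str, str]) -> List[str]:
    """Return "file:pattern" for every block entry that would hide this record."""
    if (record.subsystem, record.message) == FILTER_CHANGED:
        return []  # never suppressed, whatever the block files say
    hits = []
    for fname, match, field in MATCHERS:
        for pattern in parse_block_file(block_files.get(fname, "")):
            if match(pattern, field(record)):
                hits.append(f"{fname}:{pattern}")
    return hits


def is_suppressed(record: AuditRecord, block_files: Dict[str, str]) -> bool:
    return bool(matching_patterns(record, block_files))


def suppression_report(records: List[AuditRecord], block_files: Dict[str, str]) -> Dict[str, int]:
    """Count how many records each block entry hides, so an over-broad
    substring such as a bare "backup" stands out before the file is deployed."""
    counts: Dict[str, int] = {}
    for record in records:
        for hit in matching_patterns(record, block_files):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed audit records for the dry run.
SAMPLE_RECORDS = [
    AuditRecord("10.1.1.200", "admin", "Admin", "Time synchronization configured"),
    AuditRecord("10.1.10.7", "admin", "Admin", "Device added"),
    AuditRecord("172.16.0.9", "IPSAnalyst2", "Events", "Intrusion event view loaded"),
    AuditRecord("172.16.0.9", "analyst", "Audit Log Search", "Audit search executed"),
    AuditRecord("172.16.0.9", "analyst", "Audit Log", "Audit events viewed"),
    AuditRecord("172.16.0.9", "operator", "Admin", "Scheduled backup completed"),
    AuditRecord("172.16.0.9", "operator", "Admin", "Restore from backup started"),
    AuditRecord("10.1.1.5", "admin", "Audit", "Audit Filter type Changed"),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        state = "SUPPRESSED" if is_suppressed(record, SAMPLE_BLOCK_FILES) else "kept"
        print(f"{state:10} {record.subsystem:18} {record.user:12} {record.message}")
    print(suppression_report(SAMPLE_RECORDS, SAMPLE_BLOCK_FILES))
```

Running the script prints each sample record with its fate and then the per-entry counts; in the constructed data the single substring backup hides two unrelated Admin records, which is the kind of over-reach a review of the block files should catch. The last record keeps the filter change visible even though its address falls inside the suppressed 10.1.1 range.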
Table 56-3 Subsystem Names

Name                            Includes user interactions with...
Admin                           Administrative features such as system and access configuration, time synchronization, backup and restore, device management, user account management, and scheduling
Alerting                        Alerting functions such as email, SNMP, and syslog alerting
Audit Log                       Audit event views
Audit Log Search                Audit event searches
Command Line                    Command line interface
Configuration                   Email alerting
COOP                            Continuity of operations feature
Date                            Date and time range for event views
Default Subsystem               Options that do not have assigned subsystems
Detection & Prevention Policy   Menu options for intrusion policies
Error                           System-level errors
eStreamer                       eStreamer configuration
EULA                            Reviewing the end user license agreement
Events                          Intrusion and discovery event views