Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 56: Auditing the System
Managing Audit Records
Differences between the two configurations are highlighted:
  • Blue indicates that the highlighted setting is different in the two configurations, and the difference is noted in red text.
  • Green indicates that the highlighted setting appears in one configuration but not the other.

To examine a change in the audit log:
Access: Admin

Step 1  Select System > Monitoring > Audit.
The first page of the default audit log workflow appears. If you are using a custom workflow that does not include the table view of audit events, click (switch workflow), then select Audit Log.

Step 2  Click the compare icon next to an applicable audit log event in the Message column.
The Compare Configurations page appears. Note that you can navigate through changes individually by clicking Previous or Next above the title bar. If the change summary is more than one page long, you can also use the scroll bar on the right to view additional changes.

Searching Audit Records
License: Any

You can search audit records to find information specific to a user, a specific subsystem, or an audit record message.
You may want to create searches customized for your network environment, then save them to reuse later. The search criteria you can use are described in the following table. Note that audit searches are not case sensitive. For example, searching for Analyst01 or analyst01 yields the same results.

Table 56-5  Audit Record Search Criteria

Search Field: User
Description: Enter the user name of the user who triggered the audit events you want to see. You can use an asterisk (*) as a wildcard character in this field.
Example: jsmith returns all audit records involving the user jsmith.

Search Field: Subsystem
Description: Enter the full menu path a user would follow to generate the audit records you want to see. You can use an asterisk (*) as a wildcard character in this field.
Example: System > Monitoring > Audit and *Audit both return audit records that involve using the audit log. *Audit* returns all of the above records, plus records that involve searching for audit records.

Search Field: Message
Description: The action the user performed or the button the user clicked on the page. You can use an asterisk (*) as a wildcard character in this field.
Example: Apply returns audit records where the user applied an intrusion policy. Save Rule returns audit records where the user saved a correlation rule. Page View returns audit records where the user viewed the page.
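
The matching rules in Table 56-5 (case-insensitive terms, with * as a wildcard) can be reproduced offline when reviewing audit records outside the web interface. The following is an added example, not code from the Cisco guide or product. It assumes records held as dictionaries with user, subsystem and message keys, that a term with no wildcard must match the whole field, and that multiple criteria are combined with AND; the sample records and any subsystem path beginning with "Constructed" are invented for illustration.

```python
import re

# Constructed sample records (not real appliance output); keys mirror Table 56-5.
RECORDS = [
    {"user": "jsmith", "subsystem": "System > Monitoring > Audit",
     "message": "Page View"},
    {"user": "Analyst01", "subsystem": "Constructed > Search > Audit Records",
     "message": "Page View"},
    {"user": "analyst01", "subsystem": "Constructed > Intrusion Policy",
     "message": "Apply"},
    {"user": "jsmith", "subsystem": "Constructed > Correlation",
     "message": "Save Rule"},
]


def compile_criterion(term):
    """Build a case-insensitive regex in which * matches any run of characters.

    Every other character is escaped, so '>' or '.' in a menu path is literal.
    """
    literal_parts = [re.escape(part) for part in term.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def search(records, **criteria):
    """Return the records whose fields match every supplied criterion.

    Assumption: criteria are ANDed and each must match the whole field value.
    """
    compiled = {field: compile_criterion(term) for field, term in criteria.items()}
    return [
        rec for rec in records
        if all(rx.fullmatch(rec.get(field, "")) for field, rx in compiled.items())
    ]


if __name__ == "__main__":
    # Shows why *Audit and *Audit* return different sets of records.
    for term in ("System > Monitoring > Audit", "*Audit", "*Audit*"):
        hits = search(RECORDS, subsystem=term)
        print(f"{term!r}: {[h['subsystem'] for h in hits]}")
    print(search(RECORDS, user="ANALYST01"))
```
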