
Archived

This topic is now archived and is closed to further replies.

Jean M

Onprem Security Management Center - Audit Logging


Hi,

I wanted to know if there is any audit log for the SMC that would contain for example:

- User authentication on SMC server web interface

- User actions like triggered tasks, etc.

I tried to look in

/var/log/eset/RemoteAdministrator/Server/trace.log

But it is rather verbose and I couldn't find what I needed.

Thanks,
Jean Mousinho


There is an audit log accessible via the standard reports mechanism -> please check the predefined reports, where you should find an audit log containing exactly what you are searching for.


Great. That's exactly what we wanted.

I noticed that it logs a lot of:

2019 Oct 2 10:53:52
Update modules
Update
Modules successfully updated.
Success
System user
system
yes

It is occurring every minute. Is it possible to filter out this message somehow?

Thanks!

 


It is possible to clone this report template and check whether there is a possibility to extend it with filters, but I think the set of possible filters was very limited in ESMC 7.0 and it will be improved in an upcoming version.

Just to be sure, it seems that you set updates of your ESMC to happen every minute - is this the correct and expected configuration? This parameter is configured in ESMC's settings in the console, and the default value is 6 hours, as modules for ESMC are not released very often (it is not related to antivirus updates, which happen multiple times a day).


Exactly, I was looking for a setting to configure that interval but couldn't find it. With your description I was able to find it and it was in fact set to 1 min! Probably by mistake.

One suggestion. We noticed that run commands logged in this audit report are not showing what command is being executed (detailed information from the command), at least from what we know. This is important audit information, as you should understand. We'd say that this should show at least in the audit events related to when we change the run command user task configuration (that's when that information is set). Certainly it could imply changes in the amount of information stored in the audit.

Thanks!


I was looking for other ways of getting this information (knowing what commands were run by a certain user of SMC Console), do you have any suggestion?

The audit provides runTask logs and change task logs, but no information on the command. Looking at specific computer details, we see a list of events but for the run task we can only see the most recent command assigned to the task.

Thanks.
