Send the Cortex XSOAR audit trail to an external log service by adding custom server configurations.
Organizations that are required to implement centralized logging for compliance and monitor requirements benefit from the syslog export.
Note
By default, audit logs are retained for 365 days on the server. If you are sending logs to an external syslog, you may want to limit the retention on the server to a shorter period of time, such as 90 days., using the demisto.audits.purge.retention
server configuration. For more information, see Audit Trail.
To send the Cortex XSOAR audit trail to an external log service, you create several custom server configurations.
Select
→ → → .Add the following required keys and values:
Key
Value
Required
syslog.enabled
true
Required
syslog.protocol
tcp
udp
tcp+tls
unix
Default:
unix
(for localhost syslogging)Required
syslog.host
<syslog server>
Required. This key is not required for UNIX protocol.
syslog.port
<destination port>
Required. This key is not required for UNIX protocol.
syslog.tag
Default is Demisto.<syslog tag>
Optional
syslog.format
RFC3164
RFC5424
Default is empty, which uses a custom format that is a combination of both formats.
Optional
syslog.filter
<object/action>
Optional
syslog.priority
Default is a number for LOG_INFO with LOG_DAEMON. If you want to change the default, contact Cortex XSOAR Customer Support.
Optional
(Optional) To modify the facility level of syslogs, in the
syslog.priority
parameter, add the facility and severity levels and the resulting number in the following format:<severity level>
|<facility level>
=<resulting number>
.For example, to view
informational
messages for log levellocal7
add the6|184=190
value.Where as
6 = severity level (
informational
)184 = facility level (
local7
), calculated by 23*8190 = total of the severity and facility levels
For information about the syslog facility and severity levels, see What are Syslog Facilities and Levels
Example
In this example, we want to match audit trail entries of login success
and login failure
. To accomplish this, we set the syslog.filter
parameter to login/.*
.
Sample Syslog
CEF:0|Palo Alto Networks|Palo Alto Networks Cortex XSOAR|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|failure|3|suser=john startTime=1521835930684963 cs1=john cs1Label=identifier cs2=Cookie: [hsfirstvisit\=http%3A%2F%2Flocalhost%3A7070%2F||1464113050169; _ga\=GA1.1.296351272.1461620234; __hstc\=181257784.72e717e61ded2087506747f5da786796.1464113050173.1464122836548.1469409642245.3; __hssrc\=1; hubspotutk\=72e717e61ded2087506747f5da786796; local-theme\=light; XSRF-TOKEN\=AgF4Peo0Gqa8zlIB31fLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nReferer: [http://localhost:8080/]\n\nAccept: [application/json]\n\nX-Xsrf-Token: [AgF4Peo0Gqa8zlIBk1GLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nContent-Length: [142]\n\nAccept-Language: [en-US,en;q\=0.9,he;q\=0.8,ms;q\=0.7]\n\nContent-Type: [application/json]\n\nhost/ip: [::1]:62296\nConnection: [keep-alive]\n\nUser-Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36]\n\nApi_truncate_results: [true]\n\nOrigin: [http://localhost:8080]\n\nAccept-Encoding: [gzip, deflate, br]\n\nerror: Invalid credentials:Invalid username or password\nDnt: [1]\n cs2Label=details CEF:0|Palo Alto Networks|Palo Alto Networks Cortex XSOAR|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|in|3|suser=john startTime=1521835934123052 cs1=john cs1Label=identifier cs2=host/ip: [::1]:62296\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36 cs2Label=details client: 127.0.0.1:57284 message: CEF:0|Palo Alto Networks|Palo Alto Networks Cortex XSOAR|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|out|3|suser=john startTime=1521835927224046 cs1=john cs1Label=identifier cs2=N/A cs2Label=details
Audit Trail Format
Cortex XSOAR audit trail details are formatted using Common Event Format (CEF) with custom CEF fields. The audit format is:
CEF:<CEFVersion>|<CEFVendor>|<CEFProduct>|<server version>|<audit category>|<action>|3|suser=<user> startTime=<audit log time> cs1=<id of item being audited> cs1Label=identifier cs2=<action info> cs2Label=details
For example, from the first log in the sample Syslog above:
<CEFVersion>
= 0
<CEFVendor>
= Palo Alto Networks
<CEFProduct>
= Palo Alto Networks Cortex XSOAR
<audit category>
= login (can be accounts, incidents, login, automation, and so on)
<action>
= failure (can be delete, create, add and so on)
<action info>
= 3 (can be any kind of additional info)