Security Logs and Reviews

Prognosis creates log entries for users logging in, starting, stopping, and changing configurations, and sometimes for the details of how a process is configured.

The primary source of events is the Audit Log, which captures events locally or forwards them in syslog format to a central location via UDP, TCP, or TLS over TCP, so that they can be imported into an organization's Security Information and Event Management (SIEM) system.

However, the following events are not logged: the individual activities of a user performing informational queries, interactions with a display (including the issuance of commands), and specifically what changed in a configuration.

Recommendations

In all environments, the following approach is recommended:

  • Understand the logs that are available.

  • Review audit logs, as needed, or when an incident occurs that requires investigation.

In high security environments, the following additional actions are recommended:

  • Forward output from all relevant logs to a central SIEM system for monitoring. For the Audit Log, use the built-in Syslog feature where possible. For other logs, forward the file content to the SIEM system periodically.

  • When configuring the Audit Log to be forwarded via Syslog over TCP/IP, enable TLS on the outgoing connection.
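The two high-security recommendations above (forward the content of other log files to the SIEM periodically, and use TLS on the outgoing syslog connection) can be met with a small forwarder. The following is an added example written for this page, not code shipped with Prognosis or documented by its vendor; the log file path, host name, application name, SIEM address and CA file are placeholders you would replace with your own. It wraps each new line of a file in an RFC 5424 syslog header with RFC 6587 octet-counting framing, remembers the byte offset between runs so a periodic job never resends the whole file, restarts from the beginning if the file was rotated or truncated, and sends only over a TLS 1.2+ connection that verifies the SIEM's certificate.

```python
"""Periodic forwarder for a Prognosis log file to a SIEM over syslog/TLS.

Added example; not part of the product or its documentation.  All host
names, paths and ports below are assumptions to be replaced.
"""
import io
import os
import socket
import ssl
import tempfile
from datetime import datetime, timezone

# RFC 5424: PRI = facility * 8 + severity.  local0 = 16, informational = 6.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def build_syslog_message(line, hostname="prognosis-host", app_name="prognosis-log",
                         facility=FACILITY_LOCAL0, severity=SEVERITY_INFO,
                         timestamp=None):
    """Return one RFC 5424 message, framed with RFC 6587 octet counting.

    Octet counting ("<len> <msg>") is used instead of newline delimiting so a
    log line that itself contains a newline cannot be split into two events.
    """
    ts = (timestamp or datetime.now(timezone.utc))
    ts = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    pri = facility * 8 + severity
    body = f"<{pri}>1 {ts} {hostname} {app_name} - - - {line}".encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def read_new_lines(path, offset):
    """Return (lines, new_offset) for complete lines appended since `offset`.

    A trailing partial line (no newline yet) is left for the next run so an
    event is never forwarded half-written.
    """
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1
    lines = data[:end].decode("utf-8", "replace").splitlines()
    return lines, offset + end


def forward_file(path, send, state, hostname="prognosis-host", app_name="prognosis-log"):
    """Send new lines of `path` through `send(bytes)`; `state` keeps the offset.

    If the file is now shorter than the saved offset it was rotated or
    truncated, so reading restarts from the beginning of the new file.
    Returns the number of lines forwarded on this run.
    """
    offset = state.get("offset", 0)
    if os.path.getsize(path) < offset:
        offset = 0
    lines, new_offset = read_new_lines(path, offset)
    for line in lines:
        send(build_syslog_message(line, hostname, app_name))
    state["offset"] = new_offset
    return len(lines)


def make_tls_context(ca_file):
    """TLS 1.2+ with the SIEM's certificate verified against `ca_file`.

    Sending over plain TCP would expose audit content in transit and let an
    on-path party inject or drop events; verification is left enabled.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def forward_over_tls(path, siem_host, siem_port, ca_file, state):
    """Connect to the SIEM with TLS and forward the file's new lines."""
    ctx = make_tls_context(ca_file)
    with socket.create_connection((siem_host, siem_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=siem_host) as tls:
            return forward_file(path, tls.sendall, state)


if __name__ == "__main__":
    # Offline demonstration with a constructed sample log; a real deployment
    # would call forward_over_tls("/path/to/prognosis.log", "siem.example",
    # 6514, "/etc/ssl/siem-ca.pem", state) from a scheduled job.
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.log")
        with open(sample, "wb") as f:
            f.write(b"user admin logged in\nprocess collector started\npartial")
        captured = io.BytesIO()
        state = {}
        n = forward_file(sample, captured.write, state)
        print(f"forwarded {n} lines, offset now {state['offset']}")
        print(captured.getvalue().decode())
```

Run it from cron or a systemd timer with the `state` dictionary persisted to disk between runs (for example as JSON next to the forwarder); the offset is the only state needed. The Audit Log itself should still use the product's built-in syslog feature, as the recommendation above says; this forwarder is for the other log files whose content has to be shipped periodically.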

Log Details

The various log files provided are discussed in the following pages.

For details see the following sections: