Audit Logging

Overview

Atomic OSSEC (AEO) audit logging tracks user activity, administration, and configuration changes made to the AEO platform, including:

  • Administrative user creation, deletion, and modification

  • User password and profile changes

  • Platform configuration

  • Asset management activity, including managing FIM and IDS configurations

1.0 Viewing Audit logs

  • Select Reporting

  • Select Event Search

  • Select atomicorp-audit from the Event Type drop-down

[Screenshot: AEO audit log interface]

2.0 Audit Log events

Rule ID 16500

  • Level: 0

  • Description: Atomicorp: Group rules

Rule ID 16501

  • Level: 3

  • Description: Atomicorp Audit: Successful login to Atomic OSSEC

Rule ID 16502

  • Level: 5

  • Description: Atomicorp Audit: Logon failure to Atomic OSSEC

Rule ID 16503

  • Level: 7

  • Description: Atomicorp Audit: Multiple logon failures to Atomic OSSEC from the same source. (3/60)

Rule ID 16504

  • Level: 2

  • Description: Atomicorp Audit: Logon failure to Atomic OSSEC for an unknown user

Rule ID 16505

  • Level: 8

  • Description: Atomicorp Audit: Multiple logon failures to Atomic OSSEC for an unknown user from the same source (5/60).

Rule ID 16506

  • Level: 4

  • Description: Atomicorp Audit: Successful Administrative login to Atomic OSSEC

Rule ID 16507

  • Level: 2

  • Description: Atomicorp Audit: Administrator user management (Add)

Rule ID 16508

  • Level: 3

  • Description: Atomicorp Audit: Administrator user management (Add) password length too short

Rule ID 16509

  • Level: 3

  • Description: Atomicorp Audit: Administrator user management (Add) Create new user

Rule ID 16510

  • Level: 2

  • Description: Atomicorp Audit: Administrator group management (Add)

Rule ID 16511

  • Level: 3

  • Description: Atomicorp Audit: Administrator group management (Add) Added group

Rule ID 16512

  • Level: 2

  • Description: Atomicorp Audit: Administrator user management (Modify)

Rule ID 16513

  • Level: 4

  • Description: Atomicorp Audit: Administrator user management (Modify) granted administrator privileges

Rule ID 16514

  • Level: 2

  • Description: Atomicorp Audit: Administrator group management (Remove)

Rule ID 16515

  • Level: 2

  • Description: Atomicorp Audit: Administrator user management (Remove)

Rule ID 16516

  • Level: 2

  • Description: Atomicorp Audit: User changed profile (Modify)

Rule ID 16517

  • Level: 3

  • Description: Atomicorp Audit: User changed profile (Modify) Password changed successfully

Rule ID 16518

  • Level: 3

  • Description: Atomicorp Audit: Administrator user management (Modify) changed password for user

Rule ID 16519

  • Level: 2

  • Description: Atomicorp Audit: User logged off

Rule ID 16520

  • Level: 2

  • Description: Atomicorp Audit: Configuration changed

Rule ID 16521

  • Level: 2

  • Description: Atomicorp Audit: Asset Management group (Create)

Rule ID 16522

  • Level: 2

  • Description: Atomicorp Audit: Asset Management group (Rename)

Rule ID 16523

  • Level: 2

  • Description: Atomicorp Audit: Asset Management group (Remove)

Rule ID 16524

  • Level: 2

  • Description: Atomicorp Audit: Asset Management Agent (Move)

Rule ID 16525

  • Level: 2

  • Description: Atomicorp Audit: Asset Management Agent (Remove)

Rule ID 16526

  • Level: 2

  • Description: Atomicorp Audit: Asset Management configure monitoring (Add)

Rule ID 16527

  • Level: 2

  • Description: Atomicorp Audit: Asset Management configure monitoring (Remove)

Rule ID 16528

  • Level: 2

  • Description: Atomicorp Audit: Asset Management configure FIM (Manage)