Be Audit You Can Be, Part 1: How to Securely Send and Monitor Your Audit Logs with InsightIDR

This blog was co-authored by Nils Kresl and Teresa Copple.


“Quis custodiet ipsos custodes?” or, “Who watches the watchmen?” This question was first famously asked by the Roman poet Juvenal almost 2,000 years ago, and we are still concerned about it today. How are you monitoring the activity of your “watchers”—that is, your IT teams, security teams, and software?


In this blog, we will discuss one common method of accomplishing this, by collecting the audit trail from a device or application. Specifically, we will examine collecting the audit trail from InsightVM with InsightIDR, as this same method can be used to collect the audit logs from many different applications.


In the Rapid7® InsightVM/Nexpose (our vulnerability management solutions) 6.5.77 release, which came out in August 2019, we added a new audit.log file to keep track of all user creation, deletion, role change, and site configuration change events on the Security Console. The audit.log is located along with the other diagnostic log files in the [installation_directory]/nsc/logs directory on the Security Console. For Windows, this is typically C:\Program Files\rapid7\nexpose\nsc\logs, and for Linux, the default location is /opt/rapid7/nexpose/nsc/logs.


Let’s see how we can collect the audit log entries and send them to InsightIDR, our cloud-based SIEM tool, for monitoring purposes. This stores the log in a central place and also lets you configure custom alerts or dashboards to monitor user account and site changes.
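As an added illustration of the collection side (example code written for this post, not Rapid7's or InsightIDR's own collector), the reader below picks the default audit.log path named above, reads only the entries appended since the last checkpoint, restarts cleanly after log rotation or truncation, never forwards a half-written line, and ships entries as RFC 5424 syslog over TLS. The collector host, port and CA file are assumed, and the audit.log line format is constructed here because the post does not show it.

```python
import socket
import ssl
import sys
import tempfile
from pathlib import Path

# Default audit.log locations named in the post; the Windows entry assumes the default install directory.
DEFAULT_PATHS = {
    "win": r"C:\Program Files\rapid7\nexpose\nsc\logs\audit.log",
    "linux": "/opt/rapid7/nexpose/nsc/logs/audit.log",
}

def default_audit_log_path(platform: str = sys.platform) -> str:
    """Resolve the default audit.log location for a sys.platform-style name."""
    return DEFAULT_PATHS["win" if platform.startswith("win") else "linux"]

def read_new_lines(path: Path, offset: int) -> tuple[list[str], int]:
    """Return complete lines appended after `offset` and the offset to resume from.
    A file shorter than `offset` was rotated/truncated: restart at 0 instead of silently
    skipping entries. A trailing partial line is held back until it is complete."""
    if path.stat().st_size < offset:
        offset = 0
    with path.open("rb") as fh:
        fh.seek(offset)
        data = fh.read()
    complete, sep, _partial = data.rpartition(b"\n")
    if not sep:
        return [], offset
    lines = [l for l in complete.decode("utf-8", errors="replace").split("\n") if l]
    return lines, offset + len(complete) + 1

def forward_syslog_tls(lines: list[str], host: str, port: int, cafile=None) -> int:
    """Ship each line as an RFC 5424 message (facility 13 'log audit', severity info => PRI 110)
    over TLS-wrapped TCP; host/port/cafile describe whatever collector you run (assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        for line in lines:
            tls.sendall(f"<110>1 - console insightvm-audit - - - {line}\n".encode())
    return len(lines)

def run_demo() -> dict:
    """Drive the reader over a constructed audit.log (the real line format is not shown in the post)."""
    log = Path(tempfile.mkdtemp()) / "audit.log"
    log.write_bytes(b"USER_CREATED alice\nROLE_CHANGED alice admin\nSITE_UPDATED hq-sca")  # last line unfinished
    first, off = read_new_lines(log, 0)
    with log.open("ab") as fh:
        fh.write(b"n\nUSER_DELETED bob\n")  # finish the partial line, then add a new entry
    second, off = read_new_lines(log, off)
    log.write_bytes(b"USER_CREATED carol\n")  # simulate log rotation / truncation
    third, off = read_new_lines(log, off)
    return {"first": first, "second": second, "third": third, "offset": off}
```

Persist the returned offset between runs so a restart of the shipper neither re-sends nor drops audit entries; the Security Console account running it needs only read access to the logs directory.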


To monitor the audit.log events, the log can be collected as an event source in InsightIDR. There are different ways to collect the audit logs and send them ..