For an overview of the log inspection module, see About Log Inspection.
Note
You need a Workload license to enable log inspection.
To use log inspection, follow the steps in these procedures:

Procedure

  1. Turn on the log inspection module
  2. Run a recommendation scan
  3. Apply the recommended log inspection rules
  4. Test Log Inspection
  5. Configure log inspection event forwarding and storage

Turn on the log inspection module

Enable log inspection for a policy.

Procedure

  1. Go to Policies.
  2. Double-click the policy.
  3. Select Log Inspection > General.
  4. Select On for Log Inspection State.
  5. Click Save.

Run a recommendation scan

Run a recommendation scan on the computer to get recommendations about which log inspection rules apply to its operating system and installed applications.

Apply the recommended log inspection rules

Server & Workload Protection ships with many pre-defined rules covering a wide variety of operating systems and applications. When you run a recommendation scan, you can choose to have Server & Workload Protection automatically implement recommendations or you can choose to manually select and assign the rules.
Although Server & Workload Protection ships with log inspection rules for many common operating systems and applications, you also have the option to create your own custom rules. To create a custom rule, you can either use the Basic Rule template, or you can write your new rule in XML. For information on how to create a custom rule, see Define a log inspection rule for use in policies.

Test Log Inspection

Before completing Log Inspection configuration, test that the rules are working correctly:

Procedure

  1. Ensure Log Inspection is enabled.
  2. In the computer or policy editor, select Log Inspection > Advanced.
  3. Set Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level to Low (3) then click Save.
  4. On the General tab, click Assign/Unassign.
  5. Search for and enable 1002792 - Default Rules Configuration. This is required for all other Log Inspection rules to work.
  6. Enable the rules for the platform:
    • For Windows, enable 1002795 - Microsoft Windows Events to log events every time the Windows auditing functionality registers an event.
    • For Linux, enable 1002831 - Unix - Syslog to inspect the syslog for events.
  7. Click OK then click Save.
  8. Try to log in to the server with an account that does not exist. The operating system rejects the login; Log Inspection does not block it, but it should detect the failed attempt from the resulting log entry.
  9. Go to Events & Reports > Log Inspection Events to verify the record of the failed log-in attempt. A record of the detection indicates Log Inspection is working correctly.

Configure log inspection event forwarding and storage

When an event triggers a log inspection rule, Server & Workload Protection logs the event. You can view these Log Inspection Events under Events & Reports and Policy editor (see Log inspection events). Depending on the severity of the event, you may send the event to a syslog server (see Forward Server & Workload Protection events to an external syslog or SIEM server) or store events in the database using the severity clipping feature.
To configure severity clipping:

Procedure

  1. Go to Policies and double-click the policy.
  2. Select Log Inspection > Advanced.
  3. Choose a severity between Low (0) and Critical (15) for Send Agent/Appliance events to syslog when they equal or exceed the following severity level.
    This setting determines which events triggered by the assigned log inspection rules are sent to the syslog server when syslog forwarding is enabled.
  4. Choose a severity between Low (0) and Critical (15) for Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level.
    This setting determines which Log Inspection events are kept in the database and appear on the Log Inspection Events page. Events below this level are discarded, so a rule that fires at a level lower than the threshold will never be visible in the console.
  5. Click Save.
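The following Python script is an added example, not code from the original page or from Trend Micro; it ties together the custom-rule XML mentioned under "Apply the recommended log inspection rules", the failed-login test above, and the two severity clipping thresholds from this procedure. It embeds a constructed, OSSEC-style rule set (the XML dialect Log Inspection custom rules are written in is an assumption here; the exact schema is in the linked rule-definition topic, and the rule IDs in the 100000 range are assumed to be free for custom rules), runs it over constructed auth.log lines, and then applies the syslog and store thresholds to show which events would be forwarded and which would be kept for the console. The patterns are evaluated with Python's `re`, which is not the product's regex dialect; treat the script as a model of the decision logic, not as a validator for production rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed custom rule set in OSSEC-style XML (assumed dialect of Log
# Inspection custom rules; rule IDs 100001-100003 are assumed unused).
RULES_XML = r"""
<group name="syslog,sshd,">
  <rule id="100001" level="5">
    <regex>sshd\[\d+\]: Invalid user \S+ from \S+</regex>
    <description>sshd: login attempt with a non-existent user.</description>
  </rule>
  <rule id="100002" level="10">
    <regex>sshd\[\d+\]: Failed password for root from \S+</regex>
    <description>sshd: failed root login.</description>
  </rule>
  <rule id="100003" level="3">
    <match>session opened for user</match>
    <description>Login session opened.</description>
  </rule>
</group>
"""

# Constructed auth.log lines standing in for what the test procedure's
# step 8 (login with a non-existent account) produces on a Linux host.
SAMPLE_LOG = """\
Mar  4 10:15:01 host sshd[2311]: Invalid user ghost from 203.0.113.7 port 51234
Mar  4 10:15:01 host sshd[2311]: Failed password for invalid user ghost from 203.0.113.7 port 51234 ssh2
Mar  4 10:15:30 host sshd[2320]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 10:16:02 host sshd[2330]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2
Mar  4 10:16:02 host sshd[2330]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def load_rules(xml_text):
    """Parse <rule> elements into (id, level, matcher, description) tuples.

    <regex> is compiled with Python's re (not the product's dialect);
    <match> is a plain substring test, as in OSSEC.
    """
    rules = []
    for rule in ET.fromstring(xml_text.strip()).iter("rule"):
        rid = int(rule.get("id"))
        level = int(rule.get("level"))
        desc = rule.findtext("description", "")
        regex = rule.findtext("regex")
        match = rule.findtext("match")
        if regex is not None:
            matcher = re.compile(regex).search
        elif match is not None:
            matcher = lambda line, s=match: s in line
        else:
            continue  # a rule without a condition never fires here
        rules.append((rid, level, matcher, desc))
    return rules


def inspect(log_text, rules):
    """Return one event per log line that matches a rule (highest level wins)."""
    events = []
    for line in log_text.splitlines():
        hits = [(lvl, rid, desc) for rid, lvl, m, desc in rules if m(line)]
        if hits:
            lvl, rid, desc = max(hits)
            events.append({"rule_id": rid, "level": lvl,
                           "description": desc, "line": line})
    return events


def clip(events, syslog_min, store_min):
    """Apply the two severity clipping thresholds (0..15).

    syslog_min: "Send Agent/Appliance events to syslog when they equal or
                exceed the following severity level"
    store_min:  "Store events at the Agent/Appliance for later retrieval by
                DSM when they equal or exceed the following severity level"
    """
    forwarded = [e["rule_id"] for e in events if e["level"] >= syslog_min]
    stored = [e["rule_id"] for e in events if e["level"] >= store_min]
    return {"forwarded": forwarded, "stored": stored}


def run(syslog_min=8, store_min=3):
    """Inspect the sample log and clip with the given thresholds."""
    events = inspect(SAMPLE_LOG, load_rules(RULES_XML))
    return events, clip(events, syslog_min, store_min)


if __name__ == "__main__":
    # Store at Low (3) as in the test procedure; forward only High (8) and up.
    events, decision = run(syslog_min=8, store_min=3)
    for e in events:
        print(f'rule {e["rule_id"]} level {e["level"]:2d}: {e["description"]}')
    print("forwarded to syslog:", decision["forwarded"])
    print("stored for DSM:     ", decision["stored"])
```

With the store threshold at Low (3), all three events are kept and the non-existent-user login (rule 100001, level 5) shows up as the test expects, while only the failed root login (level 10) clears a syslog threshold of High (8). Raising the store threshold above a rule's level silently drops that rule's events, which is the usual reason a rule "does not fire" during testing.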