Collect Enhanced Audit Logs
Download the Enhanced Audit Files
- Go to https://community.logrhythm.com.
- Click the Document & Downloads tab and select SIEM.
- Click SIEM.
All the supporting links are available here. You can download the Enhanced Audit files of the latest version of the SIEM by clicking on the respective download link.
Create a Least Privileged SQL User
LogRhythm provides a script to create a SQL (Structured Query Language) user with all the permissions required for collecting Enhanced Audit logs in the Shadow tables. To run the script with a user-provided password, do the following:
- From the PM server, open SQL Management Studio and log in as an Administrator.
- Open LR_sqlaudit_create_leastprivuser.sql in SQL Management Studio.
- In the SQL script, enter a custom password between the single quotations.
... WITH PASSWORD=N'<CHANGE_ME>' ... - Execute the SQL script.
SQL will return the following message after successfully running the script.
"Commands completed successfully."
Create a System DSN
- Open the ODBC (Open Database Connectivity) Data Source Administrator (64-bit) window.
- Click the System DSN (Data Source Name) tab and click the Add... button.
The Microsoft SQL Server DSN Configuration window appears. - Enter the Name, Description, and Server details in the corresponding textboxes.
- Click Next >.
- Enter the newly created lrsqlaudit user ID and password to complete the set up.
- Click Next >.
- Change the Default database to LogRhythmEMDB.
- Click Next >.
- Click Finish.
Configure Log Sources
- In the Client Console, click the System Monitors tab in the Deployment Manager.
- Double-click the LogRhythm System Monitor.
The System Monitor Agent Properties window appears. - Right-click in the log sources grid and then click New.
The Log Message Source Properties dialog box appears. - Configure your log source with the following properties:
- Log Message Source Type: UDLA - LREnhancedAudit
- Log Message Source Name: <custom>
- Log Message Processing Engine (MPE) Policy: LogRhythm Default
- Click the UDLA Settings tab.
- Click Import.
The Import UDLA (Universal Database Log Adapter) Configuration dialog box appears. - Select the respective file and click Open. See the Audit Table for more information.
- Update the connection to the following, updating the DSN name and password for the lrsqlaudit user.
DSN=[DSNName];Uid=lrsqlaudit;Pwd=[lrsqlauditUserPassword] - Test the UDLA query and click OK to save the configuration.
- Repeat steps 1-9 for the other Shadow tables.
Audited Tables
The list of each shadow table enabled by default, a brief description of the types of changes they capture, and the associated UDLA configuration files are mentioned below.
| Table Name | Description | UDLA Configuration Files |
|---|---|---|
| AIERule_Shadow | Records when a change is made to AIE Rule configurations/settings. | AIERuleConfig.xml AIERuleSets.xml |
| AIERuleSet_Shadow | Records when a change is made to AIE Rule Sets. | AIERuleSets.xml |
| AIERuleSetToWorkload_Shadow | Records when a Workload's AIE Rule Set assignments are modified. IE when a Rule Set is included/excluded from a Workload. | AIERuleSetToWorkLoad.xml |
| AIERuleToEngine_Shadow | Records when an AIE Server's AIE Rule assignments are modified. | AIERuleToEngine.xml |
| AlarmRule_Shadow | Records changes to Alarms rules. | Alarm.xml |
| Entity_Shadow | Records changes to the Entity structure. | Entity.xml |
| GlobalLogProcessingRule_Shadow | Records modifications to GLPRs. | GLPR.xml |
| Identity_Shadow | Records changes to Identities. | Identity.xml |
| MsgSource_Shadow | Records changes to Log Sources. | MsgSource.xml |
| Person_Shadow | Records when a change is made to a Person record on the People tab. | Person.xml |
| SCUser_Shadow | Records when a change is made to an LR User Account (LR Login Account). | User.xml |