Set Up the Audit Functionality

Perform the following steps to set up the audit functionality on the Platform Manager server. These procedures must be executed as a sysadmin user (preferably the sa account or another NON-LogRhythm login) in order for the added trace and stored procedures to have minimal access rights.

1. Set the SQL Server property “Scan for startup procs” to True. This allows the SQL Server to automatically start the audit trace defined in the LogRhythm_Audit script at SQL Server startup.
2. Grant each member of the LogRhythmGlobalAdmin role the “ALTER ANY TRACE” server permission on each SQL Server. This allows LogRhythmGlobalAdmin members to execute the required stored procedures to report on the audit traces.
3. Edit the LogRhythm_Audit.sql script for environmental configuration.
   1. Set the folder path for trace files to be written to.
   2. Set login filters to exclude LogRhythm service activity from being included in the audit.
      Exclude logins for the following services:
      • LogRhythm ARM
      • LogRhythm Job Manager
      • LogRhythm Mediator(s)
      • LogRhythm AIE
4. Run LogRhythm_Audit.sql in the master database.
5. Execute the LogRhythm_Audit stored procedure in the master.
6. Run LogRhythm_Audit_Select.sql script. The LogRhythm_Audit_Select stored procedure must reside in the LogRhythmEMDB on Platform Managers.

After the audit trace is defined and started, SQL Server begins writing audit events to the trace at a location configured within the LogRhythm_Audit stored procedure. The LogRhythm_Audit stored procedure also configures the maximum size an audit trace is allowed to become before a new file is started (i.e. log rotation). This value is 100MB by default.