
Collect Enhanced Audit Logs

Download the Enhanced Audit Files

  1. Go to https://community.logrhythm.com
  2. Click the Document & Downloads tab and select SIEM.
  3. Click SIEM.
    All the supporting links are available here. You can download the Enhanced Audit files for the latest SIEM version by clicking the corresponding download link.

Create a Least Privileged SQL User

LogRhythm provides a script to create a SQL (Structured Query Language) user with all the permissions required for collecting Enhanced Audit logs in the Shadow tables. To run the script with a user-provided password, do the following:

  1. From the PM server, open SQL Management Studio and log in as an Administrator.
  2. Open LR_sqlaudit_create_leastprivuser.sql in SQL Management Studio.
  3. In the SQL script, enter a custom password between the single quotations.
    ... WITH PASSWORD=N'<CHANGE_ME>' ...
  4. Execute the SQL script.
    SQL will return the following message after successfully running the script.
    "Commands completed successfully."
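The vendor script is not reproduced on this page, so the following is an added T-SQL example of the least-privilege shape such a collector account should have; it is not LR_sqlaudit_create_leastprivuser.sql and may differ from what that script grants. It assumes the shadow tables listed under Audited Tables live in the dbo schema of LogRhythmEMDB and that the UDLA collector only ever reads them, so SELECT on those tables is the only permission granted.

```sql
-- Added example, not LogRhythm's LR_sqlaudit_create_leastprivuser.sql.
-- Assumptions: shadow tables are dbo.* in LogRhythmEMDB and the collector
-- only reads them, so object-level SELECT is the only grant.
USE [master];
GO

-- Server-level SQL login. The password goes between the single quotes, exactly
-- as in the vendor script. CHECK_POLICY applies the Windows password policy;
-- CHECK_EXPIRATION stays OFF because the password is stored statically in the
-- DSN/UDLA connection string, so rotate it deliberately rather than by expiry.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'lrsqlaudit')
    CREATE LOGIN [lrsqlaudit]
        WITH PASSWORD = N'<CHANGE_ME>',
             CHECK_POLICY = ON,
             CHECK_EXPIRATION = OFF,
             DEFAULT_DATABASE = [LogRhythmEMDB];
GO

USE [LogRhythmEMDB];
GO

-- Database user mapped to the login. No fixed role is added (not even
-- db_datareader), so the account can read nothing beyond the explicit grants.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'lrsqlaudit')
    CREATE USER [lrsqlaudit] FOR LOGIN [lrsqlaudit];
GO

-- Object-level SELECT on each shadow table from the Audited Tables section.
GRANT SELECT ON OBJECT::dbo.AIERule_Shadow                 TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.AIERuleSet_Shadow              TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.AIERuleSetToWorkload_Shadow    TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.AIERuleToEngine_Shadow         TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.AlarmRule_Shadow               TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.Entity_Shadow                  TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.GlobalLogProcessingRule_Shadow TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.Identity_Shadow                TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.MsgSource_Shadow               TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.Person_Shadow                  TO [lrsqlaudit];
GRANT SELECT ON OBJECT::dbo.SCUser_Shadow                  TO [lrsqlaudit];
GO

-- Check the result as the collector account: the only object-level permission
-- reported on a shadow table should be SELECT. The subentity_name filter drops
-- the per-column rows that fn_my_permissions also returns.
EXECUTE AS USER = N'lrsqlaudit';
SELECT entity_name, permission_name
FROM fn_my_permissions(N'dbo.SCUser_Shadow', N'OBJECT')
WHERE subentity_name = N'';
REVERT;
GO
```

Run it from SQL Management Studio as an administrator, the same way the vendor script is run. If the final SELECT returns anything other than a single SELECT row, the account holds more than the collector needs and the extra grant or role membership should be removed before the DSN is created with it.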

Create a System DSN

  1. Open the ODBC (Open Database Connectivity) Data Source Administrator (64-bit) window.
  2. Click the System DSN (Data Source Name) tab and click the Add... button.
    The Microsoft SQL Server DSN Configuration window appears.
  3. Enter the Name, Description, and Server details in the corresponding textboxes.
  4. Click Next >.
  5. Enter the newly created lrsqlaudit user ID and password to complete the setup.
  6. Click Next >.
  7. Change the Default database to LogRhythmEMDB.
  8. Click Next >.
  9. Click Finish.

Configure Log Sources

  1. In the Client Console, click the System Monitors tab in the Deployment Manager.
  2. Double-click the LogRhythm System Monitor.
    The System Monitor Agent Properties window appears.
  3. Right-click in the log sources grid and then click New.
    The Log Message Source Properties dialog box appears.
  4. Configure your log source with the following properties:
    1. Log Message Source Type: UDLA - LREnhancedAudit
    2. Log Message Source Name: <custom>
    3. Log Message Processing Engine (MPE) Policy: LogRhythm Default
  5. Click the UDLA Settings tab.
  6. Click Import.
    The Import UDLA (Universal Database Log Adapter) Configuration dialog box appears.
  7. Select the respective file and click Open. See the Audit Table for more information.
  8. Update the connection string to the following, substituting your DSN name and the lrsqlaudit user's password:
    DSN=[DSNName];Uid=lrsqlaudit;Pwd=[lrsqlauditUserPassword]
  9. Test the UDLA query and click OK to save the configuration.
  10. Repeat steps 1-9 for the other Shadow tables.

Audited Tables

Each shadow table that is enabled by default is listed below with a brief description of the changes it records and the UDLA configuration file(s) used to collect it.

Table Name / Description / UDLA Configuration Files

AIERule_Shadow
    Description: Records when a change is made to AIE Rule configurations/settings.
    UDLA configuration files: AIERuleConfig.xml, AIERuleSets.xml

AIERuleSet_Shadow
    Description: Records when a change is made to AIE Rule Sets.
    UDLA configuration files: AIERuleSets.xml

AIERuleSetToWorkload_Shadow
    Description: Records when a Workload's AIE Rule Set assignments are modified, i.e., when a Rule Set is included in or excluded from a Workload.
    UDLA configuration files: AIERuleSetToWorkLoad.xml

AIERuleToEngine_Shadow
    Description: Records when an AIE Server's AIE Rule assignments are modified.
    UDLA configuration files: AIERuleToEngine.xml

AlarmRule_Shadow
    Description: Records changes to Alarm rules.
    UDLA configuration files: Alarm.xml

Entity_Shadow
    Description: Records changes to the Entity structure.
    UDLA configuration files: Entity.xml

GlobalLogProcessingRule_Shadow
    Description: Records modifications to GLPRs.
    UDLA configuration files: GLPR.xml

Identity_Shadow
    Description: Records changes to Identities.
    UDLA configuration files: Identity.xml

MsgSource_Shadow
    Description: Records changes to Log Sources.
    UDLA configuration files: MsgSource.xml

Person_Shadow
    Description: Records when a change is made to a Person record on the People tab.
    UDLA configuration files: Person.xml

SCUser_Shadow
    Description: Records when a change is made to an LR User Account (LR Login Account).
    UDLA configuration files: User.xml
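As an added verification query (not part of the LogRhythm documentation), the following checks, for every shadow table listed above, that the table actually exists in LogRhythmEMDB and reports which permissions the lrsqlaudit account has been granted directly on it, flagging any write permission; a second result set lists the account's database role memberships, since role-inherited access does not appear as per-table rows. It assumes the tables are in the dbo schema of LogRhythmEMDB and SQL Server 2017 or later (for STRING_AGG).

```sql
-- Added verification query; not vendor code. Assumes dbo schema in LogRhythmEMDB
-- and SQL Server 2017+ for STRING_AGG.
USE [LogRhythmEMDB];
GO

-- Expected shadow tables, copied from the Audited Tables list on this page.
DECLARE @expected TABLE (table_name sysname PRIMARY KEY);
INSERT INTO @expected (table_name) VALUES
    (N'AIERule_Shadow'), (N'AIERuleSet_Shadow'), (N'AIERuleSetToWorkload_Shadow'),
    (N'AIERuleToEngine_Shadow'), (N'AlarmRule_Shadow'), (N'Entity_Shadow'),
    (N'GlobalLogProcessingRule_Shadow'), (N'Identity_Shadow'), (N'MsgSource_Shadow'),
    (N'Person_Shadow'), (N'SCUser_Shadow');

-- NULL if the lrsqlaudit database user has not been created in this database.
DECLARE @collector int = DATABASE_PRINCIPAL_ID(N'lrsqlaudit');

-- One row per expected table: does it exist, and what is granted on it directly?
SELECT
    e.table_name,
    CASE WHEN t.object_id IS NULL THEN 'MISSING' ELSE 'present' END AS table_state,
    ISNULL(STRING_AGG(p.permission_name, ', '), '(none)')           AS direct_permissions,
    CASE WHEN SUM(CASE WHEN p.permission_name IN (N'INSERT', N'UPDATE', N'DELETE',
                                                 N'ALTER', N'CONTROL', N'TAKE OWNERSHIP')
                       THEN 1 ELSE 0 END) > 0
         THEN 'write access: review' ELSE 'read-only' END           AS finding
FROM @expected AS e
LEFT JOIN sys.tables AS t
       ON t.name = e.table_name
      AND t.schema_id = SCHEMA_ID(N'dbo')
LEFT JOIN sys.database_permissions AS p
       ON p.class = 1                       -- object- or column-level permission
      AND p.major_id = t.object_id
      AND p.grantee_principal_id = @collector
      AND p.state IN ('G', 'W')             -- GRANT / GRANT WITH GRANT OPTION
GROUP BY e.table_name, t.object_id
ORDER BY e.table_name;

-- Per-table rows miss access inherited through roles or schema-level grants, so
-- also list every database role the collector belongs to. For a least-privilege
-- account this result set should be empty (membership of public is implicit).
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE rm.member_principal_id = @collector;
GO
```

A table reported as MISSING means the matching UDLA configuration file will have nothing to query, so the import in the Configure Log Sources steps will fail its test; a row whose finding is anything other than read-only, or any role membership in the second result set, means the account is broader than a log collector needs.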