Audit Logs

Only when the LogServer function has been configured on an Appliance within the Collective will there will be an Audit Logs menu item shown. If it is not showing yet, sign-out of the admin UI and then sign-in again.

The Audit Logs menu item will redirect you to the LogServer which uses OpenSearch as the UI engine for searching / displaying logs. Appgate SDP provides a number of pre-configured report scripts. The UI also provides a number of tools to create your own data reports and 'visualizations' to illustrate Appgate SDP performance.

Details of all the different types of Audit Logs generated by the Appgate SDP Collective are provided in the System monitoring and logs section.

Background information

For information about the handling of audit logs within the Appgate SDP system refer to the System monitoring and logs section.

Using The LogServer

This page provides details about how to use OpenSearch and perform some basic searches. For more information you can also try the OpenSearch User Guide: https://docs.aws.amazon.com/opensearch-service/?id=docs_gateway

Pre-configured tools

The menu (top left) includes OpenSearch Dashboards. the following three are likely to be of most use:

Dashboard

There are two prepared dashboards: Appgate Appliances and Appgate User Activity.

Visualize

There is a list of prepared visualizations such as Client version used by OS and Configuration changes.

Discover

This is the main tool for performing log analysis. There are also some pre-prepared search scripts which can be accessed by clicking Open at the top right hand side of the screen:

Pre-configured logserver scripts:

Pre-prepared search scripts including authentication and device claims.

Changing time-frame

To change the time-frame for the audit log report, click on the calendar button next to the displayed time window:

Time selection options for changing the time frame of an audit report.

Filtering the data

Changing parameters

You can add or delete the parameters that are included in the search report. For example the "Controller Audit logs" script displays the Time, DN, daemon and event-type parameters:

Gateway audit logs displaying session events and timestamps for monitoring activity.

To add a parameter to the report, use the Available Fields list on the left hand side of the UI and click <+> next to the parameter you wish to add to the report.

To remove a parameter from the report, use the Selected Fields list on the left hand side and click <X> next to the appropriate parameter:

Log analysis interface displaying event types and distinguished names with a bar chart.

Filtering searches

It is also easy to filter searches. Just expand any field and it shows the most common values in that field. The <+> & <-> can be used to filter the search to include or exclude that type.

Logstash audit logs displaying event types and their corresponding counts over time.

In this case only cz-vpnd logs are displayed

Using the search bar

You can enter your own search terms in the search bar to customize searches such as: event_type: ip_access && distinguished_name_user: testuser

However it might be easier to just filter by value. The <+> & <-> can be used to filter the search to include or exclude that value.

Audit logs displaying event types and timestamps for various daemons and distinguished names.

In this case the type filter is 'authentication_succeeded' and the value filter is for 'Annie'.