
Audit Logs

Audit logs provide visibility into users' HTTP, FTP, IM and email operations and how audit policies have been applied.

Prerequisites

Only the audit administrator can view audit logs. By default, no audit administrator is created for the FW. Create an audit administrator and log in to the FW using the audit administrator account to view audit logs.

Context

An FW deployed between an intranet and the Internet generates audit logs when traffic matches the rules defined in the audit profile referenced by an audit policy.

Before viewing audit logs, ensure that you have configured the audit policy function on the FW.

Before querying audit logs on the USG6510E/6510E-POE/6530E, ensure that you have run the log type audit enable command on the FW to enable the recording of audit logs.

The audit log function is license-controlled. To use this function, you must use the dynamic load function to load the content security group.

Procedure

  1. Log in to the web page as audit administrator audit-admin.
  2. Choose Monitor > Logs > Audit Logs to view audit logs.
  3. Choose Customize and select/deselect conditions for audit log display.
  4. Optional: Click the export button to export the displayed audit logs in CSV format to the management PC.
  5. Click Add Filter and select search conditions to filter logs.

    If the device has no disk, click Advanced Search to filter logs.

  6. Optional: Save the current log query conditions as a log query template for future use.

    The next time you want to use these query conditions, select the template name and click OK. The system then queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. A log query template that is no longer needed can be deleted from the same place.

    Only the user that creates a log query template can view or use this template.

    Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.

Log Sample

The following figure shows the audit logs generated within a specific time range:



The following table lists the fields in an audit log. Each entry gives the field name, followed by its description.

View

Click the View button of a log entry. In View Audit Log Details, the details of each field in that audit log are displayed.

In View Audit Log Details, click the Source User, Application, Audit Policy, or Profile field value to open the corresponding object, view it, and modify its settings.

Time

Time when an audit log is generated

Type

Audit log types:

  • FTP
  • HTTP
  • Mail
  • IM
  • Bank Reminder Of Debts

Source Zone

Source security zone of traffic

Destination Zone

Destination security zone of traffic

Source Region

Source region of the traffic

Destination Region

Destination region of the traffic

Source Address

Source IP address of traffic

Source User

User who generates traffic

Destination Address

Destination IP address of traffic

Source Port/Destination Port

Source/Destination port of traffic

Protocol

Protocol type of traffic

Application

Application type of traffic

Action

Action for matching traffic, which can be alert, block, or allow.

Audit Policy

Audit policy that traffic matches

Profile

Audit profile that traffic matches

Audit Behavior

User behaviors. The audit behaviors of different types are as follows:

  • FTP

    • FTP Command Execution
    • File Transfer Through FTP
  • HTTP

    • Web Browsing
    • Microblog Posting
    • BBS Posting
    • File Transfer Through HTTP
    • Search Keyword
    • Abnormal Access
  • Mail

    • Sending Mail
    • Receiving Mail
  • IM

    • Login
    • Logout
    • IM File Transfer
  • Bank Reminder Of Debts

    • Query Account
    • Treat Overdue
    • Query Trade
    • Query Bill
    • Login
    • Add Remarks

Audit Content

User behavior that is being audited

Virtual System

Virtual system that generates the traffic

Virtual Gateway

Virtual gateway that generates the traffic

When analyzing audit logs, you can click Advanced Search and select audit behaviors to query the logs of specific user behaviors. If the audit logs show behaviors that may leak information (for example, file transfers or BBS/microblog posts containing confidential content) or non-work-related behaviors during working hours, modify the corresponding audit policy and audit profiles.
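The same triage can be done offline on the CSV export from step 4 of the procedure. The following script is an added example, not Huawei code: it parses an export whose columns follow the audit-log fields listed in the table above (the exact header of a real export is an assumption; adjust it to match your device), flags leak-prone behaviors whose Audit Content mentions an assumed set of sensitive keywords, and counts each user's behaviors during working hours. The sample CSV is constructed for the example, not captured from a device.

```python
"""Triage an exported FW audit-log CSV for leak-prone and non-work behaviors.

Added example, not Huawei code. Column names follow the audit-log fields
listed on this page; the real export header is an assumption.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample export (not captured from a device). One row per audit log.
SAMPLE_CSV = """Time,Type,Source Zone,Destination Zone,Source Address,Source User,Destination Address,Destination Port,Protocol,Application,Action,Audit Policy,Profile,Audit Behavior,Audit Content
2024-03-11 09:12:30,HTTP,trust,untrust,10.1.1.20,alice,203.0.113.10,443,TCP,HTTP,alert,audit_http,profile_http,Web Browsing,example.com
2024-03-11 10:05:02,HTTP,trust,untrust,10.1.1.20,alice,203.0.113.20,80,TCP,HTTP,alert,audit_http,profile_http,BBS Posting,project codename and launch date
2024-03-11 11:40:15,FTP,trust,untrust,10.1.1.31,bob,198.51.100.7,21,TCP,FTP,alert,audit_ftp,profile_ftp,File Transfer Through FTP,upload customers_q1.xlsx
2024-03-11 13:22:48,HTTP,trust,untrust,10.1.1.45,carol,203.0.113.30,80,TCP,HTTP,alert,audit_http,profile_http,File Transfer Through HTTP,download movie.mkv
2024-03-11 20:15:00,IM,trust,untrust,10.1.1.31,bob,198.51.100.9,443,TCP,IM,alert,audit_im,profile_im,IM File Transfer,design.pdf
2024-03-11 14:01:10,HTTP,trust,untrust,10.1.1.20,alice,203.0.113.40,443,TCP,HTTP,block,audit_http,profile_http,Abnormal Access,unknown host
"""

# Working-hours window used for the "during working hours" check (assumed).
WORK_START, WORK_END = time(9, 0), time(18, 0)

# Audit behaviors from the page's list that move data out of the intranet.
LEAK_BEHAVIORS = {
    "File Transfer Through FTP",
    "File Transfer Through HTTP",
    "IM File Transfer",
    "BBS Posting",
    "Microblog Posting",
    "Sending Mail",
}
# Keywords that must not leave the intranet; assumed list for the example.
SENSITIVE_KEYWORDS = ("codename", "customers", "confidential")


def parse_audit_csv(text):
    """Parse the CSV export into dicts and convert the Time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
    return rows


def during_working_hours(ts):
    """True if the timestamp falls inside the assumed working-hours window."""
    return WORK_START <= ts.time() < WORK_END


def find_leak_candidates(rows):
    """Rows whose behavior can leak data and whose Audit Content has a sensitive keyword."""
    hits = []
    for row in rows:
        if row["Audit Behavior"] in LEAK_BEHAVIORS:
            content = row["Audit Content"].lower()
            if any(k in content for k in SENSITIVE_KEYWORDS):
                hits.append(row)
    return hits


def behaviors_per_user(rows, working_hours_only=True):
    """Count audit behaviors per Source User, optionally only during working hours."""
    counts = defaultdict(Counter)
    for row in rows:
        if working_hours_only and not during_working_hours(row["Time"]):
            continue
        counts[row["Source User"]][row["Audit Behavior"]] += 1
    return counts


def summarize(text):
    """Build a small report: totals, blocked count, leak users, per-user behavior counts."""
    rows = parse_audit_csv(text)
    leaks = find_leak_candidates(rows)
    per_user = behaviors_per_user(rows)
    return {
        "total": len(rows),
        "blocked": sum(1 for r in rows if r["Action"] == "block"),
        "leak_users": sorted({r["Source User"] for r in leaks}),
        "per_user": {user: dict(c) for user, c in per_user.items()},
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    print(f"{result['total']} logs, {result['blocked']} blocked")
    print("possible leaks by:", ", ".join(result["leak_users"]))
    for user, counts in result["per_user"].items():
        print(user, counts)
```

Users listed under possible leaks are the ones whose audit policy and data filtering profile deserve a look first; the per-user counts restricted to working hours show who is transferring large files or posting during the day, which maps to the URL filtering and application behavior control changes described under Profile below.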

The following table describes what you can change from each field in View Audit Log Details.

Table 1 Audit log field settings (field name, followed by the settings you can modify from it)

Audit Policy

Click the Audit Policy field value of a specific audit log. In Modify Audit Policy, you can change the settings of the source address, destination address, user, application, time range, action, and audit profile. For details on how to change the settings, see Configuring an Audit Policy.

Profile

Click the Profile field value of a specific audit log. Modify Audit Profile is displayed. You can reconfigure the audit or other profiles. For example:

  • If users frequently access non-work-related websites during working hours, you can modify the URL filtering profile to blacklist these websites.
  • If users post confidential information and non-work-related information on BBS or microblogs, modify the data filtering profile. Add keywords about the confidential information to the keyword group of data filtering rules and set the action for the rules to block.
  • If users download large-sized videos through HTTP or FTP, modify the application behavior control profile. Set a threshold size for files that can be downloaded. Downloading of files larger than this size will be blocked.

For operation details, see Security Policy.

Copyright © Huawei Technologies Co., Ltd.