How to configure Audit Tracking for Administrator Activity (Log Admin Activity)
Created On 11/29/22 08:51 AM - Last Modified 09/05/23 10:09 AM
Objective
This document describes how to configure the Audit Tracking for Administrator Activity feature, illustrated with screenshots.
Environment
- PA-Series Next-Generation Firewalls
- PAN-OS 10.1 or higher
Procedure
1. Create Syslog Server Profile
DEVICE>Server Profiles>Syslog>Add>[NAME]>Servers>Add
2. Configure Log Admin Activity
DEVICE>Setup>Management>Logging and Reporting Settings>[Gear Wheel Icon]>Log Export and Reporting
Options for Log Admin Activity:
- Debug and Operational Commands: Generate an audit log when an administrator executes an operational or debug command in the CLI or an operational command triggered from the web interface. See the CLI Operational Command Hierarchy for a full list of PAN-OS operational and debug commands.
- UI Actions: Generate an audit log when an administrator navigates throughout the web interface. This includes navigation between configuration tabs, as well as individual objects within a tab. For example, an audit log is generated when an administrator navigates from the ACC to the Policies tab. Additionally, an audit log is generated when an administrator navigates from Objects>Addresses to Objects>Tags.
- Syslog Server: Select a target syslog server profile to forward audit logs.
3. Click OK
4. Select Commit
*When performing steps 2 to 4 through the CLI, the following commands can be used.
admin@PA-820# set deviceconfig setting management audit-tracking op-commands yes ui-actions yes send-syslog syslog-profile
[edit]
admin@PA-820# commit
Commit job 13 is in progress. Use Ctrl+C to return to command prompt
......................................55%.........75%.....98%........................100%
Configuration committed successfully
[edit]
admin@PA-820# show | match audit-tracking
set deviceconfig setting management audit-tracking op-commands yes
set deviceconfig setting management audit-tracking ui-actions yes
set deviceconfig setting management audit-tracking send-syslog syslog-profile
[edit]
admin@PA-820#
Here are the first 3 sample audit logs generated just after the commit operation, shown in the 2 available formats (BSD or IETF can be selected when configuring the Syslog Server Profile).
[1] When BSD is selected as FORMAT under Syslog Server Profile:
Nov 29 13:47:42 10.137.102.1 012001001390,2022/11/29 13:47:42,audit,2562,gui-op,admin,"<check><full-commit-required/></check>",success
Nov 29 13:47:43 10.137.102.1 012001001390,2022/11/29 13:47:43,audit,2562,gui-op,admin,"<show><config><list><change-summary/></list></config></show>",success
Nov 29 13:47:43 10.137.102.1 012001001390,2022/11/29 13:47:43,audit,2562,gui-op,admin,"<show><config><commit-scope><partial/></commit-scope></config></show>",success
[2] When IETF is selected as FORMAT under Syslog Server Profile:
Nov 28 21:51:45 10.137.102.1 1 2022-11-29T14:51:55+09:00 PA-820 - - - - 012001001390,2022/11/29 14:51:55,audit,2562,gui-op,admin,"<check><full-commit-required/></check>",success
Nov 28 21:51:46 10.137.102.1 1 2022-11-29T14:51:55+09:00 PA-820 - - - - 012001001390,2022/11/29 14:51:55,audit,2562,gui-op,admin,"<show><config><list><change-summary/></list></config></show>",success
Nov 28 21:51:46 10.137.102.1 1 2022-11-29T14:51:55+09:00 PA-820 - - - - 012001001390,2022/11/29 14:51:55,audit,2562,gui-op,admin,"<show><config><commit-scope><partial/></commit-scope></config></show>",success
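Since these audit logs exist only on the syslog server, a collector needs to strip the syslog framing and split the CSV payload before it can build a per-administrator activity history. The following parser is an added example (not from the article or from PAN-OS) that handles both the BSD and the IETF framing shown above; the sample lines are constructed from the article's examples, and the CSV field names are assumptions based on what those lines visibly contain (the article does not name the fourth numeric field).

```python
import csv
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed samples: one BSD-format and one IETF-format line, with the same
# field layout and values as the audit logs shown in the article.
SAMPLE_LINES = [
    'Nov 29 13:47:42 10.137.102.1 012001001390,2022/11/29 13:47:42,audit,2562,gui-op,admin,"<check><full-commit-required/></check>",success',
    'Nov 28 21:51:45 10.137.102.1 1 2022-11-29T14:51:55+09:00 PA-820 - - - - 012001001390,2022/11/29 14:51:55,audit,2562,gui-op,admin,"<show><config><list><change-summary/></list></config></show>",success',
]

# The CSV payload begins at the firewall serial number followed by the receive
# time; everything before it is syslog framing (BSD header, or RFC 5424 header).
PAYLOAD_RE = re.compile(r"(\d+,\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},audit,.*)$")
# IETF framing: version "1", ISO timestamp, then the firewall hostname.
IETF_RE = re.compile(r"\s1 \d{4}-\d{2}-\d{2}T\S+ (?P<host>\S+) ")


@dataclass
class AuditEvent:
    syslog_format: str        # "BSD" or "IETF"
    hostname: Optional[str]   # only present in the IETF header
    serial: str
    receive_time: str
    log_type: str             # always "audit" for this feature
    numeric_id: str           # 4th CSV field; not named in the article, kept opaque
    subtype: str              # e.g. gui-op
    admin: str
    command: str              # operational command in its XML form
    result: str


def parse_audit_line(line: str) -> AuditEvent:
    m = PAYLOAD_RE.search(line)
    if not m:
        raise ValueError("not a PAN-OS audit log line")
    ietf = IETF_RE.search(line[: m.start()])
    fields = next(csv.reader([m.group(1)]))   # csv handles the quoted XML field
    if len(fields) != 8 or fields[2] != "audit":
        raise ValueError("unexpected audit payload: %r" % (fields,))
    return AuditEvent("IETF" if ietf else "BSD", ietf.group("host") if ietf else None, *fields)


def activity_by_admin(events: List[AuditEvent]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Ordered (receive_time, command, result) history per administrator account."""
    history: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.receive_time):
        history[e.admin].append((e.receive_time, e.command, e.result))
    return dict(history)
```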
Additional Information
About the Feature
- PAN-OS 10.1 introduces the Audit Tracking for Administrator Activity feature
- By tracking administrator activity in the web interface and CLI, you can achieve real time reporting of activity across your deployment
- If you have reason to believe an administrator account is compromised, you have a full history of where that account navigated in the web interface and which operational commands it executed, so you can analyze in detail and respond to every action the compromised administrator took
How the Feature Works
- An event occurs and generates an audit log, which is forwarded to the specified syslog server each time you navigate through the web interface or when you execute an operational command in the CLI
- Each navigation or command executed generates an audit log
- As an example, when creating a new address object you generate one audit log when you click Objects, and a second audit log when you then click Addresses
Consideration
- Audit logs can only be forwarded to a syslog server, cannot be forwarded to Cortex Data Lake (CDL), and are not stored locally on the firewall, Panorama, or Log Collector
- The Audit Tracking for Administrator Activity feature can't be used on PA-5200 and PA-7000 platforms running PAN-OS 10.2.3, 10.1.8, 11.0.0, or earlier due to PAN-207610
- A separate KB article "Audit Tracking for Administrator Activity (Log Admin Activity) is not shown under DEVICE>Setup>Management>Logging and Reporting Settings>Log Export and Reporting" will be published in the future