Set up Log Inspection

You need a Workload Security license to enable Log Inspection. For an overview of the Log Inspection module, see Analyze logs.

To use Log Inspection, follow the steps in these procedures:

  1. Turn on the Log Inspection module
  2. Run a recommendation scan
  3. Apply the recommended Log Inspection rules
  4. Test Log Inspection
  5. Configure Log Inspection event forwarding and storage

Turn on the Log Inspection module

Turn on Log Inspection for a policy:

  1. Go to Policies.
  2. Double-click the policy.
  3. Click Log Inspection > General.
  4. Select On for Log Inspection State.
  5. Click Save.

Run a recommendation scan

Run a recommendation scan on the computer for recommendations about which rules are appropriate to apply.

Apply the recommended Log Inspection rules

Workload Security ships with many predefined rules covering a wide variety of operating systems and applications. When you run a recommendation scan, you can choose to have Workload Security automatically implement recommendations, or you can choose to manually select and assign the rules.

Although Workload Security ships with Log Inspection rules for many common operating systems and applications, you also have the option to create your own custom rules. To create a custom rule, you can either use the Basic Rule template, or you can write your new rule in XML. For information on how to create a custom rule, see Define a Log Inspection rule for use in policies.

Test Log Inspection

Before completing Log Inspection configuration, test that the rules are working correctly:

  1. Ensure Log Inspection is enabled.
  2. From the Computer or Policies editor, go to Log Inspection > Advanced.
  3. Set Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level to Low (3) then click Save.
  4. On the General tab, click Assign/Unassign.
  5. Enable the rules for the platform:
    • For Windows, search for and enable 1002795 - Microsoft Windows Events to log events every time the Windows auditing functionality registers an event.
    • For Linux, search for and enable 1002831 - Unix - Syslog to inspect the syslog for events.
  6. Click OK, then click Save.
  7. Try to log in to the server with an account that does not exist.
  8. Go to Events & Reports > Log Inspection Events to verify the record of the failed login attempt. A record of the detection indicates Log Inspection is working correctly.

Configure Log Inspection event forwarding and storage

When an event triggers a Log Inspection rule, Workload Security logs the event. You can view these Log Inspection events under Events & Reports and in the Policy editor. See Log Inspection events. Depending on the severity of the event, you can send the event to a syslog server (see Forward Workload Security events to an external syslog or SIEM server) or use severity clipping to control which events are stored in the database.

To configure severity clipping:

  1. Go to Policies.
  2. Double-click the policy.
  3. Click Log Inspection > Advanced.
  4. Choose a severity level between Low (0) and Critical (15) for Send Agent/Appliance events to syslog when they equal or exceed the following severity level. This setting determines which events triggered by those rules get sent to the syslog server when syslog is enabled.
  5. Choose a severity level between Low (0) and Critical (15) for Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level. This setting determines which Log Inspection events the database keeps and which appear in Log Inspection Events.
  6. Click Save.
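The following added example (not Workload Security code or one of its built-in rules) models the two mechanisms described above: the failed-login check from the test procedure, applied to constructed syslog lines of the kind rule 1002831 inspects, followed by severity clipping with separate syslog-forwarding and storage thresholds on the page's Low (0) to Critical (15) scale. The match patterns and the severities they assign are assumptions for illustration, not the values the product's rules emit.

```python
import re
from dataclasses import dataclass

# Constructed syslog lines used as sample input for this example;
# they are not output captured from Workload Security.
SAMPLE_SYSLOG = """\
Mar  3 10:12:01 web01 sshd[2231]: Failed password for invalid user backup2 from 10.0.0.5 port 51022 ssh2
Mar  3 10:12:05 web01 sshd[2231]: Failed password for alice from 10.0.0.5 port 51030 ssh2
Mar  3 10:12:09 web01 sshd[2240]: Accepted publickey for alice from 10.0.0.5 port 51034 ssh2
Mar  3 10:12:11 web01 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Thresholds on the page's severity scale, Low (0) .. Critical (15).
# The forwarding value is an assumption; the storage value is the Low (3)
# setting the test procedure above asks for.
SYSLOG_FORWARD_THRESHOLD = 8
STORE_THRESHOLD = 3


@dataclass
class LogInspectionEvent:
    severity: int
    description: str
    raw: str


# Hypothetical decoders standing in for individual Log Inspection rule matches.
# Order matters: the "invalid user" form must be tried before the generic one.
_PATTERNS = [
    (re.compile(r"sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+)"),
     10, "failed login, unknown account {0} from {1}"),
    (re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)"),
     5, "failed login for {0} from {1}"),
    (re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)"),
     3, "successful login for {0} from {1}"),
]


def inspect(lines):
    """Return one event per syslog line matching a pattern; unmatched lines yield nothing."""
    events = []
    for line in lines.splitlines():
        for pattern, severity, template in _PATTERNS:
            m = pattern.search(line)
            if m:
                events.append(LogInspectionEvent(severity, template.format(*m.groups()), line))
                break
    return events


def clip(events, forward_at=SYSLOG_FORWARD_THRESHOLD, store_at=STORE_THRESHOLD):
    """Severity clipping: an event is forwarded to syslog, and separately stored, only when
    its severity equals or exceeds the respective threshold. Returns (forwarded, stored)."""
    forwarded = [e for e in events if e.severity >= forward_at]
    stored = [e for e in events if e.severity >= store_at]
    return forwarded, stored
```

With the sample input, the unknown-account attempt is the only event that reaches syslog, while all three login-related events clear the Low (3) storage threshold; the cron line produces no event at all.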