Netskope Help

Audit Events generated by the Appliance CLI

You can audit various actions taken on the appliance, such as all shutdown and startup events, all login/logout attempts, SSH connection attempts from an IP address that is not allowlisted (see Manage SSH Connections by Allowlisting an IP ), and all commands executed by the users on the nsshell (except configure and exit). All commands are logged whether or not they succeed.

As a security measure, you can forward all the appliance command logs to your syslog or SIEM server. Currently, only UDP-based syslog is supported.

To configure the syslog server destination,

  1. Open nsshell to the appliance and enter these commands:

    add audit-logging destinations
    #{server response should be} added index 0
    
    set audit-logging destinations 0 host <hostname>
    set audit-logging destinations 0 port <port number>
    set audit-logging destinations 0 protocol [TCP | UDP]
    
    set audit-logging enable true

    Tip

    Enter false in the last command to turn off this feature.

  2. Once enabled, review the log file on the system specified in the host and port commands.