Netskope Help

Audit Events on an Appliance

You can audit various actions taken on the appliance, such as all shutdown and startup events, all login/logout attempts, SSH connection attempts from an IP address that is not allowlisted (see Manage SSH Connections by Allowlisting an IP), and all commands executed by users on the nsshell (except configure and exit). All commands are logged whether or not they succeed. These events are forwarded to the specified syslog servers. Currently, only UDP-based syslog is supported.

  1. Open an nsshell to the appliance and enter these commands:

    add audit-logging destinations
    # The server response should be: added index 0
    
    set audit-logging destinations 0 host <hostname>
    set audit-logging destinations 0 port <port number>
    set audit-logging destinations 0 protocol [TCP | UDP]
    
    set audit-logging enable true

    Tip

    Enter false in the last command to turn off this feature.

  2. Once enabled, review the log file on the system specified in the host and port commands.
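To check that audit events from the appliance actually arrive at the configured host and port, a small UDP listener can stand in for the syslog server during setup. This is an added example, not Netskope code; port 5514, the appliance address 192.0.2.10 and the log file name are assumptions, and the message body is kept verbatim because this page does not describe its format.

```python
import re
import socket

# Facility and severity names indexed by code, per the syslog PRI encoding.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_datagram(data, sender_ip):
    """Decode the <PRI> header; the message body is kept verbatim."""
    rec = {"sender": sender_ip, "facility": None, "severity": None}
    m = PRI_RE.match(data)
    if m and int(m.group(1)) <= 191:  # 191 = local7.debug, the highest valid PRI
        pri = int(m.group(1))
        rec["facility"] = FACILITIES[pri >> 3]
        rec["severity"] = SEVERITIES[pri & 7]
        data = data[m.end():]
    rec["message"] = data.decode("utf-8", "replace").strip()
    return rec

def receive(bind_addr, port, allowed_senders, count, logfile, timeout=30.0):
    """Append up to `count` events from allowed senders to `logfile`."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(logfile, "a", encoding="utf-8") as out:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(records) < count:
            try:
                data, (ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break  # nothing arrived: check host, port and firewall rules
            # UDP source addresses can be spoofed, so this filter only keeps
            # stray traffic out of the file; it does not authenticate the sender.
            if ip not in allowed_senders:
                continue
            rec = parse_datagram(data, ip)
            out.write(f"{ip} {rec['facility']}.{rec['severity']} {rec['message']}\n")
            out.flush()
            records.append(rec)
    return records

if __name__ == "__main__":
    # Assumed values: set the destination port to 5514 on the appliance and
    # replace 192.0.2.10 with the appliance's address.
    for event in receive("0.0.0.0", 5514, {"192.0.2.10"}, 5, "appliance-audit.log"):
        print(event)
```

Running any nsshell command after `set audit-logging enable true` should produce a line in the file; a timeout with no records means the events are not reaching this host.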