External Logging Configuration
The Skyhigh CASB On-Prem Proxy can be configured to send log messages to an external Splunk SEIM, logging information from the following sources.
Proxy Admin App Usage
Interaction with the Proxy Admin App causes the on-prem proxy to generate log messages.
The following events are logged:
- Successful log in. Includes username, time, and date.
- Failed log in. Includes username, time, and date.
- Configuration change. Contains time, date, parameter changed, previous value, and new value. Note that certain values may be masked in the logs (items like passwords, keys and salt values are never logged, however there will be a message indicated that the value was updated)
- Admin app session ended. Contains time and date.
- SSH Login. Contains username, time, and date.
- Failed SSH Login. Contains username, time, and date.
- SSH Session end. Contains username, time, and date.
Error Conditions
Any error message from the NGINX core will be logged.
Access
Contains details of the NGINX access log. Every request that gets proxied to/from a protected CSP will be logged.
Enable or Change the Log Level
To enable or change the log level:
- Log into the local proxy Admin App.
- Navigate to the Log Settings tab.
- Click the External Logging Enable toggle to make sure External Logging is enabled.
- Enter the hostname or IP address and port of the external Splunk SEIM
- Set the log level. The allowable levels are:
- Admin. Sends admin logs to the external server.
- Error. Sends error logs plus all the admin logs to the external server.
- Access. Sends access logs, plus all the Error and Admin logs, to the external server.
NOTE: Enabling Access logs may have a negative performance impact.