
Purge certain events in the Audit Log


We have tied our ePO into the McAfee Network Security Manager (NSM) so that all events can be tied into one interface.  There is a plug-in that allows you to put in the IP and username to allow it to send events to the NSM. Under Reporting > Audit Log, the problem we are having is that the audit log fills up quickly with numerous events every second saying "username logged in" or "usernamed logged out."  I would like to purge these events without purging any other events, but it appears the only option is to purge records older than X amount of days.  Unlike the event log, you can't purge by a query which is what I would ideally like to do.  I guess it makes sense that you wouldn't want to allow the system to selectively remove audit records, but I would like to keep a record of everything else without all the noise of the login/logout events.  Is this possible, or does anyone know how to prevent the login/logout events from logging in the audit log?

ePO 4.0

1 Solution

Accepted Solutions
McAfee Employee
Message 9 of 11

Re: Purge certain events in the Audit Log


Okay, I spoke to the IntruShield team and this is as designed. The entries are caused by the Threat Analyser - it has to log in to ePO as an ePO user, and it's these logins that you are seeing in the log.

Sorry

Regards -

Joe

10 Replies
McAfee Employee
Message 2 of 11

Re: Purge certain events in the Audit Log


I don't think there's a way to do this at this point - but it would make a good FMR, I think.

HTH -

Joe

Re: Purge certain events in the Audit Log


Do you know if there is a way to stop logging just the login and logout events?  The audit log is virtually useless unless I export it and filter out all these events, plus I may miss a legitimate event.

McAfee Employee
Message 4 of 11

Re: Purge certain events in the Audit Log


I'm not aware of a way to filter it, no. This is in the audit log? Can you post an example of one of the events? It's just that this log would normally log users logging on and off from an ePO console, which I would not expect to see multiple times a second as you describe...

Thanks -

Joe

Re: Purge certain events in the Audit Log


Joe,

Attached is a screenshot of my audit logs.  As you can see, it generates a lot of events, and that is filtered for only 1 day.  For some reason, it seems like it logs in and logs out for every event generated by HIPS to report it to the NSM.

McAfee Employee
Message 6 of 11

Re: Purge certain events in the Audit Log


Ah, OK. Is this the Intrushield Manager we're talking about? It's not something I'm familiar with but I can have a word with my colleagues...

Thanks -

Joe

Re: Purge certain events in the Audit Log


Yeah, that is correct. I installed the plug-in that was downloaded from the Netscreen Security Manager and installed it on the ePO.  I have been getting the multiple log entries ever since.

McAfee Employee
Message 8 of 11

Re: Purge certain events in the Audit Log


Okay, let me have a word with the IntruShield guys and I'll see what I can do. It may be that this is as designed, though.

Regards -

Joe

Re: Purge certain events in the Audit Log


Doh, I was afraid of that.  Eventually we will be getting ArcSight, so we won't need this ePO connection to the IntruShield Manager so that should resolve the issue.  I was just hoping there was a fix for this in the meantime.  Thanks for checking.
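The workaround mentioned earlier in the thread (export the audit log and filter out the noise) combined with the accepted answer (the noise is the Threat Analyser's own ePO account logging in and out) suggests a safer filter than dropping every login/logout row: drop only those rows for the known integration account, and keep everything else, including any non-login action that account performs. This is an added example, not code from the thread or from McAfee; the CSV column names and the account name "nsm_svc" are assumptions.

```python
import csv
import io

# Constructed sample of an ePO audit log export. The column names and the
# integration account name "nsm_svc" are assumptions, not the product's own.
SAMPLE_EXPORT = """\
Time,User,Action,Success
2009-03-02 10:00:01,nsm_svc,logged in,True
2009-03-02 10:00:01,nsm_svc,logged out,True
2009-03-02 10:00:02,nsm_svc,logged in,True
2009-03-02 10:00:02,nsm_svc,logged out,True
2009-03-02 10:05:17,admin,logged in,True
2009-03-02 10:06:40,admin,Modified policy,True
2009-03-02 10:07:03,nsm_svc,Modified policy,True
2009-03-02 10:09:55,jsmith,logged in,False
"""

LOGIN_ACTIONS = {"logged in", "logged out"}


def filter_audit_export(text, integration_accounts):
    """Return (kept_rows, dropped_count).

    Drops only the login/logout rows produced by the listed integration
    accounts. Everything else is kept: logins by human users (including
    failed ones) and any non-login action taken by the integration
    account, which is exactly the kind of entry the noise would bury.
    """
    kept, dropped = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        is_login_noise = (row["User"] in integration_accounts
                          and row["Action"].lower() in LOGIN_ACTIONS)
        if is_login_noise:
            dropped += 1
        else:
            kept.append(row)
    return kept, dropped


def unexpected_integration_actions(rows, integration_accounts):
    """Rows where the integration account did something other than log in/out."""
    return [r for r in rows if r["User"] in integration_accounts]


if __name__ == "__main__":
    kept, dropped = filter_audit_export(SAMPLE_EXPORT, {"nsm_svc"})
    print(f"dropped {dropped} login/logout rows, kept {len(kept)}")
    for r in kept:
        print(r["Time"], r["User"], r["Action"], r["Success"])
    for r in unexpected_integration_actions(kept, {"nsm_svc"}):
        print("REVIEW:", r["Time"], r["User"], r["Action"])
```

Run against a real export, replace the constructed CSV with the file contents and the assumed column names with those in the export header.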