Audit log forwarding

Audit log forwarding enables the Infrastructure administrator to forward audit logs to remote Security Information and Event Management (SIEM) systems. Such systems enable centralized audit compliance, monitoring, log analysis, and controlled retention policies.

The forwarding protocol used is the standard UDP-based syslog protocol described in RFC5424 and RFC5426. The syslog protocol is supported by all common syslog servers such as rsyslog, syslog-ng, and SIEM products.

NOTE:

Ensure that any firewalls between Infrastructure administrator and the remote syslog server allow UDP traffic. The default UDP port used is 514.

As audit log entries are forwarded over UDP, the entries are not encrypted and delivery is not guaranteed. Even when you have Infrastructure administrator and all managed devices on a dedicated, isolated management LAN, forwarding audit log entries to external systems can pose a security risk. In an environment where encryption is required, use the REST API /rest/audit-logs to schedule a job to download the appliance audit logs. For more information, see the HPE OneView API Reference.

More information

Forward an audit log