Monitor Logged Events
Report Halo audit events for compliance
Halo Logging and Alerting
Halo logging and alerting is a built-in service that captures event information generated by all of the Halo security modules, by Halo user actions, and by actions on Halo-protected servers. Halo stores these events centrally, and reports on them in a variety of forms, including summaries and details displayed in the Halo portal, email alerts sent to administrator inboxes, and event data exported to third-party analytical tools.
Logging and alerting is always "on" and available to all Halo users, but you decide what and how much you want logged and who needs to be notified. For example:
- Most of Halo's policy-based security modules allow you to separately turn logging or alerting on or off for each rule in a policy, to flag the more serious ones as Critical, and to generate email alerts for the most serious of them.
- You can implement a special events policy to control the logging and alerting of server-related events across your infrastructure.
- You can control which routine audit events (logins, policy assignments, password changes, and so on) should be logged or alerted on.
- You can create alert profiles, which control who should receive email alerts for various events.
To review logged events, you can view alerts in your email inbox, view event summaries on the Halo portal dashboard page, or view and search for events on several other portal pages.
Integrating Events with Analytical Tools. The Halo API includes the capability to export complete or filtered event information that you can then feed into a variety of third-party analytical tools. CloudPassage has used this capability to create an integration tool (Halo Event Connector) that you can use out-of-the-box for this purpose.
CloudPassage Halo automatically logs a large number of events for auditing purposes—for example, every time a Halo user logs in or out or fails trying, every time a policy is created, assigned, moved, or deleted, and every time an API key is created, deleted, or even viewed, an event is logged.
If you set up a special events policy (see Step 2 of Monitor Halo security events), you can specify that Halo should also log server-related audit events, including server shutdown, restart, move, or deletion; local account creation or deletion; and Halo agent version change.
Halo can log approximately 100 different types of audit events, and you can view them all on the Security Events History page in the Halo Portal. Using the CloudPassage API, you can also export them to external tools for further analysis.
Analyzing audit events is useful in preparing reports for compliance purposes, and also in performing forensic investigations of potentially compromised servers.
To prepare a simple audit report that might be sufficient for compliance purposes, do this:
- Log into the Halo Portal and navigate to Servers > Security Events History.
- Say, for example, that you want to report on all multi-factor network authentication server-access activity over the previous quarter. In the search filter controls, set the date range to "past 90 days". For the event types, select all GhostPorts events (including creation or removal of a GhostPorts user, successful or failed login by a user, and closure of a user's GhostPorts session). Leave the other filters with their default "All" setting.
- Click Filter, then view the results. You can sort the results by criticality, event type, and server or server group (if applicable). Then browse the results to look for unusual or unexpected events.
- To save these search results as a report, you might first set the pagination on the Security Events History page to 100 events per page (the maximum), and then use your browser commands to print the page or save it as a PDF. If you have more than 100 events in the record, you can generate multiple PDF files.
Note: If, for the purposes of your report, you need more detailed or specific event information, such as the exact timestamp for the event creation, you can retrieve the events using the CloudPassage API instead of the Halo Portal, and then manipulate the events with a script or import them into a log-management tool for further analysis.
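The script below is an added example of the API-based alternative described in the note and of the GhostPorts report built in the steps above; it is not CloudPassage's own code. It pages through an events feed 100 records at a time, keeps only GhostPorts event types inside a 90-day window, sorts critical events to the top, and writes a CSV with full timestamps. The endpoint path (`/v1/events`), its query parameters (`since`, `until`, `page`, `per_page`), the JSON field names, and the GhostPorts event type identifiers are all assumptions made for this example, not values taken from the Halo API documentation; the sample events are constructed so the report runs offline.

```python
"""Build a GhostPorts audit report from Halo events (added example, not CloudPassage code)."""
import csv
import io
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

PAGE_SIZE = 100  # the portal's per-page maximum; assumed to apply to the API as well

# Assumed event type identifiers covering the GhostPorts events named in the steps above.
GHOSTPORTS_TYPES = {
    "ghostports_user_add", "ghostports_user_remove",
    "ghostports_login_success", "ghostports_login_failure",
    "ghostports_session_close",
}

# Fixed report window so the example is deterministic: the 90 days ending 2014-07-01.
REPORT_END = datetime(2014, 7, 1, tzinfo=timezone.utc)
REPORT_START = REPORT_END - timedelta(days=90)

# Constructed sample events in the JSON shape this example assumes the API returns.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "ghostports_login_success", "critical": False,
     "created_at": "2014-06-28T10:15:00Z", "server_hostname": "web-01", "actor_username": "alice"},
    {"id": "e2", "type": "ghostports_login_failure", "critical": True,
     "created_at": "2014-06-29T02:40:11Z", "server_hostname": "web-01", "actor_username": "mallory"},
    {"id": "e3", "type": "ghostports_login_failure", "critical": True,
     "created_at": "2014-03-15T08:00:00Z", "server_hostname": "db-01", "actor_username": "bob"},
    {"id": "e4", "type": "policy_create", "critical": False,
     "created_at": "2014-06-10T12:00:00Z", "server_hostname": "", "actor_username": "alice"},
    {"id": "e5", "type": "ghostports_user_remove", "critical": False,
     "created_at": "2014-05-05T09:30:00Z", "server_hostname": "", "actor_username": "alice"},
    {"id": "e6", "type": "ghostports_session_close", "critical": False,
     "created_at": "2014-07-02T00:01:00Z", "server_hostname": "web-02", "actor_username": "carol"},
]

FetchPage = Callable[[int, str, str], List[Dict]]


def make_http_fetcher(token: str, base_url: str = "https://api.cloudpassage.com") -> FetchPage:
    """Page fetcher for the live API (assumed endpoint and parameters; not run offline)."""
    def fetch_page(page: int, since: str, until: str) -> List[Dict]:
        query = urllib.parse.urlencode(
            {"since": since, "until": until, "page": page, "per_page": PAGE_SIZE})
        req = urllib.request.Request(f"{base_url}/v1/events?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("events", [])
    return fetch_page


def make_list_fetcher(events: List[Dict]) -> FetchPage:
    """Offline fetcher that slices an in-memory list into API-sized pages (ignores dates)."""
    def fetch_page(page: int, since: str, until: str) -> List[Dict]:
        start = (page - 1) * PAGE_SIZE
        return events[start:start + PAGE_SIZE]
    return fetch_page


def fetch_all_events(fetch_page: FetchPage, since: str, until: str) -> List[Dict]:
    """Walk pages until a short (or empty) page signals the end of the feed."""
    page, collected = 1, []
    while True:
        batch = fetch_page(page, since, until)
        collected.extend(batch)
        if len(batch) < PAGE_SIZE:
            return collected
        page += 1


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def report_events(fetch_page: FetchPage, start: datetime, end: datetime,
                  types=GHOSTPORTS_TYPES) -> List[Dict]:
    """Fetch, filter to the wanted types and window (client-side, so the offline
    fetcher behaves like the real one), then sort critical first, then type, then server."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    events = fetch_all_events(fetch_page, start.strftime(fmt), end.strftime(fmt))
    kept = [e for e in events
            if e.get("type") in types and "created_at" in e
            and start <= _ts(e["created_at"]) <= end]
    return sorted(kept, key=lambda e: (not e.get("critical", False),
                                       e["type"], e.get("server_hostname", "")))


def events_to_csv(events: List[Dict]) -> str:
    """Render the report rows with the exact creation timestamp the portal view lacks."""
    columns = ["id", "created_at", "critical", "type", "server_hostname", "actor_username"]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    for e in events:
        writer.writerow([e.get(c, "") for c in columns])
    return buf.getvalue()


if __name__ == "__main__":
    rows = report_events(make_list_fetcher(SAMPLE_EVENTS), REPORT_START, REPORT_END)
    print(events_to_csv(rows))
```

To run it against a real tenant, swap `make_list_fetcher(SAMPLE_EVENTS)` for `make_http_fetcher(token)` and confirm the endpoint, parameter names and field names against the current CloudPassage API reference first, since those are assumed here. Filtering on the client as well as in the query keeps the report correct even if a page boundary or clock skew returns events just outside the requested window.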
For general information on Halo events, including audit events, see Addressing Events in the Halo Issues, Events, and Alerts.