
I discovered in my latest tech support track: CS0136992 that client IP Address is only passed to the metadata logs for calls related to:

  • New Client Connections 
  • Redirects for the client in the cluster 

AND - it cannot be configured to be added for other logging events! (SAS Help Center: X Conversion Character)

I would like to request the ability to add Client IP Address as a descriptive characteristic to various Metadata Audit logging events such as:

  • Group/Role Changes
  • Logon/Logoff
  • Role Permissions Changes 

Client IT teams often work with Splunk & other tools that query logs using a NoSQL query language. As duplicative as it may be - this allows IT teams to easily comply with security and tracking requirements to be able to easily track and identify cyber security events and get all information in a single query. 

 

Without this - what I'm being told is that security teams would first need to identify the event in question, then, using the request ID, track that all throughout the logs until they found the initial new client connection in order to find the source IP. This kind of sub-query is incredibly tedious behavior and creates a significant disconnect that must be manually traversed in order to create the holistic picture cyber security teams are looking for.

 

Please include this as a feature in the next release!
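
The request-ID correlation described in the post, as an added example that is not part of the original post and is not SAS code: it maps each request ID to the IP seen on its new-connection line, then attaches that IP to every audit event. The log line layout, the `req=` field and the event names are assumptions constructed for illustration, not the actual metadata server log format.

```python
import re

# Constructed sample lines. The layout (timestamp, [req=ID], message) is an
# assumption for this example and is NOT the real SAS metadata server format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 [req=0012] New client connection from 10.20.30.40
2024-05-01T10:00:02 [req=0012] Audit Logon user=alice
2024-05-01T10:01:15 [req=0034] New client connection from 192.0.2.77
2024-05-01T10:03:10 [req=0012] Audit GroupChange group=Admins member=bob
2024-05-01T10:04:00 [req=0034] Audit Logoff user=carol
2024-05-01T10:05:00 [req=0099] Audit RolePermissionChange role=Ops
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \[req=(?P<req>\w+)\] (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^New client connection from (?P<ip>\S+)$")
AUDIT_RE = re.compile(r"^Audit (?P<event>\w+)\s*(?P<detail>.*)$")


def enrich_audit_events(log_text):
    """Return audit events with the client IP of their request ID attached."""
    parsed = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

    # Pass 1: request ID -> source IP, taken from connection events only.
    ip_by_req = {}
    for rec in parsed:
        conn = CONNECT_RE.match(rec["msg"])
        if conn:
            ip_by_req[rec["req"]] = conn["ip"]

    # Pass 2: attach the IP to every audit event; None marks an event whose
    # connection line is missing (for example, rotated out of this file).
    events = []
    for rec in parsed:
        audit = AUDIT_RE.match(rec["msg"])
        if audit:
            events.append({
                "ts": rec["ts"],
                "req": rec["req"],
                "event": audit["event"],
                "detail": audit["detail"],
                "client_ip": ip_by_req.get(rec["req"]),
            })
    return events


if __name__ == "__main__":
    for e in enrich_audit_events(SAMPLE_LOG):
        print(e)
```

Events that come back with `client_ip` set to `None` are the ones an analyst would still have to trace by hand in older log files.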