Reviewing and exporting the audit log

Reviewing the audit log

To review the Endpoint Configuration audit log, click Audit Log from the Endpoint Configuration menu. By default, the log shows the last 30 days.

To adjust the time range or to filter the log by action, expand the Filters section.

Exporting an audit log

Create a connection in Tanium Connect to export an Endpoint Configuration audit log to Connect destinations, such as Email, File, HTTP, Socket Receiver, Splunk, or SQL Server. The audit log includes the following information:

  • Additions, deletions, and updates of configuration items
  • Approval, rejection, and dismissal actions
  • Manifest actions

The audit log is also included in the support package for Endpoint Configuration. For the steps to download the support package, see Collect logs.

Before you begin

You must have access to Connect with the Connect User role.

Create a connection

  1. From the Connect menu, click Connections and then click Create Connection.
  2. Enter a name and description for your connection in the General Information section.
  3. In the Advanced section, set the following:
    • Log level: By default, the logging is set to Information. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.
    • Minimum Pass Percentage: Minimum percentage of the expected rows that must be processed for the connection to succeed.
  4. In the Configuration section, set the source and destination as follows:
    1. For Source, select Tanium Endpoint Configuration.
    2. For History Retrieval (Days), enter the number of days of history that the exported audit log contains.
    3. Configure the connection destination.

      Select a connection destination from the Destination list. Provide the configuration information for the destination you select. For more information about configuring destinations, see the Tanium Connect User Guide: Connection destinations.

  5. Configure the Format for the data. For information about configuring the format, see the section on the destination type that you selected in the Tanium Connect User Guide.
  6. (Optional) In the Configure Output section, configure a Filter.

    You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.

    For more information about the types of filters you can configure, see the Tanium Connect User Guide.

  7. (Optional) Customize columns for the exported data. In the Columns section, select the available Source items and configure the Value Type and Customization. For more information, see the Tanium Connect User Guide: Format data for emails.
  8. (Optional) Select Enable Schedule and configure a schedule for the connection. For more information about how to run connections on a schedule, see the Tanium Connect User Guide: Schedule connections. If the schedule is not enabled, the connection only runs when you manually run it.
  9. Click Save or Save and Run.

Test a connection and review data

  1. From the Connect menu, click Connections.
  2. Click the connection that you created for the Endpoint Configuration audit log.
  3. Click Run Now. Confirm that you want to run the connection.
  4. View the summary of the run.
  5. View the audit log in the destination that you configured for the connection.