About the Audit Log

ThreatQ includes comprehensive audit logging that records detailed user, admin, and system actions across the ThreatQ Platform, ThreatQ Data Exchange (TQX), and ThreatQ TDR Orchestrator (TQO). This allows you to track activities such as logins/logouts and configuration updates, and to export these logs securely to your SIEM or Syslog Server.

Configuring Audit Log Exports

To begin exporting your audit log to your SIEM or Syslog Server, you must have the following information available: syslog hostname, syslog port, path to client certificate, and path to client private key:

  • For hosted customers, open a Support ticket with that information so that ThreatQuotient can configure your system.
  • On-premise customers will need to upgrade to the latest version of TQAdmin and use TQAdmin to configure Audit Log Exports. See the TQAdmin Configuration section of the Help Center for more details.

Tips and Tricks

  • You can access the audit log from /var/log/threatq/audit.log.
  • For logged password updates, the password value is redacted.
  • Audit Log timestamps use the following format: yyyy-mm-ddThh:mm:ss+z
  • For failed actions, the audit log entry includes the reason for the failure.
  • The following information is also logged if the source of an action (e.g. a ThreatQ user) was authenticated via HTTP:
    • URL
    • HTTP method
    • Server
    • Referrer
    • XFF IP address
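As an added example (not ThreatQ's own code), the following Python parser shows how a SIEM-side ingest could use the tips above: it honours the timestamp offset so events from different zones sort correctly, collects the failure reason from failed actions, gathers the HTTP context fields only when present, and flags any password update whose value is not redacted. The key=value line layout is an assumption constructed for illustration, since this page does not show the real entry format.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines for illustration only. This page does not show
# ThreatQ's real entry layout (see the Audit Log Entries section); the
# key=value form below is an assumption used to exercise the parser.
SAMPLE_AUDIT_LINES = [
    'timestamp=2024-03-05T14:02:11+00:00 actor=alice action=login status=success '
    'url=/api/token method=POST server=tq.example.internal referrer=- xff=203.0.113.7',
    'timestamp=2024-03-05T09:15:40-05:00 actor=bob action=login status=failure '
    'reason="invalid credentials" url=/api/token method=POST server=tq.example.internal '
    'referrer=- xff=198.51.100.22',
    'timestamp=2024-03-05T14:30:00+00:00 actor=system action=config.update '
    'status=success',
    'timestamp=2024-03-05T14:31:09+00:00 actor=alice action=password.update '
    'status=success password=[REDACTED] url=/api/users/7 method=PUT '
    'server=tq.example.internal referrer=https://tq.example.internal/users xff=203.0.113.7',
]

# Fields the page lists for HTTP-authenticated sources (XFF = X-Forwarded-For).
HTTP_FIELDS = ("url", "method", "server", "referrer", "xff")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_entry(line):
    """Parse one key=value line into a dict; the timestamp is normalised to UTC.

    The page gives timestamps as yyyy-mm-ddThh:mm:ss+z, so the offset is
    parsed with %z instead of being dropped, which keeps events from
    different time zones in the right order once they reach the SIEM.
    """
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.strptime(fields["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
    fields["timestamp_utc"] = ts.astimezone(timezone.utc)
    # HTTP context is only present when the actor authenticated over HTTP.
    fields["http"] = {k: fields.pop(k) for k in HTTP_FIELDS if k in fields}
    return fields


def review_entries(lines):
    """Return (failed actions with reasons, password updates that are not redacted)."""
    failures, unredacted = [], []
    for entry in map(parse_entry, lines):
        if entry.get("status") == "failure":
            failures.append((entry["actor"], entry["action"], entry.get("reason", "")))
        # The page states password values are redacted; anything else is worth an alert.
        if entry.get("action") == "password.update" and entry.get("password") != "[REDACTED]":
            unredacted.append(entry)
    return failures, unredacted
```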

Audit Log Entries

See the Audit Log Entries section for a list of system actions that trigger the creation of a log entry as well as a description of the information logged.