#############
Audit Logging
#############

**Overview**

Atomic OSSEC (AEO) audit logging tracks user activity, administration, and configuration changes made to the AEO platform, including:

- Administrative user creation, deletion, and modification
- User password and profile changes
- Platform configuration
- Asset management activity, including managing FIM and IDS configurations




1.0 Viewing Audit logs
======================

- Select Reporting
- Select Event Search
- Select atomicorp-audit from the Event Type drop-down

.. image:: ../../../images/aeo-auditlog-interface.png


1.1 Exporting Event Search results (JSON, CSV, PDF)
===================================================

From **Reporting → Event Search**, run your query, then use the export options to choose **JSON**, **CSV**, or **PDF**.

- **JSON** and **CSV** download through the browser when the export is ready.
- **PDF** is generated on the hub. When processing completes, open **Reporting → Report History** to view or download the file.

If an export cannot be prepared, try a smaller time range or fewer matching events.
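A JSON export can be triaged offline against the rule IDs listed in section 2.0. The following is an added example, not Atomicorp code: the field names (``rule_id``, ``level``, ``srcip``, ``user``) and the sample records are assumptions constructed for illustration, so rename them to match the real export.

```python
import json
from collections import Counter

# Rule IDs and levels are the ones listed in section 2.0 of this page.
LOGON_FAILURE = {16502, 16504}     # single failure: known / unknown user
PRIVILEGE = {16506: "administrative login",
             16513: "administrator privileges granted",
             16518: "administrator changed a user's password"}

# Constructed sample export. The field names (rule_id, level, srcip, user)
# are assumptions; rename them to match the real export.
SAMPLE_EXPORT = json.dumps([
    {"rule_id": 16502, "level": 5, "srcip": "198.51.100.7", "user": "alice"},
    {"rule_id": 16502, "level": 5, "srcip": "198.51.100.7", "user": "alice"},
    {"rule_id": 16503, "level": 7, "srcip": "198.51.100.7", "user": "alice"},
    {"rule_id": 16501, "level": 3, "srcip": "192.0.2.10", "user": "bob"},
    {"rule_id": 16513, "level": 4, "srcip": "192.0.2.10", "user": "bob"},
    {"rule_id": 5715, "level": 3, "srcip": "192.0.2.10"},   # not an audit rule
    {"level": 9},                                            # malformed record
])


def triage(export_text, min_level=7):
    """Return (findings, failures_by_source) for atomicorp-audit events."""
    findings, failures = [], Counter()
    for ev in json.loads(export_text):
        try:
            rule_id, level = int(ev["rule_id"]), int(ev["level"])
        except (KeyError, TypeError, ValueError):
            continue                      # no usable rule ID or level
        if not 16500 <= rule_id <= 16528:
            continue                      # outside the range documented here
        src = ev.get("srcip", "unknown")
        if rule_id in LOGON_FAILURE:
            failures[src] += 1
        # A level-only filter misses privilege changes (levels 3 and 4),
        # so those rule IDs are matched explicitly.
        if rule_id in PRIVILEGE:
            findings.append((rule_id, src, ev.get("user"), PRIVILEGE[rule_id]))
        elif level >= min_level:
            findings.append((rule_id, src, ev.get("user"), f"level {level}"))
    return findings, failures


if __name__ == "__main__":
    found, failed = triage(SAMPLE_EXPORT)
    for item in found:
        print(*item)
    print(dict(failed))
```

The per-source failure count complements rules 16503 and 16505 by showing failures that stayed below the correlation threshold.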


2.0 Audit Log events
====================

Rule ID 16500
--------------

- Level: 0
- Description: Atomicorp: Group rules

Rule ID 16501
--------------

- Level: 3
- Description: Atomicorp Audit: Successful login to Atomic OSSEC

Rule ID 16502
--------------

- Level: 5
- Description: Atomicorp Audit: Logon failure to Atomic OSSEC

Rule ID 16503
--------------

- Level: 7
- Description: Atomicorp Audit: Multiple logon failures to Atomic OSSEC from the same source. (3/60)

Rule ID 16504
--------------

- Level: 2
- Description: Atomicorp Audit: Logon failure to Atomic OSSEC for an unknown user

Rule ID 16505
--------------

- Level: 8
- Description: Atomicorp Audit: Multiple logon failures to Atomic OSSEC for an unknown user from the same source (5/60).

Rule ID 16506
--------------

- Level: 4
- Description: Atomicorp Audit: Successful Administrative login to Atomic OSSEC

Rule ID 16507
--------------

- Level: 2
- Description: Atomicorp Audit: Administrator user management (Add)

Rule ID 16508
--------------

- Level: 3
- Description: Atomicorp Audit: Administrator user management (Add) password length too short

Rule ID 16509
--------------

- Level: 3
- Description: Atomicorp Audit: Administrator user management (Add) Create new user

Rule ID 16510
--------------

- Level: 2
- Description: Atomicorp Audit: Administrator group management (Add)

Rule ID 16511
--------------

- Level: 3
- Description: Atomicorp Audit: Administrator group management (Add) Added group

Rule ID 16512
--------------

- Level: 2
- Description: Atomicorp Audit: Administrator user management (Modify)

Rule ID 16513
--------------

- Level: 4
- Description: Atomicorp Audit: Administrator user management (Modify) granted administrator privileges

Rule ID 16514
--------------

- Level: 2
- Description: Atomicorp Audit: Administrator group management (Remove)

Rule ID 16515
--------------

- Level: 2
- Description: Atomicorp Audit: Administrator user management (Remove)

Rule ID 16516
--------------

- Level: 2
- Description: Atomicorp Audit: User changed profile (Modify)

Rule ID 16517
--------------

- Level: 3
- Description: Atomicorp Audit: User changed profile (Modify) Password changed successfully

Rule ID 16518
--------------

- Level: 3
- Description: Atomicorp Audit: Administrator user management (Modify) changed password for user

Rule ID 16519
--------------

- Level: 2
- Description: Atomicorp Audit: User logged off

Rule ID 16520
--------------

- Level: 2
- Description: Atomicorp Audit: Configuration changed

Rule ID 16521
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management group (Create)

Rule ID 16522
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management group (Rename)

Rule ID 16523
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management group (Remove)

Rule ID 16524
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management Agent (Move)

Rule ID 16525
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management Agent (Remove)

Rule ID 16526
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management configure monitoring (Add)

Rule ID 16527
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management configure monitoring (Remove)

Rule ID 16528
--------------

- Level: 2
- Description: Atomicorp Audit: Asset Management configure FIM (Manage)



