Audit Log Format
Audit log events are comma-separated-values (CSV) lists that have the following format:
{TimeStamp,user-id@address:port,Category,EventType,Result,Resource,Details,...}
{2009-03-05 15:19:27,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.}
TimeStamp specifies the time that the event was written to the log
Category takes the values: security | configuration | system
EventType takes the values: create | modify | delete | login | logout | data-access | save-config | reboot | acquire-config
Result takes the values: successful | unsuccessful
Resource identifies the configuration element accessed by the user
Details (which is displayed only in verbose mode) provides fine-grained configuration details
- If EventType = create, details is “New = element added”
- If EventType = modify, details is “Previous = oldValue New = newValue”
- If EventType = delete, details is “Element = deleted element”
- If EventType = data-access, details is “Element = accessed element”
The following lists and describes the actions that generate audit log events.
- Login—Every login attempt
2009-03-05 17:31:14,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.
- Logout—Every logout attempt
2009-03-05 18:44:03,sftp-elvis@192.2.0.10:22,security,logout,success,authentication,,.
- save-config—Every save-config CLI command
2009-03-05 15:45:29,acliConsole-admin@console,configuration,save-config,success,CfgVersion=111,,.
- activate-config—Every activate-config CLI command
2009-03-05 15:45:36,acliConsole-admin@console,configuration,activate-config,success,RunVersion=111,,.
- DataAccess
- a) attempt to retrieve data using SFTP
- b) attempt to export using ssh-pub-key export
- c) attempt to display security info using show security
- d) attempt to kill a session using kill
2009-03-05 15:25:59,sftp-elvis@192.2.0.10:22,security,data-access,success,code/auditaudit200903051518,,.
- Create
- a) any action that creates a configuration property
- b) any action that creates a file
2009-03-05 15:45:01,acliConsole-admin@console,configuration,create,success,public-key,Element= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='1' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:45:01'> </sshPubKeyRecord>
- Modify
- a) any action that modifies a configuration property
2009-03-05 15:48:01,acliConsole-admin@console,configuration,modify,success,public-key,Previous= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='1' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:45:01'> </sshPubKeyRecord> New= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='2' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:48:01'> </sshPubKeyRecord>
- Delete
- a) any action that deletes a configuration property
- b) any action that deletes a file
2009-03-05 15:51:39,acliConsole-admin@console,configuration,delete,success,public-key,Element= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='2' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:51:39'> </sshPubKeyRecord>
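The following parser, added here as an example and not part of this documentation or the product, reads audit events in the format described above and pulls out the two things a reviewer of these logs usually wants first: failed logins per source address and the set of configuration-changing events. The sample lines are constructed after the examples on this page; the field-splitting rule (Details is everything after the sixth comma, and an empty Details appears as ",.") is an assumption drawn from those examples.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events modelled on the examples in this section.
SAMPLE_LOG = """\
2009-03-05 17:31:14,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.
2009-03-05 17:32:02,sftp-elvis@192.2.0.10:22,security,login,unsuccessful,authentication,,.
2009-03-05 15:45:29,acliConsole-admin@console,configuration,save-config,success,CfgVersion=111,,.
2009-03-05 15:48:01,acliConsole-admin@console,configuration,modify,success,public-key,Previous= <sshPubKeyRecord encrType='1'/> New= <sshPubKeyRecord encrType='2'/>
2009-03-05 15:51:39,acliConsole-admin@console,configuration,delete,success,public-key,Element= <sshPubKeyRecord name='dummy'/>
"""

@dataclass
class AuditEvent:
    timestamp: str
    user: str
    address: str
    port: Optional[int]   # console sessions carry no port
    category: str
    event_type: str
    result: str
    resource: str
    details: str

def parse_event(line: str) -> AuditEvent:
    # The first six fields never contain commas; Details (which may hold XML
    # with commas) is the remainder, so split on at most six commas.
    parts = [p.strip() for p in line.split(",", 6)]
    if len(parts) < 6:
        raise ValueError(f"malformed audit event: {line!r}")
    ts, origin, category, event_type, result, resource = parts[:6]
    details = parts[6] if len(parts) > 6 else ""
    if details.strip(",. ") == "":     # empty Details is written as ",." (assumption)
        details = ""
    user, _, endpoint = origin.partition("@")      # user-id@address[:port]
    address, _, port = endpoint.partition(":")
    return AuditEvent(ts, user, address, int(port) if port else None,
                      category, event_type, result, resource, details)

def parse_log(text: str) -> List[AuditEvent]:
    return [parse_event(l) for l in text.splitlines() if l.strip()]

def config_changes(events: List[AuditEvent]) -> List[AuditEvent]:
    """Events that altered configuration state, including saves and activations."""
    kinds = {"create", "modify", "delete", "save-config", "activate-config"}
    return [e for e in events if e.category == "configuration" and e.event_type in kinds]

def failed_logins_by_source(events: List[AuditEvent]) -> Counter:
    """Non-success login results per source address; a spike here is the first brute-force indicator."""
    return Counter(e.address for e in events
                   if e.event_type == "login" and e.result != "success")
```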