Audit Log Format

Audit log events are comma-separated value (CSV) records with the following format:

{TimeStamp,user-id@address:port,Category,EventType,Result,Resource,Details,...}

{2009-03-05 15:19:27,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.}

TimeStamp specifies the time that the event was written to the log

Category takes the values: security | configuration | system

EventType takes the values: create | modify | delete | login | logout | data-access | save-config | reboot | acquire-config

Result takes the values: successful | unsuccessful

Resource identifies the configuration element accessed by the user

Details (displayed only in verbose mode) provides fine-grained configuration details:
  • If EventType = create, details is “New = element added”
  • If EventType = modify, details is “Previous = oldValue New = newValue”
  • If EventType = delete, details is “Element = deleted element”
  • If EventType = data-access, details is “Element = accessed element”
The following lists and describes the actions that generate audit log events.
  • Login—Every login attempt
    2009-03-05 17:31:14,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.
  • Logout—Every logout attempt
    2009-03-05 18:44:03,sftp-elvis@192.2.0.10:22,security,logout,success,authentication,,.
  • save-config—Every save-config CLI command
    2009-03-05 15:45:29,acliConsole-admin@console,configuration,save-config,success,CfgVersion=111,,.
  • activate-config—Every activate-config CLI command
    2009-03-05 15:45:36,acliConsole-admin@console,configuration,activate-config,success,RunVersion=111,,.
  • DataAccess
    • a) attempt to retrieve data using SFTP
    • b) attempt to export using ssh-pub-key export
    • c) attempt to display security info using show security
    • d) attempt to kill a session using kill
    2009-03-05 15:25:59,sftp-elvis@192.2.0.10:22,security,data-access,success,code/auditaudit200903051518,,.
  • Create
    • a) any action that creates a configuration property
    • b) any action that creates a file
      2009-03-05 15:45:01,acliConsole-admin@console,configuration,create,success,public-key,
      Element=
      <?xml version='1.0' standalone='yes'?>
      <sshPubKeyRecord
        name='dummy'
        comment=''
        keyType='2'
        encrType='1'
        keySize='1024'
        pubKey=''
        privKey=''
        fingerPrint=''
        fingerPrintRaw=''
        lastModifiedBy='acmin@console'
        lastModifiedDate='2009-03-05 15:45:01'>
      </sshPubKeyRecord>
  • Modify
    • a) any action that modifies a configuration property
      2009-03-05 15:48:01,acliConsole-admin@console,configuration,modify,success,public-key,
      Previous=
      <?xml version='1.0' standalone='yes'?>
      <sshPubKeyRecord
        name='dummy'
        comment=''
        keyType='2'
        encrType='1'
        keySize='1024'
        pubKey=''
        privKey=''
        fingerPrint=''
        fingerPrintRaw=''
        lastModifiedBy='acmin@console'
        lastModifiedDate='2009-03-05 15:45:01'>
      </sshPubKeyRecord>

      New=
      <?xml version='1.0' standalone='yes'?>
      <sshPubKeyRecord
        name='dummy'
        comment=''
        keyType='2'
        encrType='2'
        keySize='1024'
        pubKey=''
        privKey=''
        fingerPrint=''
        fingerPrintRaw=''
        lastModifiedBy='acmin@console'
        lastModifiedDate='2009-03-05 15:48:01'>
      </sshPubKeyRecord>
  • Delete
    • a) any action that deletes a configuration property
    • b) any action that deletes a file
      2009-03-05 15:51:39,acliConsole-admin@console,configuration,delete,success,public-key,
      Element=
      <?xml version='1.0' standalone='yes'?>
      <sshPubKeyRecord
        name='dummy'
        comment=''
        keyType='2'
        encrType='2'
        keySize='1024'
        pubKey=''
        privKey=''
        fingerPrint=''
        fingerPrintRaw=''
        lastModifiedBy='acmin@console'
        lastModifiedDate='2009-03-05 15:51:39'>
      </sshPubKeyRecord>
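As an added example that is not part of the original documentation, the following Python parser splits single-line (non-verbose) records of the format described above into named fields, separates user, address and port, and runs two defender-side checks: failed logins per user and source, and the configuration-changing events a change-control review would want to see. The sample records, the AuditEvent class and the two check functions are constructions for this example, not output or code from a real device.

```python
import csv
from collections import Counter
from dataclasses import dataclass

# Constructed sample records modelled on the examples above (not captured from a real device).
SAMPLE_LOG = """\
2009-03-05 17:31:14,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.
2009-03-05 17:31:40,sftp-elvis@192.2.0.10:22,security,login,unsuccessful,authentication,,.
2009-03-05 17:31:55,sftp-elvis@192.2.0.10:22,security,login,unsuccessful,authentication,,.
2009-03-05 15:45:29,acliConsole-admin@console,configuration,save-config,success,CfgVersion=111,,.
2009-03-05 15:45:36,acliConsole-admin@console,configuration,activate-config,success,RunVersion=111,,.
2009-03-05 15:25:59,sftp-elvis@192.2.0.10:22,security,data-access,success,code/auditaudit200903051518,,.
"""

@dataclass
class AuditEvent:
    timestamp: str
    user: str
    address: str
    port: "int | None"   # None for console sessions such as acliConsole-admin@console
    category: str
    event_type: str
    result: str
    resource: str
    details: str

def parse_event(line: str) -> AuditEvent:
    """Split one single-line (non-verbose) audit record into its named fields."""
    fields = next(csv.reader([line.rstrip("\n")]))
    if len(fields) < 6:
        raise ValueError(f"malformed audit record: {line!r}")
    timestamp, who, category, event_type, result, resource = fields[:6]
    # Everything after Resource is Details; the trailing ",,." terminator carries no data.
    details = ",".join(fields[6:]).rstrip(".").strip(",")
    user, _, origin = who.partition("@")   # "sftp-elvis@192.2.0.10:22" or "acliConsole-admin@console"
    address, _, port = origin.partition(":")
    return AuditEvent(timestamp, user, address, int(port) if port else None,
                      category, event_type, result, resource, details)

def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]

def failed_logins(events) -> Counter:
    """Count login attempts whose Result is not a success, keyed by (user, source address)."""
    return Counter((e.user, e.address) for e in events
                   if e.event_type == "login" and not e.result.startswith("success"))

def config_changes(events) -> list:
    """Events that altered or activated configuration, for change-control review."""
    changing = {"create", "modify", "delete", "save-config", "activate-config"}
    return [e for e in events if e.category == "configuration" and e.event_type in changing]
```

Verbose-mode records whose Details field spans several lines (the XML records shown above) are not handled by this line-oriented parser; they would need to be joined back into one record first.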