Overview

The audit log records the creation, modification, and deletion of all user-accessible configuration elements, as well as access to critical security data such as public keys. For each logged event it provides the associated user-id, date, time, event type, and success/failure data. As a result, the log supports after-the-fact investigation of loss or impropriety, and appropriate management response. Only admin-level users have audit log access. These users can retrieve, read, copy, and upload the audit log. The original log cannot be deleted or edited by any operator action.

The audit log is transferred to a previously configured SFTP server or servers when one of three specified conditions is satisfied.

  1. A configurable amount of time has elapsed since the last transfer.
  2. The size of the audit log (measured in Megabytes) has reached a configured threshold.
  3. The size of the audit log has reached a configured percentage of the allocated storage space.

The audit log file is stored on the target SFTP server or servers with a filename that takes the format:

    <hostname>-audit<timestamp>

Where:
• <hostname> is the name of the host to which the log gets sent.
• <timestamp> is a 12-digit string that takes the format YYYYMMDDHHMM.

myhost-audit-200903051630 names an audit log file transferred to an SFTP server named 'myhost' on March 5, 2009 at 4:30 PM.
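On the receiving SFTP server, the filename format and the time-based transfer condition together allow a completeness check: because a transfer occurs at least once per configured interval, two consecutive files from the same host should never be further apart than that interval. The following Python sketch is an added example, not part of the product; the function names and sample filenames are constructed, and accepting the timestamp with or without a leading hyphen is an assumption made to cover both the format line and the example above.

```python
import re
from datetime import datetime, timedelta

# Assumption: accept "<hostname>-audit<timestamp>" and the hyphenated form
# used in the example filename ("myhost-audit-200903051630").
NAME_RE = re.compile(r"^(?P<host>.+)-audit-?(?P<ts>\d{12})$")

def parse_audit_name(name):
    """Return (hostname, datetime), or None if the name does not fit the format."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("ts"), "%Y%m%d%H%M")
    except ValueError:  # 12 digits that are not a real date and time
        return None
    return m.group("host"), stamp

def find_gaps(names, max_interval):
    """Return (gaps, rejected): gaps are (host, previous, next) transfers that
    are further apart than max_interval; rejected are names that do not parse."""
    per_host, rejected = {}, []
    for name in names:
        parsed = parse_audit_name(name)
        if parsed is None:
            rejected.append(name)
            continue
        per_host.setdefault(parsed[0], []).append(parsed[1])
    gaps = []
    for host, stamps in sorted(per_host.items()):
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_interval:
                gaps.append((host, prev, cur))
    return gaps, rejected

# Constructed directory listing; the transfer interval is assumed to be 1 hour.
SAMPLE = [
    "myhost-audit-200903051630",
    "myhost-audit-200903051730",
    "myhost-audit-200903052030",   # three hours after the previous file
    "myhost-audit200903052130",    # unhyphenated form from the format line
    "myhost-audit-200913051630",   # month 13: rejected
    "notes.txt",                   # unrelated file: rejected
]

if __name__ == "__main__":
    gaps, rejected = find_gaps(SAMPLE, timedelta(hours=1))
    for host, prev, cur in gaps:
        print(f"{host}: no audit log received between {prev} and {cur}")
    print("names that do not match the format:", rejected)
```

A reported gap means a file is missing from the server or the device was not running during that period; in practice, add a few minutes of slack to the interval to allow for transfer time.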