
Enterasys C3G124-24 - Trap Generation; Format Examples

Configuring System Logging: About Security Audit Logging
• Changes of security levels or categories of information
• Failed attempts to access restricted privilege level or data files
• Audit file access
• Password changes (actual passwords will not be recorded)
When "Security" is set to level 7, the following security audit logs will additionally be generated:
• All CLI commands that are executed. The following information is logged for each command:
  – Date and time
  – Local IP address
  – User
  – Source (console, web, SSH or telnet)
  – Remote IP address (if SSH, telnet or web)
  – The action (command line text)
  – Status of command (OK or FAILED)
• Any hidden debug commands entered by the user will be logged.
Trap Generation
When approximately 80% of the maximum security audit logs have been written to the log file, an
SNMP trap will be generated to indicate a high percentage of utilization. Recording to the log file
will continue and wrap back to the beginning when the maximum number of entries has been
recorded. All successive occurrences of reaching 80% of the log file will generate an additional
trap.
The trap generation is done using the Enterasys Syslog Client MIB notification
etsysSyslogSecureLogArchiveNotification.
If, for any reason, an event that is to be sent to the secure log gets dropped, resulting in the failure
to record the event, an SNMP trap will be generated. The trap generation will be done using the
Enterasys Syslog Client MIB notification etsysSyslogSecureLogDroppedMsgNotification.
Format Examples
The following examples illustrate secure log entry formats for different types of events.
User logs in via console
<164>Apr 21 08:44:13 10.27.12.70-1 USER_MGR[1] User:admin:su logged in from console
User logs in via Telnet
<164>Apr 21 08:42:57 10.27.12.70-1 USER_MGR[1] User:admin:su logged in from 10.27.6.118(telnet)
User sets port speed via console
<167>Apr 21 10:39:19 10.27.12.70-1 CLI_WEB[1] User:admin:su; Source:console; Action:"set port speed *.*.1 10 "; Status:OK
User sets port speed via telnet
<167>Apr 21 10:39:39 10.27.12.70-1 CLI_WEB[1] User:admin:su; Source:10.27.6.118(telnet); Action:"set port speed *.*.2 100"; Status:OK
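
The entry layout shown in the examples above can be parsed on a log collector as follows. This is an added example, not code from the Enterasys manual; the field names `origin` and `mode`, the `needs_review` rule and the fifth sample line are assumptions made for illustration.

```python
import re

# <PRI>timestamp origin COMPONENT[n] message, as in the manual's examples.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<origin>\S+) (?P<component>\w+)\[\d+\] (?P<msg>.*)$')
LOGIN = re.compile(
    r'^User:(?P<user>[^:;\s]+):(?P<mode>\S+) logged in from (?P<source>\S+)$')
# Greedy Action match anchored on the trailing Status field, so quote or
# "Status:" text typed inside a command cannot stand in for the real status.
COMMAND = re.compile(
    r'^User:(?P<user>[^:;\s]+):(?P<mode>[^;]+); Source:(?P<source>[^;]+); '
    r'Action:"(?P<action>.*)"; Status:(?P<status>OK|FAILED)$')
REMOTE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<via>\w+)\)$')

def parse_entry(line):
    """Parse one secure log entry into a dict; None if the header is malformed."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    pri = int(head['pri'])  # syslog PRI = facility * 8 + severity
    rec = {'facility': pri >> 3, 'severity': pri & 7,
           'timestamp': head['timestamp'], 'origin': head['origin'],
           'component': head['component'], 'event': 'unparsed'}
    body = COMMAND.match(head['msg']) or LOGIN.match(head['msg'])
    if body:
        rec.update(body.groupdict())
        rec['event'] = 'command' if 'action' in rec else 'login'
        remote = REMOTE.match(rec['source'])
        rec['remote_ip'] = remote['ip'] if remote else None
        rec['via'] = remote['via'] if remote else rec['source']
    return rec

def needs_review(rec):
    """Assumed triage rule: failed commands and sessions that arrived over telnet."""
    return bool(rec) and (rec.get('status') == 'FAILED' or rec.get('via') == 'telnet')

# The four entries from the manual (wrapped lines rejoined), plus one constructed entry.
SAMPLES = [
    '<164>Apr 21 08:44:13 10.27.12.70-1 USER_MGR[1] User:admin:su logged in from console',
    '<164>Apr 21 08:42:57 10.27.12.70-1 USER_MGR[1] User:admin:su logged in from 10.27.6.118(telnet)',
    '<167>Apr 21 10:39:19 10.27.12.70-1 CLI_WEB[1] User:admin:su; Source:console; Action:"set port speed *.*.1 10 "; Status:OK',
    '<167>Apr 21 10:39:39 10.27.12.70-1 CLI_WEB[1] User:admin:su; Source:10.27.6.118(telnet); Action:"set port speed *.*.2 100"; Status:OK',
    # constructed: same layout with a failed command
    '<167>Apr 21 10:40:02 10.27.12.70-1 CLI_WEB[1] User:admin:su; Source:console; Action:"set port speed *.*.3 9"; Status:FAILED',
]

if __name__ == '__main__':
    for rec in map(parse_entry, SAMPLES):
        print(needs_review(rec), rec)
```

The priority values in the samples decode to facility 20 (local4) with severity 4 for the login entries and severity 7 for the command entries.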
