About Security Audit Logging
Fixed Switch Configuration Guide 14-7
The secure.log file stored in the secure/logs directory cannot be deleted, edited, or renamed.
Super-users can copy the secure.log file using SCP, SFTP, or TFTP.
By default, security audit logging is disabled. Only a system administrator (super-user) may
enable the security audit logging function, and only a system administrator has the ability to
retrieve, copy, or upload the secure.log file. Security audit logging is enabled or disabled with the
command set logging local.
Security Events Logged
A new logging application identifier, “Security,” has been defined to specify the level of logging
desired. When “Security” is set to level 5, the following security audit logs will be generated:
• Logins and logouts
• Login failures
When “Security” is set to level 6, the following security audit logs will additionally be generated:
• Login banner acceptance
• Excessive logon attempts
• Remote system access
• Changes in privileges or security attributes
• Changes of security levels or categories of information
• Failed attempts to access restricted privilege level or data files
• Audit file access
• Password changes (actual passwords will not be recorded)
When “Security” is set to level 7, the following security audit logs will additionally be generated:
• All CLI commands that are executed. The following information is logged for each command:
– Date and time
– Local IP address
– User
– Source (console, web, SSH or telnet)
– Remote IP address (if SSH, telnet or web)
– The action (command line text)
– Status of command (OK or FAILED)
• Any hidden debug commands entered by the user will be logged.
Trap Generation
When approximately 80% of the maximum security audit logs have been written to the log file, an
SNMP trap will be generated to indicate a high percentage of utilization. Recording to the log file
will continue and wrap back to the beginning when the maximum number of entries has been
recorded. Each subsequent time the log file reaches 80% utilization, an additional trap is
generated.
The trap generation is done using the Enterasys Syslog Client MIB notification
etsysSyslogSecureLogArchiveNotification.
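
Added example (not part of the original guide and not vendor code): a small Python model of the wrap-and-trap behavior described above, showing which entries are overwritten when secure.log is not copied off the switch in time. The maximum of 10 entries, the exact 80% threshold, the whole-file copy model, and all function and parameter names are assumptions made for illustration.

```python
# Added illustration; not vendor code. MAX_ENTRIES is a constructed value:
# the page does not state the real maximum size of secure.log.
MAX_ENTRIES = 10
TRAP_FRACTION = 0.8  # the page says "approximately 80%"; modelled as exact


def simulate(total_events, copy_delay=0, missed_traps=(), max_entries=MAX_ENTRIES):
    """Model the wrapping audit log and a collector that copies the whole
    file `copy_delay` entries after each trap it receives.

    Returns (traps, lost): the entry numbers at which a trap fired, and the
    entries that were overwritten before any copy had captured them.
    """
    slots = [None] * max_entries          # the fixed-size log file
    archived, lost, traps, pending = set(), [], [], []
    threshold = int(max_entries * TRAP_FRACTION)

    for seq in range(1, total_events + 1):
        idx = (seq - 1) % max_entries     # wrap back to the beginning
        old = slots[idx]
        if old is not None and old not in archived:
            lost.append(old)              # overwritten and never copied
        slots[idx] = seq

        if idx + 1 == threshold:          # 80% of this pass written: trap
            if len(traps) not in missed_traps:
                pending.append(seq + copy_delay)
            traps.append(seq)

        while pending and pending[0] <= seq:   # collector copies the file
            pending.pop(0)
            archived.update(s for s in slots if s is not None)

    return traps, lost


if __name__ == "__main__":
    # Copy finishes inside the 20% headroom: nothing is lost.
    print(simulate(30, copy_delay=2))
    # Copy finishes after the wrap: the oldest entries are already gone.
    print(simulate(30, copy_delay=5))
    # Second trap never reaches the collector: a full pass is overwritten.
    print(simulate(30, missed_traps={1}))
```

In this model, a copy that completes within the remaining 20% of the file after each trap loses nothing, while one unhandled trap lets a full file's worth of audit entries be overwritten.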