Audit Logs

Certain operations will result in logging entries to the audit log. These entries are added to the log local to the device and are also sent to a Syslog server if configured. The device maintains two local logs: Auditlog and Raslog. The entries related to starting and terminating connections as well as the configuration commands issued are logged in the Auditlog while the rest of the entries are in Raslog. The Auditlog and Raslog can contain up to 1000 entries and the oldest entries are removed as new ones are added when the maximum log size is reached.

All entries from both local logs are sent to the Syslog server.

The entries are displayed in the following format:

Field               Example
Timestamp           2018/09/26-00:01:43 (GMT)
Entry Number        [SEC-3111]
Entry Type          INFO, SECURITY
Access Method       NONE/root/NONE/None/CLI
Device Name         sw0
Event               Event: TLS SESSION TLS handshake
Event Description   Info: Successfully processed TLS connection . Host=134.141.41.168.

Where:

Timestamp is the time at which the event was recorded in the log.

Entry Number is the item number of the entry in the log.

Entry Type is the type of the audit log item; in this example, an informational entry recorded by a security-related event.

Access Method is how this event was triggered and the access used for it. The 5-tuple includes the user name, the privilege level and how the device is being accessed (e.g., CLI, or None if the event was raised through a protocol transition rather than a user session).

Device Name is the name of the TOE that generated the entry.

Event is the security-related trigger for this entry.

Event Description contains additional information regarding the event.

The log can be displayed from the CLI by:

device# show logging auditlog

To display the latest logs and specify the number of entries to display, the following command can be used instead:

device# show logging auditlog reverse count 10

CLI Audit

CLI Audit can be enabled using configuration command:

device(config)# logging cli-command

This command causes the TOE to audit all commands administered through the CLI. The audit log entry generated contains the command entered by the administrator. Note that help commands and invalid commands (e.g., incorrect syntax) are not audited.

Following is a sample CLI log message:

Sample Log:

Aug 14 01:19:07:I:CLI CMD: "fips show " from ssh client 192.168.1.1

Log Description:

<timestamp>: CLI CMD: "<command>" from [console | telnet client <client-ip> | ssh client <client-ip>]
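The two entry layouts on this page (the seven-column Auditlog format described under "Where:" above, and the CLI CMD format shown in the CLI Audit sample) are what a Syslog collector or a log reviewer has to split apart. The following script is an added example, not code from the device documentation or its vendor: it parses both layouts from constructed sample lines and builds the per-source counts a reviewer would typically want (TLS sessions per remote host, audited CLI commands per access type and client IP). It assumes that Auditlog entries reach the collector as the seven columns of the table above joined by ", " (so the "INFO, SECURITY" Entry Type column splits into two pieces), that in the Access Method 5-tuple the second element is the user name and the last element the access interface, as in the page's sample, and that CLI CMD lines follow the <timestamp>: CLI CMD: "<command>" from ... layout; none of those field positions beyond the sample are stated by the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not captured from a real switch). The Auditlog
# lines assume the table columns are joined by ", "; the CLI lines follow
# the CLI Audit sample on this page.
SAMPLE_AUDITLOG = """\
2018/09/26-00:01:43 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI, sw0, Event: TLS SESSION TLS handshake, Info: Successfully processed TLS connection . Host=134.141.41.168.
2018/09/26-00:02:10 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI, sw0, Event: TLS SESSION TLS handshake, Info: Successfully processed TLS connection . Host=134.141.41.170.
2018/09/26-00:02:11 (GMT), [SEC-3111], INFO, SECURITY, NONE/root/NONE/None/CLI, sw0, Event: TLS SESSION TLS handshake, Info: Successfully processed TLS connection . Host=134.141.41.168.
"""

SAMPLE_CLI_LOG = """\
Aug 14 01:19:07:I:CLI CMD: "fips show " from ssh client 192.168.1.1
Aug 14 01:19:30:I:CLI CMD: "show logging auditlog reverse count 10" from console
Aug 14 01:20:02:I:CLI CMD: "logging cli-command" from telnet client 192.168.1.7
Aug 14 01:20:40:I:CLI CMD: "show fips" from ssh client 192.168.1.1
"""


@dataclass
class AuditEntry:
    timestamp: str
    entry_number: str
    entry_type: str
    access: tuple  # the Access Method 5-tuple, split on "/"
    device: str
    event: str
    description: str

    @property
    def user(self) -> str:
        # Assumption: user name is the second element, as in "NONE/root/NONE/None/CLI".
        return self.access[1]

    @property
    def interface(self) -> str:
        # Assumption: the access interface (CLI / None) is the last element.
        return self.access[-1]


@dataclass
class CliCommandEntry:
    timestamp: str
    command: str          # kept exactly as logged, trailing spaces included
    source: str           # console | telnet | ssh
    client_ip: Optional[str]


HOST_RE = re.compile(r"Host=(\d{1,3}(?:\.\d{1,3}){3})")
CLI_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}):I:CLI CMD: '
    r'"(?P<cmd>[^"]*)" from (?P<src>console|(?:telnet|ssh) client \S+)$'
)


def parse_audit_entry(line: str) -> AuditEntry:
    """Split one Auditlog line into the columns of the format table."""
    parts = line.rstrip().split(", ", 7)  # Entry Type itself contains ", "
    if len(parts) != 8:
        raise ValueError(f"unexpected column count in: {line!r}")
    ts, number, severity, category, access, device, event, desc = parts
    access_tuple = tuple(access.split("/"))
    if len(access_tuple) != 5:
        raise ValueError(f"Access Method is not a 5-tuple: {access!r}")
    return AuditEntry(ts, number, f"{severity}, {category}",
                      access_tuple, device, event, desc)


def parse_cli_entry(line: str) -> CliCommandEntry:
    """Parse one CLI CMD line into timestamp, command, access type and client IP."""
    m = CLI_RE.match(line.rstrip())
    if not m:
        raise ValueError(f"not a CLI CMD line: {line!r}")
    src = m.group("src")
    if src == "console":
        return CliCommandEntry(m.group("ts"), m.group("cmd"), "console", None)
    kind, _, ip = src.split()
    return CliCommandEntry(m.group("ts"), m.group("cmd"), kind, ip)


def tls_sessions_by_host(auditlog_text: str) -> Counter:
    """Count TLS SESSION events per remote host named in the Event Description."""
    counts: Counter = Counter()
    for line in auditlog_text.splitlines():
        if not line.strip():
            continue
        entry = parse_audit_entry(line)
        if entry.event.startswith("Event: TLS SESSION"):
            m = HOST_RE.search(entry.description)
            if m:
                counts[m.group(1)] += 1
    return counts


def commands_by_source(cli_text: str) -> Counter:
    """Count audited CLI commands per (access type, client IP)."""
    counts: Counter = Counter()
    for line in cli_text.splitlines():
        if line.strip():
            e = parse_cli_entry(line)
            counts[(e.source, e.client_ip)] += 1
    return counts


if __name__ == "__main__":
    for host, n in tls_sessions_by_host(SAMPLE_AUDITLOG).most_common():
        print(f"{n} TLS session(s) from {host}")
    for (src, ip), n in commands_by_source(SAMPLE_CLI_LOG).most_common():
        print(f"{n} command(s) via {src} {ip or ''}".rstrip())
```

Both parsers raise on lines that do not match, rather than silently skipping them, so that a change in the device's log layout shows up as an error in the collector instead of as missing events. Because the local Auditlog and Raslog keep only the most recent 1000 entries, this kind of parsing belongs on the Syslog server side, where the full history is retained.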