DCMCFG audits all the configuration changes in DB. FIRMWARE audit the events occurring during firmware download process. SECURITY audit any user-initiated security event for all management interfaces. Audit log messages are saved in the persistent storage. The storage has a limit of 1024 entries and will wrap around if the number of messages exceed the limit.
The SLX device can be configured to stream Audit messages to the specified syslog servers. Audit log messages are not forwarded to SNMP management stations.
Following are few sample outputs.
device(config)# sflow polling-interval 25 2016/06/02-08:48:39, [SFLO-1004], 1067, M1 | Active | DCE, INFO, MMVM, Global sFlow polling interval is changed to 25. 2016/06/02-08:48:39, [SFLO-1006], 1068, M1 | Active | DCE, INFO, MMVM, sFlow polling interval on port Ethernet 1/14 is changed to 25.
device# show logging auditlog reverse count 2 394 AUDIT,2016/06/02-08:48:39 (GMT), [DCM-1006], INFO, DCMCFG, admin/admin/127.0.0.1/console/cli,, SLX9850-4, Event: database commit transaction, Status: Succeeded, User command: "configure config sflow polling-interval 25". 393 AUDIT,2016/06/02-08:40:57 (GMT), [SEC-3022], INFO, SECURITY, root/root/172.22.224.196/telnet/CLI,, MMVM, Event: logout, Status: success, Info: Successful logout by user [root].
For more information on AuditLog messages, refer to the Extreme SLX-OS Message Reference .
When logging off a SSH session that uses <RSA 4096>, the audit log entry will display 127.0.0.1 (localhost) instead of the IP address of the device used to login.