This section provides information on viewing, clearing, and configuring the AUDIT log messages.
To display the saved AUDIT messages, perform the following steps.
Log in to the switch as admin.
Enter the show logging auditlog command at the command line.
You can also display messages in reverse order by using the reverse option.
device# show logging auditlog
[...]
701 AUDIT, 2024/05/04-04:39:40 (GMT), [DCM-1006], INFO, DCMCFG, admin/admin/134.141.245.254/telnet/cli,, dutA, Event: database commit transaction, Status: Succeeded, User command: "configure config interface tunnel 1001".
702 AUDIT, 2024/05/04-04:49:35 (GMT), [SEC-3022], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: logout, Status: success, Info: Successful logout by user [admin].
703 AUDIT, 2024/05/04-04:50:32 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/134.141.245.254/telnet/CLI,, dutA, Event: login, Status: failed, Info: Failed login attempt through REMOTE, IP Addr: 134.141.245.254.
704 AUDIT, 2024/05/04-04:51:09 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 134.141.245.254.
705 AUDIT, 2024/05/04-05:01:19 (GMT), [SEC-3022], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: logout, Status: success, Info: Successful logout by user [admin].
706 AUDIT, 2024/05/04-16:15:42 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/134.141.219.41/telnet/CLI,, SLX9740-80C, Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 134.141.219.41.
707 AUDIT, 2024/05/04-16:16:41 (GMT), [SEC-3030], INFO, SECURITY, admin/admin/134.141.245.254/telnet/cli,, SLX9740-80C, Event: secCertUtil, Status: success, Info: Deleted certificate - https.
708 AUDIT, 2024/05/04-16:16:51 (GMT), [WEBD-3002], INFO, SECURITY, NONE/root/NONE/None/CLI,, dutA, Event: HTTPS Server, Status: success, Info: HTTPS Server is stopped on all VRFs due to HTTPS Host certificate removal.
709 AUDIT, 2024/05/04-16:16:51 (GMT), [SEC-3131], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: Crypto Ca https, Status: success, Info: Host certificate and Private key, imported via PKCS#12 bundle are now deleted.
710 AUDIT, 2024/05/04-16:19:00 (GMT), [SEC-3030], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, SLX9740-80C, Event: secCertUtil, Status: success, Info: Imported certificate - https.pfx from host 10.20.55.129.
711 AUDIT, 2024/05/04-16:19:00 (GMT), [SEC-3130], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: Crypto Ca https, Status: success, Info: Host certificate and Private key are imported in PKCS#12 file format.
712 AUDIT, 2024/05/04-16:20:39 (GMT), [WEBD-3000], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: HTTP(S) Server, Status: success, Info: HTTP(S) Server instance is started on mgmt-vrf VRF.
713 AUDIT, 2024/05/04-16:20:39 (GMT), [DCM-1006], INFO, DCMCFG, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: database commit transaction, Status: Succeeded, User command: "configure config no http server use-vrf mgmt-vrf shutdown".
714 AUDIT, 2024/05/04-16:21:00 (GMT), [WEBD-3000], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: HTTP(S) Server, Status: success, Info: HTTP(S) Server instance is started on default-vrf VRF.
715 AUDIT, 2024/05/04-16:21:00 (GMT), [DCM-1006], INFO, DCMCFG, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: database commit transaction, Status: Succeeded, User command: "configure config no http server use-vrf default-vrf shutdown".
716 AUDIT, 2024/05/04-16:29:14 (GMT), [TS-1009], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: attempt.
717 AUDIT, 2024/05/04-16:29:14 (GMT), [TS-1010], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: success, Info: from 2024-05-04 16:29:14 to 2024-05-15 23:59:59.
718 AUDIT, 2024/05/16-00:00:46 (GMT), [SEC-3136], WARNING, SECURITY, NONE/NONE/NONE/None/CLI,, dutA, Event: cert expiry , Alert-level:CRITICAL, Certificate Details=[subject= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=10.20.55.129 issuer= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=Extreme Root CA/emailAddress=abalan@extreme.com serial=1000] will expire in 3 days.
719 AUDIT, 2024/05/16-00:03:07 (GMT), [TS-1009], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: attempt.
720 AUDIT, 2024/05/16-00:03:07 (GMT), [TS-1010], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: success, Info: from 2024-05-16 00:03:07 to 2024-04-15 23:59:59.
721 AUDIT, 2024/04/16-00:00:52 (GMT), [SEC-3136], WARNING, SECURITY, NONE/NONE/NONE/None/CLI,, dutA, Event: cert expiry , Alert-level:MINOR, Certificate Details=[subject= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=10.20.55.129 issuer= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=Extreme Root CA/emailAddress=abalan@extreme.com serial=1000] will expire in 33 days.
722 AUDIT, 2024/04/16-00:06:07 (GMT), [TS-1009], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: attempt.
723 AUDIT, 2024/04/16-00:06:07 (GMT), [TS-1010], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: success, Info: from 2024-04-16 00:06:07 to 2024-04-25 23:59:59.
724 AUDIT, 2024/04/26-00:00:53 (GMT), [SEC-3136], WARNING, SECURITY, NONE/NONE/NONE/None/CLI,, dutA, Event: cert expiry , Alert-level:MAJOR, Certificate Details=[subject= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=10.20.55.129 issuer= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=Extreme Root CA/emailAddress=abalan@extreme.com serial=1000] will expire in 23 days.
725 AUDIT, 2024/04/26-00:15:51 (GMT), [SEC-3022], INFO, SECURITY, admin/admin/134.141.219.41/telnet/CLI,, SLX9740-80C, Event: logout, Status: success, Info: Successful logout by user [admin].
726 AUDIT, 2024/04/27-00:00:02 (GMT), [SEC-3136], WARNING, SECURITY, NONE/NONE/NONE/None/CLI,, dutA, Event: cert expiry , Alert-level:INFO, Certificate Details=[subject= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=10.20.55.129 issuer= /C=IN/ST=CHENNAI/L=Madras/O=Extreme/OU=HCL/CN=Extreme Root CA/emailAddress=abalan@extreme.com serial=1000] will expire in 22 days.
727 AUDIT, 2024/04/27-02:32:59 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 134.141.245.254.
728 AUDIT, 2024/04/27-02:48:30 (GMT), [SEC-3022], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: logout, Status: success, Info: Successful logout by user [admin].
729 AUDIT, 2024/04/27-02:48:40 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 134.141.245.254.
730 AUDIT, 2024/04/27-03:15:52 (GMT), [SEC-3022], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: logout, Status: success, Info: Successful logout by user [admin].
[...]
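In the output above, the clock is set back at record 720, so later records carry earlier timestamps while the sequence numbers keep increasing. The following Python example is added here and is not part of the product documentation; it parses AUDIT records in the format shown and flags failed logins ([SEC-3021]), clock set-backs ([TS-1010]), and timestamps that run backwards. The field names in the pattern are assumptions inferred from the sample records.

```python
import re
from datetime import datetime

# Constructed sample: five records copied from the output above, one per line.
SAMPLE = """\
703 AUDIT, 2024/05/04-04:50:32 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/134.141.245.254/telnet/CLI,, dutA, Event: login, Status: failed, Info: Failed login attempt through REMOTE, IP Addr: 134.141.245.254.
704 AUDIT, 2024/05/04-04:51:09 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/134.141.245.254/telnet/CLI,, SLX9740-80C, Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 134.141.245.254.
717 AUDIT, 2024/05/04-16:29:14 (GMT), [TS-1010], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: success, Info: from 2024-05-04 16:29:14 to 2024-05-15 23:59:59.
720 AUDIT, 2024/05/16-00:03:07 (GMT), [TS-1010], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: success, Info: from 2024-05-16 00:03:07 to 2024-04-15 23:59:59.
722 AUDIT, 2024/04/16-00:06:07 (GMT), [TS-1009], INFO, SECURITY, admin/admin/134.141.219.41/telnet/cli,, dutA, Event: change time: attempt.
"""

# Group names are this example's own labels (assumptions), not vendor field names.
RECORD = re.compile(
    r"^(?P<seq>\d+) AUDIT, (?P<ts>\d{4}/\d\d/\d\d-\d\d:\d\d:\d\d) \(GMT\), "
    r"\[(?P<msgid>[A-Z]+-\d+)\], (?P<severity>\w+), (?P<cls>\w+), "
    r"(?P<user>[^/]*)/(?P<role>[^/]*)/(?P<ip>[^/]*)/(?P<iface>[^/]*)/(?P<app>[^,]*),"
    r"[^,]*, (?P<host>[^,]+), (?P<detail>.*)$")
STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
TIME_CHANGE = re.compile(rf"from {STAMP} to {STAMP}")

def parse(text):
    """Return one dict per AUDIT record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["seq"] = int(rec["seq"])
            rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d-%H:%M:%S")
            records.append(rec)
    return records

def findings(records):
    """Flag failed logins, clock set-backs, and timestamps that run backwards."""
    out, prev = [], None
    for rec in sorted(records, key=lambda r: r["seq"]):  # order by seq, not time
        if rec["msgid"] == "SEC-3021":
            out.append((rec["seq"], "failed-login", rec["ip"]))
        change = TIME_CHANGE.search(rec["detail"])
        if rec["msgid"] == "TS-1010" and change:
            old, new = (datetime.fromisoformat(s) for s in change.groups())
            if new < old:
                out.append((rec["seq"], "clock-set-back", f"{old} -> {new}"))
        if prev and rec["ts"] < prev["ts"]:
            out.append((rec["seq"], "timestamp-regression", f"after seq {prev['seq']}"))
        prev = rec
    return out
```

Call findings(parse(text)) on saved show logging auditlog output; when reconstructing a timeline, sort on the sequence number, because a clock change makes the timestamps unreliable for ordering.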
To clear the AUDIT log messages for a particular switch instance, perform the following steps.
Log in to the switch as admin.
The AUDIT log classes SECURITY, CONFIGURATION, and FIRMWARE are enabled by default. You can enable or disable auditing of these classes by using the logging auditlog class <class> command.
To configure and verify the event auditing, perform the following steps.
device# configure terminal
Entering configuration mode terminal
Configure the event classes you want to audit. For example, to audit the CONFIGURATION class, enter the following command.
device(config)# logging auditlog class CONFIGURATION
device# show running-config logging auditlog class
logging auditlog class CONFIGURATION