Auditable Events

Introduction

This document provides an overview of auditable events within the system. Auditable events are grouped into categories based on the type of event, which makes them easier to manage and understand. Each individual event produced by the system is identified by a unique Event ID.

Auditable events play a crucial role in maintaining the security and integrity of the system. They provide a detailed record of significant actions and changes, which can be used for various purposes, including:

  • Security Monitoring: Tracking login attempts, configuration changes, and other critical actions to detect and respond to potential security threats.
  • Compliance: Ensuring that the system adheres to regulatory requirements by maintaining a detailed audit trail of all significant events.
  • Troubleshooting: Providing a historical record of events that can be used to diagnose and resolve issues within the system.
  • Accounting: Keeping track of user activities and system changes to ensure accountability and transparency.

This document also details the format of syslog messages generated for audit events, the configuration options available for managing audit event logging, and the operational commands for viewing and managing the audit log.

Overview

Auditable Event Categories

Auditable events are grouped into categories based on the type of event, which makes them easier to manage and understand. Each individual Event ID is always associated with one specific category, determined by how the Event ID is constructed.

The entire Event ID is a 64-bit value, where the upper 16 bits are used to specify the category of the event, and the lower 48 bits are used to specify the specific event within that category. The following categories are available:

Category ID | Category Name | Description
0x1000 | Access Control | Events related to access control, such as login, logout, authentication, etc.
0x2000 | Request Error | Events related to errors in requests, such as invalid requests, unauthorized requests, etc.
0x3000 | Control System Event | Events related to the control system, such as link up, link down, system reboot, etc.
0x4000 | Backup Restore Event | Events related to backup and restore operations, such as storing of configuration, etc.
0x5000 | Configuration Change | Events related to configuration changes, such as specific configuration changes to the system.
0x5100 | Configuration Transaction | Events related to configuration transactions, such as configuration commit, rollback, etc.
0x6000 | Audit Log Event | Events related to the audit log, such as audit log display, audit log clear, etc.

Table 1: Auditable Event Categories

Possibly Subject to Change

Since this is a very new addition to the system, changes may be made to the Categories in upcoming releases. The intention is to keep the Categories as stable as possible, but more changes may be needed early on.

Auditable Event Types

Each auditable event is represented by a unique Event ID. The Event ID is a 64-bit value, where the upper 16 bits are used to specify the category of the event, and the lower 48 bits are used to specify the specific event within that category.

The Event ID is constructed in the following manner:

+-----------------+-----------------+-----------------+
| Category        | Main ID         | Sub ID          |
+-----------------+-----------------+-----------------+
| 0xffff          | 0xffffffff      | 0xffff          |
+-----------------+-----------------+-----------------+

As can be seen, the Event ID is divided into three parts:

  • Category: The upper 16 bits are used to specify the category of the event. These are exactly the values defined in the Auditable Event Categories section. No Event ID can exist without a valid category, so it is always possible to determine the category of an Event ID by looking at its upper 16 bits.

  • Main ID: The next 32 bits are used to specify the main ID of the event.

  • Sub ID: The lower 16 bits are used to specify the sub ID of the event. This can be used to further specify an event that is part of a larger category.

As an example, if we take the following Event ID 0x1000000000010010 which represents a successful console login event, we can break it down as follows:

  • Category: 0x1000 which corresponds to the Access Control category.
  • Main ID: 0x000000000010 which is the main ID of the event.
  • Sub ID: 0x0010 which is the sub ID of the event.

Possibly Subject to Change

Since this is a very new addition to the system, changes may be made to the Event IDs in upcoming releases. The intention is to keep the Event IDs as stable as possible, but more changes may be needed early on.

However, if changes are made to existing events in the future, the aim is to retire any existing Event IDs, so that they will not be reused for new events. This way, the Event IDs will always be unique, and will not be reused for different events.

Access Control Events

The following Event IDs are available for the Access Control category:

Event ID | Event Name | Description
0x1000000000010010 | Access Control - Console login Success | Successful console login event.
0x1000000000010011 | Access Control - Console login Exit | Console login exit event.
0x1000000000010012 | Access Control - Console login Failure | Failed console login attempt.
0x1000000000010013 | Access Control - Suspicious Console login Success | Suspicious console login success event, such as a user providing suspicious credentials.
0x1000000000010014 | Access Control - Suspicious Console login Failure | Suspicious console login failure event, such as a user providing suspicious credentials.
0x1000000000010020 | Access Control - SSH login Success | Successful SSH login event.
0x1000000000010021 | Access Control - SSH login Exit | SSH login exit event.
0x1000000000010022 | Access Control - SSH login Failure | Failed SSH login attempt.
0x1000000000010023 | Access Control - Suspicious SSH login Success | Suspicious SSH login success event, such as a user providing suspicious credentials.
0x1000000000010024 | Access Control - Suspicious SSH login Failure | Suspicious SSH login failure event, such as a user providing suspicious credentials.
0x1000000000010030 | Access Control - Web login Success | Successful web login event.
0x1000000000010031 | Access Control - Web login Exit | Web login exit event.
0x1000000000010032 | Access Control - Web login Failure | Failed web login attempt.
0x1000000000010033 | Access Control - Suspicious Web login Success | Suspicious web login success event, such as a user providing suspicious credentials.
0x1000000000010034 | Access Control - Suspicious Web login Failure | Suspicious web login failure event, such as a user providing suspicious credentials.
0x1000000000010040 | Access Control - Telnet login Success | Successful Telnet login event.
0x1000000000010041 | Access Control - Telnet login Exit | Telnet login exit event.
0x1000000000010042 | Access Control - Telnet login Failure | Failed Telnet login attempt.
0x1000000000010043 | Access Control - Suspicious Telnet login Success | Suspicious Telnet login success event, such as a user providing suspicious credentials.
0x1000000000010044 | Access Control - Suspicious Telnet login Failure | Suspicious Telnet login failure event, such as a user providing suspicious credentials.
0x1000000000010050 | Access Control - Other login Success | Successful other login event.
0x1000000000010051 | Access Control - Other login Exit | Other login exit event.
0x1000000000010052 | Access Control - Other login Failure | Failed other login attempt.
0x1000000000010053 | Access Control - Suspicious Other login Success | Suspicious other login success event, such as a user providing suspicious credentials.
0x1000000000010054 | Access Control - Suspicious Other login Failure | Suspicious other login failure event, such as a user providing suspicious credentials.
0x1000000000020000 | Access Control - SNMPv3 Access Success | Successful SNMPv3 access event.
0x1000000000020001 | Access Control - SNMPv3 Access Failure | Failed SNMPv3 access attempt.
0x1000000000020002 | Access Control - SNMPv3 Engine ID Failure | SNMPv3 engine ID failure event.
0x1000000000020003 | Access Control - SNMPv2 Access Success | Successful SNMPv2 access event.
0x1000000000020004 | Access Control - SNMPv2 Access Failure | Failed SNMPv2 access attempt.
0x1000000000020005 | Access Control - SNMP Command Success | Successful SNMP command event.
0x1000000000020006 | Access Control - SNMP Command Failure | Failed SNMP command attempt.
0x1000000000030000 | Access Control - Enter CLI Shell | Entered CLI shell event.
0x1000000000030001 | Access Control - Exit CLI Shell | Exited CLI shell event.

Table 2: Access Control Events
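
The Event ID layout and the login rows of Table 2, worked through as an added example (not code from the system or its vendor). It follows the 16/32/16-bit split shown in the layout diagram, so the Main ID of 0x1000000000010010 decodes to the 32-bit value 0x00000001. The channel/outcome reading of the Sub ID is an assumption inferred from the rows of Table 2, and the sample input list is constructed.

```python
from collections import Counter
from typing import NamedTuple, Optional, Tuple

# Category IDs and names as listed in Table 1.
CATEGORIES = {
    0x1000: "Access Control",
    0x2000: "Request Error",
    0x3000: "Control System Event",
    0x4000: "Backup Restore Event",
    0x5000: "Configuration Change",
    0x5100: "Configuration Transaction",
    0x6000: "Audit Log Event",
}

# Assumption inferred from the rows of Table 2 (the document does not state
# it as a rule): login events use Main ID 0x00000001, and in the Sub ID
# bits 4-15 select the login channel while bits 0-3 give the outcome.
LOGIN_MAIN_ID = 0x00000001
LOGIN_CHANNELS = {1: "Console", 2: "SSH", 3: "Web", 4: "Telnet", 5: "Other"}
LOGIN_OUTCOMES = {
    0: "Success",
    1: "Exit",
    2: "Failure",
    3: "Suspicious Success",
    4: "Suspicious Failure",
}


class EventId(NamedTuple):
    category: int  # upper 16 bits
    main_id: int   # next 32 bits
    sub_id: int    # lower 16 bits


def parse_event_id(text: str) -> EventId:
    """Split a hex Event ID into its fields; reject malformed or unknown IDs."""
    value = int(text, 16)  # raises ValueError on non-hex input
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError(f"not a 64-bit value: {text}")
    category = value >> 48
    if category not in CATEGORIES:
        # Every Event ID must start with a category from Table 1.
        raise ValueError(f"unknown category 0x{category:04x} in {text}")
    return EventId(category, (value >> 16) & 0xFFFFFFFF, value & 0xFFFF)


def describe_login(event: EventId) -> Optional[Tuple[str, str]]:
    """Return (channel, outcome) for a login event, or None for anything else."""
    if event.category != 0x1000 or event.main_id != LOGIN_MAIN_ID:
        return None
    channel = LOGIN_CHANNELS.get(event.sub_id >> 4)
    outcome = LOGIN_OUTCOMES.get(event.sub_id & 0xF)
    if channel is None or outcome is None:
        return None
    return channel, outcome


def triage(event_ids):
    """Count failed or suspicious logins per channel and collect rejected IDs."""
    alerts = Counter()
    rejected = []
    for text in event_ids:
        try:
            event = parse_event_id(text)
        except ValueError:
            rejected.append(text)
            continue
        login = describe_login(event)
        if login and ("Failure" in login[1] or login[1].startswith("Suspicious")):
            alerts[login[0]] += 1
    return alerts, rejected


# Constructed sample: Event IDs as a log collector might have extracted them.
# The last two entries are deliberately invalid (unknown category, non-hex).
SAMPLE_EVENT_IDS = [
    "0x1000000000010022",  # SSH login Failure
    "0x1000000000010022",  # SSH login Failure
    "0x1000000000010023",  # Suspicious SSH login Success
    "0x1000000000010010",  # Console login Success
    "0x3000000000020001",  # Link Up
    "0x5000000000110000",  # Configuration Change - Password
    "0x7000000000000001",
    "not-an-id",
]

if __name__ == "__main__":
    alerts, rejected = triage(SAMPLE_EVENT_IDS)
    for channel, count in alerts.items():
        print(f"{channel}: {count} failed or suspicious login event(s)")
    print("rejected:", rejected)
```

Because the document states that Event IDs may still change between releases, a consumer built this way should treat an ID it cannot decode as something to review, not something to drop silently.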

Request Error Events

The following Event IDs are available for the Request Error category:

Event ID | Event Name | Description
0x2000000000010000 | Request Error - Unauthorized CLI Command | Unauthorized CLI command attempt.
0x2000000000020000 | Request Error - SNMP OID Request Success | Successful SNMP OID request.
0x2000000000020001 | Request Error - SNMP OID Request Failure | Failed SNMP OID request.
0x2000000000030000 | Request Error - Unauthorized SSH User | Unauthorized SSH user attempt.
0x2000000000030001 | Request Error - Unauthorized Web User | Unauthorized web user attempt.
0x2000000000030002 | Request Error - Unauthorized Console User | Unauthorized console user attempt.

Table 3: Request Error Events

Control System Events

The following Event IDs are available for the Control System Event category:

Event ID | Event Name | Description
0x3000000000010001 | Control System Event - Service Start | Service start event.
0x3000000000010002 | Control System Event - Service Stop | Service stop event.
0x3000000000010003 | Control System Event - Service Restart | Service restart event.
0x3000000000010004 | Control System Event - Service Died | Service died event.
0x3000000000010005 | Control System Event - Service Crash | Service crash event.
0x3000000000010006 | Control System Event - Service Crash Restart | Service crash restart event.
0x3000000000020001 | Control System Event - Link Up | Link up event.
0x3000000000020002 | Control System Event - Link Down | Link down event.
0x3000000000030001 | Control System Event - System Boot | System boot event.
0x3000000000030002 | Control System Event - System Startup | System startup event.
0x3000000000030003 | Control System Event - System Operational | System operational event.
0x3000000000030004 | Control System Event - System Shutdown | System shutdown event.
0x3000000000030005 | Control System Event - System Upgrade | System upgrade event.
0x3000000000040000 | Control System Event - ECSC Communication Established | ECSC communication established event.
0x3000000000040001 | Control System Event - TTDP Stack Ready | TTDP stack ready event.
0x3000000000050002 | Control System Event - DHCP Client Lease Deconfig | DHCP client lease deconfig event.
0x3000000000050003 | Control System Event - DHCP Client Lease Renew | DHCP client lease renew event.
0x3000000000050004 | Control System Event - DHCP Client Lease Bound | DHCP client lease bound event.
0x3000000000050005 | Control System Event - DHCP Client Received NAK | DHCP client received NAK event.
0x3000000000050006 | Control System Event - DHCP Client Lease Failed | DHCP client lease failed event.
0x3000000000050100 | Control System Event - DHCP Server Discover | DHCP server discover event.
0x3000000000050101 | Control System Event - DHCP Server Offer | DHCP server offer event.
0x3000000000050102 | Control System Event - DHCP Server Request | DHCP server request event.
0x3000000000050103 | Control System Event - DHCP Server Acknowledge | DHCP server acknowledge event.
0x3000000000050104 | Control System Event - DHCP Server Release | DHCP server release event.
0x3000000000050105 | Control System Event - DHCP Server NAK | DHCP server NAK event.
0x3000000000050106 | Control System Event - DHCP Server Decline | DHCP server decline event.
0x3000000000050107 | Control System Event - DHCP Server Inform | DHCP server inform event.
0x3000000000050108 | Control System Event - DHCP Server No Address Available | DHCP server no address available event.
0x3000000000060001 | Control System Event - Configuration Changed | Configuration changed event.
0x3000000000070001 | Control System Event - Enter Maintenance Mode | Enter maintenance mode event.
0x3000000000070002 | Control System Event - Exit Maintenance Mode | Exit maintenance mode event.
0x3000000000080000 | Control System Event - MRP Ring OK | MRP ring OK event.
0x3000000000080001 | Control System Event - MRP Ring Broken | MRP ring broken event.
0x3000000000090000 | Control System Event - NTP Clock Synchronized | NTP clock synchronized event.
0x3000000000090001 | Control System Event - NTP Update Failed | NTP update failed event.
0x30000000000a0000 | Control System Event - FRNT Ring OK | FRNT ring OK event.
0x30000000000a0001 | Control System Event - FRNT Ring Broken | FRNT ring broken event.
0x30000000000b0000 | Control System Event - Duplicate IP Address | Duplicate IP address event.
0x30000000000b0001 | Control System Event - Duplicate MAC Address | Duplicate MAC address event.
0x30000000000b0002 | Control System Event - ARP New Entry | ARP new entry event.
0x30000000000b0003 | Control System Event - ARP Entry Changed | ARP entry changed event.
0x30000000000b0004 | Control System Event - ARP Entry Flip Flop | ARP entry flip flop event.
0x30000000000c0000 | Control System Event - RICO Port State Change | RICO port state change event.
0x30000000000d0000 | Control System Event - ATU Full Violation | ATU full violation event.
0x30000000000e0000 | Control System Event - Unknown IPv4 Route Install | Unknown IPv4 route install event.
0x30000000000e0001 | Control System Event - Unknown IPv4 Route Delete | Unknown IPv4 route delete event.
0x30000000000e0002 | Control System Event - Kernel IPv4 Route Install | Kernel IPv4 route install event.
0x30000000000e0003 | Control System Event - Kernel IPv4 Route Delete | Kernel IPv4 route delete event.
0x30000000000e0004 | Control System Event - Connected IPv4 Route Install | Connected IPv4 route install event.
0x30000000000e0005 | Control System Event - Connected IPv4 Route Delete | Connected IPv4 route delete event.
0x30000000000e0006 | Control System Event - Static IPv4 Route Install | Static IPv4 route install event.
0x30000000000e0007 | Control System Event - Static IPv4 Route Delete | Static IPv4 route delete event.
0x30000000000e0008 | Control System Event - RIP IPv4 Route Install | RIP IPv4 route install event.
0x30000000000e0009 | Control System Event - RIP IPv4 Route Delete | RIP IPv4 route delete event.
0x30000000000e000a | Control System Event - OSPF IPv4 Route Install | OSPF IPv4 route install event.
0x30000000000e000b | Control System Event - OSPF IPv4 Route Delete | OSPF IPv4 route delete event.
0x30000000000e000c | Control System Event - Kernel IPv6 Route Install | Kernel IPv6 route install event.
0x30000000000e000d | Control System Event - Kernel IPv6 Route Delete | Kernel IPv6 route delete event.
0x30000000000e000e | Control System Event - Connected IPv6 Route Install | Connected IPv6 route install event.
0x30000000000e000f | Control System Event - Connected IPv6 Route Delete | Connected IPv6 route delete event.
0x30000000000e0010 | Control System Event - Static IPv6 Route Install | Static IPv6 route install event.
0x30000000000e0011 | Control System Event - Static IPv6 Route Delete | Static IPv6 route delete event.
0x30000000000e0012 | Control System Event - RIP IPv6 Route Install | RIP IPv6 route install event.
0x30000000000e0013 | Control System Event - RIP IPv6 Route Delete | RIP IPv6 route delete event.
0x30000000000e0014 | Control System Event - OSPF IPv6 Route Install | OSPF IPv6 route install event.
0x30000000000e0015 | Control System Event - OSPF IPv6 Route Delete | OSPF IPv6 route delete event.
0x30000000000e0016 | Control System Event - Unknown IPv6 Route Install | Unknown IPv6 route install event.
0x30000000000e0017 | Control System Event - Unknown IPv6 Route Delete | Unknown IPv6 route delete event.
0x30000000000e0018 | Control System Event - Multicast IPv4 Route Install | Multicast IPv4 route install event.
0x30000000000e0019 | Control System Event - Multicast IPv4 Route Delete | Multicast IPv4 route delete event.
0x30000000000f0000 | Control System Event - Link Alarm Actived | Link alarm activated event.
0x30000000000f0001 | Control System Event - Link Alarm Deactived | Link alarm deactivated event.
0x30000000000f0002 | Control System Event - Temp Alarm Actived | Temperature alarm activated event.
0x30000000000f0003 | Control System Event - Temp Alarm Deactived | Temperature alarm deactivated event.
0x30000000000f0004 | Control System Event - Power Alarm Actived | Power alarm activated event.
0x30000000000f0005 | Control System Event - Power Alarm Deactived | Power alarm deactivated event.
0x30000000000f0006 | Control System Event - Digin Alarm Actived | Digital input alarm activated event.
0x30000000000f0007 | Control System Event - Digin Alarm Deactived | Digital input alarm deactivated event.
0x30000000000f0008 | Control System Event - Ping Alarm Actived | Ping alarm activated event.
0x30000000000f0009 | Control System Event - Ping Alarm Deactived | Ping alarm deactivated event.
0x30000000000f000a | Control System Event - FRNT Alarm Actived | FRNT alarm activated event.
0x30000000000f000b | Control System Event - FRNT Alarm Deactived | FRNT alarm deactivated event.
0x30000000000f000c | Control System Event - Ring Alarm Actived | Ring alarm activated event.
0x30000000000f000d | Control System Event - Ring Alarm Deactived | Ring alarm deactivated event.
0x30000000000f000e | Control System Event - Profinet Alarm Actived | Profinet alarm activated event.
0x30000000000f000f | Control System Event - Profinet Alarm Deactived | Profinet alarm deactivated event.
0x30000000000f0010 | Control System Event - POE Alarm Actived | POE alarm activated event.
0x30000000000f0011 | Control System Event - POE Alarm Deactived | POE alarm deactivated event.
0x30000000000f0012 | Control System Event - RICO Alarm Actived | RICO alarm activated event.
0x30000000000f0013 | Control System Event - RICO Alarm Deactived | RICO alarm deactivated event.
0x30000000000f0014 | Control System Event - Media Threshold Alarm Actived | Media threshold alarm activated event.
0x30000000000f0015 | Control System Event - Media Threshold Alarm Deactived | Media threshold alarm deactivated event.
0x30000000000f0016 | Control System Event - Media Plug Alarm Actived | Media plug alarm activated event.
0x30000000000f0017 | Control System Event - Media Plug Alarm Deactived | Media plug alarm deactivated event.
0x3000000000100000 | Control System Event - Media Plugged In | Media plugged in event.
0x3000000000100001 | Control System Event - Media Removed | Media removed event.
0x3000000000100002 | Control System Event - Media Mounted | Media mounted event.
0x3000000000100003 | Control System Event - Media Unmounted | Media unmounted event.
0x3000000000100004 | Control System Event - Media Mount Failed | Media mount failed event.
0x3000000000110000 | Control System Event - Firewall Allow Rule Hit | Firewall allow rule hit event.
0x3000000000110001 | Control System Event - Firewall Deny Rule Hit | Firewall deny rule hit event.

Table 4: Control System Events

Note that this table only lists what can be logged; what is actually logged depends on the configuration of the system. For instance, no audit events related to the DHCP server will be generated if no DHCP server is configured.

Backup Restore Events

The following Event IDs are available for the Backup Restore Event category:

Event ID | Event Name | Description
0x4000000000010000 | Backup Restore - Update Running Configuration | Update the running configuration.
0x4000000000020000 | Backup Restore - Read Config File | Read the configuration file.
0x4000000000020001 | Backup Restore - Read Config File Error | Error reading the configuration file.
0x4000000000020002 | Backup Restore - Read Config File Error - JSON | JSON error while reading the configuration file.
0x4000000000020003 | Backup Restore - Read Config File Error - No Exist | Configuration file does not exist.
0x4000000000030000 | Backup Restore - Validate Config File | Validate the configuration file.
0x4000000000040000 | Backup Restore - Write Config File | Write the configuration file.
0x4000000000040001 | Backup Restore - Write Config File Error | Error writing the configuration file.
0x4000000000040002 | Backup Restore - Write Config File Error - JSON | JSON error while writing the configuration file.
0x4000000000050000 | Backup Restore - Copied Config File - CLI | Configuration file copied via CLI.
0x4000000000060000 | Backup Restore - Verify Config File Encryption | Verify the encryption of the configuration file.
0x4000000000070000 | Backup Restore - Support File Generated | Support file generated.

Table 5: Backup Restore Events

Configuration Change Events

The following Event IDs are available for the Configuration Change category:

Event ID | Event Name | Description
0x5000000000020000 | Configuration Change - LLDP | LLDP configuration change.
0x5000000000020001 | Configuration Change - LLDP Port | LLDP port configuration change.
0x5000000000030000 | Configuration Change - DHCP Server | DHCP server configuration change.
0x5000000000030001 | Configuration Change - DHCP Server Subnet | DHCP server subnet configuration change.
0x5000000000030002 | Configuration Change - DHCP Server Host | DHCP server host configuration change.
0x5000000000030003 | Configuration Change - DHCP Server Route | DHCP server route configuration change.
0x5000000000030004 | Configuration Change - DHCP Server Host Match | DHCP server host match configuration change.
0x5000000000030005 | Configuration Change - DHCP Server Static Leases | DHCP server static leases configuration change.
0x5000000000040000 | Configuration Change - SSH | SSH configuration change.
0x5000000000050000 | Configuration Change - Telnet | Telnet configuration change.
0x5000000000060000 | Configuration Change - Port | Port configuration change.
0x5000000000060001 | Configuration Change - Ethernet Port | Ethernet port configuration change.
0x5000000000070000 | Configuration Change - Ownership | Ownership configuration change.
0x5000000000080000 | Configuration Change - System | System configuration change.
0x5000000000090000 | Configuration Change - TFTP | TFTP configuration change.
0x50000000000a0000 | Configuration Change - DNS | DNS configuration change.
0x50000000000a0001 | Configuration Change - DNS Forward Rule | DNS forward rule configuration change.
0x50000000000a0002 | Configuration Change - DNS Server | DNS server configuration change.
0x50000000000a0003 | Configuration Change - DNS Host | DNS host configuration change.
0x50000000000a0004 | Configuration Change - DNS Search Path | DNS search path configuration change.
0x50000000000b0000 | Configuration Change - NTP | NTP configuration change.
0x50000000000b0001 | Configuration Change - NTP Client | NTP client configuration change.
0x50000000000c0000 | Configuration Change - WEB | WEB configuration change.
0x50000000000c0001 | Configuration Change - HTTP | HTTP configuration change.
0x50000000000c0002 | Configuration Change - HTTPS | HTTPS configuration change.
0x50000000000d0000 | Configuration Change - RSTP | RSTP configuration change.
0x50000000000d0001 | Configuration Change - RSTP Port | RSTP port configuration change.
0x50000000000e0000 | Configuration Change - FRNT | FRNT configuration change.
0x50000000000e0001 | Configuration Change - FRNT Port | FRNT port configuration change.
0x50000000000f0000 | Configuration Change - ICMP | ICMP configuration change.
0x5000000000100000 | Configuration Change - Management | Management configuration change.
0x5000000000110000 | Configuration Change - Password | Password configuration change.
0x5000000000120000 | Configuration Change - VRRP | VRRP configuration change.
0x5000000000120001 | Configuration Change - VRRP Trigger | VRRP trigger configuration change.
0x5000000000120002 | Configuration Change - VRRP Instance | VRRP instance configuration change.
0x5000000000120003 | Configuration Change - VRRP Group | VRRP group configuration change.
0x5000000000130000 | Configuration Change - RIP Interface | RIP interface configuration change.
0x5000000000130001 | Configuration Change - RIP Interface MD5 | RIP interface MD5 configuration change.
0x5000000000130002 | Configuration Change - RIP Interface Secret | RIP interface secret configuration change.
0x5000000000130003 | Configuration Change - RIP Interface Auth | RIP interface auth configuration change.
0x5000000000140000 | Configuration Change - RIP | RIP configuration change.
0x5000000000140001 | Configuration Change - RIP Network | RIP network configuration change.
0x5000000000150000 | Configuration Change - OSPF Interface | OSPF interface configuration change.
0x5000000000150001 | Configuration Change - OSPF Interface MD5 | OSPF interface MD5 configuration change.
0x5000000000150002 | Configuration Change - OSPF Interface Secret | OSPF interface secret configuration change.
0x5000000000150003 | Configuration Change - OSPF Interface Auth | OSPF interface auth configuration change.
0x5000000000160000 | Configuration Change - OSPF | OSPF configuration change.
0x5000000000160001 | Configuration Change - OSPF Network | OSPF network configuration change.
0x5000000000160002 | Configuration Change - OSPF Area | OSPF area configuration change.
0x5000000000160003 | Configuration Change - OSPF Timers | OSPF timers configuration change.
0x5000000000160004 | Configuration Change - OSPF Redistribute | OSPF redistribute configuration change.
0x5000000000160005 | Configuration Change - OSPF Distribute Default | OSPF distribute default configuration change.
0x5000000000170000 | Configuration Change - PIM Interface | PIM interface configuration change.
0x5000000000180000 | Configuration Change - PIM | PIM configuration change.
0x5000000000180001 | Configuration Change - PIM Rendezvous Point | PIM rendezvous point configuration change.
0x5000000000180002 | Configuration Change - PIM Policy | PIM policy configuration change.
0x5000000000180003 | Configuration Change - PIM SSM Prefix | PIM SSM prefix configuration change.
0x5000000000190000 | Configuration Change - Interface | Interface configuration change.
0x5000000000190001 | Configuration Change - Interface IPv4 | Interface IPv4 configuration change.
0x5000000000190002 | Configuration Change - Interface IPv4 Address | Interface IPv4 address configuration change.
0x5000000000190003 | Configuration Change - Interface IPv6 | Interface IPv6 configuration change.
0x50000000001a0000 | Configuration Change - IP | IP configuration change.
0x50000000001a0001 | Configuration Change - IP Route | IP route configuration change.
0x50000000001a0002 | Configuration Change - IP Multicast Route | IP multicast route configuration change.
0x50000000001a0003 | Configuration Change - IP NAT | IP NAT configuration change.
0x50000000001a0004 | Configuration Change - Policy Route Match Ip | Policy route match IP configuration change.
0x50000000001a0005 | Configuration Change - IP Policy Route Match | IP policy route match configuration change.
0x50000000001a0006 | Configuration Change - IP Policy Route | IP policy route configuration change.
0x50000000001b0000 | Configuration Change - Firewall | Firewall configuration change.
0x50000000001b0001 | Configuration Change - Firewall Network | Firewall network configuration change.
0x50000000001b0002 | Configuration Change - Firewall Rule | Firewall rule configuration change.
0x50000000001b0003 | Configuration Change - Firewall Counter | Firewall counter configuration change.
0x50000000001b0004 | Configuration Change - Firewall Log | Firewall log configuration change.
0x50000000001c0000 | Configuration Change - PoE | PoE configuration change.
0x50000000001c0001 | Configuration Change - PoE Port | PoE port configuration change.
0x50000000001d0000 | Configuration Change - AAA | AAA configuration change.
0x50000000001d0001 | Configuration Change - AAA User SSH Key | AAA user SSH key configuration change.
0x50000000001d0002 | Configuration Change - AAA User | AAA user configuration change.
0x50000000001d0003 | Configuration Change - AAA Local User | AAA local user configuration change.
0x50000000001d0004 | Configuration Change - AAA Local Database | AAA local database configuration change.
0x50000000001d0005 | Configuration Change - AAA Remote Server | AAA remote server configuration change.
0x50000000001d0006 | Configuration Change - AAA Server Group | AAA server group configuration change.
0x50000000001d0007 | Configuration Change - AAA Server | AAA server configuration change.
0x50000000001d0008 | Configuration Change - AAA Method | AAA method configuration change.
0x50000000001d0009 | Configuration Change - AAA MAC Pattern | AAA MAC pattern configuration change.
0x50000000001d000a | Configuration Change - AAA Authentication | AAA authentication configuration change.
0x50000000001d000b | Configuration Change - AAA 802.1x Auth Groups | AAA 802.1x auth groups configuration change.
0x50000000001d000c | Configuration Change - AAA MAC Auth Groups | AAA MAC auth groups configuration change.
0x50000000001d000d | Configuration Change - AAA Login Auth Groups | AAA login auth groups configuration change.
0x50000000001d000e | Configuration Change - AAA Password Policy | AAA password policy configuration change.
0x50000000001d000f | Configuration Change - AAA Lockout Policy | AAA lockout policy configuration change.
0x50000000001e0000 | Configuration Change - SSL | SSL configuration change.
0x50000000001e0001 | Configuration Change - SSL Network | SSL network configuration change.
0x50000000001e0002 | Configuration Change - SSL Pool Range | SSL pool range configuration change.
0x50000000001e0003 | Configuration Change - SSL Internal Route | SSL internal route configuration change.
0x50000000001e0004 | Configuration Change - SSL Client Config | SSL client configuration change.
0x50000000001f0000 | Configuration Change - Generic Routing Encap | Generic routing encapsulation configuration change.
0x5000000000200000 | Configuration Change - Audit Logging | Audit logging configuration change.
0x5000000000210000 | Configuration Change - IPSec | IPSec configuration change.
0x5000000000210001 | Configuration Change - IPSec Remote CA | IPSec remote CA configuration change.
0x5000000000210002 | Configuration Change - IPSec Protocol Port | IPSec protocol port configuration change.
0x5000000000220000 | Configuration Change - Tunnel | Tunnel configuration change.
0x5000000000220001 | Configuration Change - SSL Tunnel | SSL tunnel configuration change.
0x5000000000220002 | Configuration Change - GRE Tunnel | GRE tunnel configuration change.
0x5000000000220003 | Configuration Change - IPSec Tunnel | IPSec tunnel configuration change.
0x5000000000230000 | Configuration Change - IPv6 | IPv6 configuration change.
0x5000000000230001 | Configuration Change - IPv6 Route | IPv6 route configuration change.
0x5000000000240000 | Configuration Change - PTP | PTP configuration change.
0x5000000000240001 | Configuration Change - PTP Clock | PTP clock configuration change.
0x5000000000240002 | Configuration Change - PTP Parameters | PTP parameters configuration change.
0x5000000000250000 | Configuration Change - TTDP | TTDP configuration change.
0x5000000000250001 | Configuration Change - TTDP ECN | TTDP ECN configuration change.
0x5000000000250002 | Configuration Change - TTDP Multicast Route | TTDP multicast route configuration change.
0x5000000000250003 | Configuration Change - TTDP Port | TTDP port configuration change.
0x5000000000250004 | Configuration Change - TTDP Internet | TTDP internet configuration change.
0x5000000000260000 | Configuration Change - Watchdog | Watchdog configuration change.
0x5000000000260001 | Configuration Change - Watchdog Monitor | Watchdog monitor configuration change.
0x5000000000270000 | Configuration Change - VLAN | VLAN configuration change.
0x5000000000270001 | Configuration Change - VLAN Commons | VLAN commons configuration change.
0x5000000000270002 | Configuration Change - VLAN dbnum | VLAN dbnum configuration change.
0x5000000000280000 | Configuration Change - LAG | LAG configuration change.
0x5000000000280001 | Configuration Change - LAG LACP | LAG LACP configuration change.
0x5000000000280002 | Configuration Change - LAG TTPD | LAG TTPD configuration change.
0x5000000000280003 | Configuration Change - LAG Port | LAG port configuration change.
0x5000000000290000 | Configuration Change - Action | Action configuration change.
0x5000000000290001 | Configuration Change - Action Interface | Action interface configuration change.
0x50000000002a0000 | Configuration Change - Trigger | Trigger configuration change.
0x50000000002b0000 | Configuration Change - Alarm | Alarm configuration change.
0x50000000002b0001 | Configuration Change - Alarm Trigger | Alarm trigger configuration change.
0x50000000002b0002 | Configuration Change - Alarm Action | Alarm action configuration change.
0x50000000002c0000 | Configuration Change - Ring | Ring configuration change.
0x50000000002c0001 | Configuration Change - Ring Port | Ring port configuration change.
0x50000000002c0002 | Configuration Change - Ring MRP | Ring MRP configuration change.
0x50000000002d0000 | Configuration Change - Console | Console configuration change.
0x50000000002e0000 | Configuration Change - RiCo | RiCo configuration change.
0x50000000002e0001 | Configuration Change - RiCo Coupling Port | RiCo coupling port configuration change.
0x50000000002e0002 | Configuration Change - RiCo Subring | RiCo subring configuration change.
0x50000000002f0000 | Configuration Change - DDNS | DDNS configuration change.
0x50000000002f0001 | Configuration Change - DDNS Provider | DDNS provider configuration change.
0x50000000002f0002 | Configuration Change - DDNS Custom Provider | DDNS custom provider configuration change.
0x50000000002f0003 | Configuration Change - DDNS Builtin Provider | DDNS builtin provider configuration change.
0x5000000000300000 | Configuration Change - Application Container | Application container configuration change.
0x5000000000300001 | Configuration Change - Application Container Share | Application container share configuration change.
0x5000000000300002 | Configuration Change - App Environment Variable | App environment variable configuration change.
0x5000000000310000 | Configuration Change - SNMP | SNMP configuration change.
0x5000000000310001 | Configuration Change - SNMP IP Address | SNMP IP address configuration change.
0x5000000000310002 | Configuration Change - SNMP User | SNMP user configuration change.
0x5000000000310003 Configuration Change - SNMP Trap Host SNMP trap host configuration change.
0x5000000000310004 Configuration Change - SNMP Engine ID SNMP engine ID configuration change.
0x5000000000310005 Configuration Change - SNMP Ifindex Persistence SNMP ifindex persistence configuration change.
0x5000000000310006 Configuration Change - SNMP Command SNMP command configuration change.
0x5000000000320000 Configuration Change - Monitor Monitor configuration change.
0x5000000000320004 Configuration Change - Monitor Destination Monitor destination configuration change.
0x5000000000320006 Configuration Change - Monitor Source Monitor source configuration change.
0x5000000000330000 Configuration Change - Serial Port Serial port configuration change.
0x5000000000340000 Configuration Change - Serial Port App Serial port app configuration change.
0x5000000000350000 Configuration Change - GPS GPS configuration change.
0x5000000000360000 Configuration Change - HSR/PRP HSR/PRP configuration change.
0x5000000000360001 Configuration Change - HSR/PRP Statistics HSR/PRP statistics configuration change.
0x5000000000360002 Configuration Change - HSR/PRP Port HSR/PRP port configuration change.
0x5000000000360003 Configuration Change - HSR/PRP Pairing HSR/PRP pairing configuration change.
0x5000000000370000 Configuration Change - Multicast DNS Multicast DNS configuration change.
0x5000000000380000 Configuration Change - VRF VRF configuration change.
0x5000000000390001 Configuration Change - MPTCP MPTCP configuration change.
0x50000000003a0000 Configuration Change - Profinet Profinet configuration change.
0x50000000003b0000 Configuration Change - DHCP Relay DHCP relay configuration change.
0x50000000003b0001 Configuration Change - DHCP Relay Interface DHCP relay interface configuration change.
0x50000000003b0002 Configuration Change - DHCP Relay Server DHCP relay server configuration change.
0x50000000003b0003 Configuration Change - DHCP Relay Option 82 DHCP relay option 82 configuration change.
0x50000000003b0004 Configuration Change - DHCP Relay Port DHCP relay port configuration change.
0x50000000003c0000 Configuration Change - CLI CLI configuration change.
0x50000000003d0000 Configuration Change - SSDP SSDP configuration change.
0x50000000003e0000 Configuration Change - Metrics Metrics configuration change.
0x50000000003f0000 Configuration Change - DOT1X DOT1X configuration change.
0x50000000003f0001 Configuration Change - MAC auth MAC authentication configuration change.
0x50000000003f0002 Configuration Change - Port Access Port access configuration change.
0x5000000000400000 Configuration Change - FDB FDB configuration change.
0x5000000000400001 Configuration Change - FDB MAC FDB MAC configuration change.
0x5000000000400002 Configuration Change - FDB Group FDB group configuration change.
0x5000000000410000 Configuration Change - RNRP RNRP configuration change.
0x5000000000410001 Configuration Change - RNRP Explicit RNRP explicit configuration change.
0x5000000000420000 Configuration Change - Vendor Vendor configuration change.
0x5000000000430000 Configuration Change - Policy Policy configuration change.
0x5000000000430001 Configuration Change - Policy Network Policy network configuration change.
0x5000000000430002 Configuration Change - Policy Rule Policy rule configuration change.
0x5000000000430003 Configuration Change - Policy Port Policy port configuration change.
0x5000000000440000 Configuration Change - AT Command AT command configuration change.
0x5000000000440001 Configuration Change - AT Map AT map configuration change.
0x5000000000440002 Configuration Change - AT Message AT message configuration change.
0x5000000000440003 Configuration Change - AT User Message AT user message configuration change.
0x5000000000450000 Configuration Change - Logging Logging configuration change.
0x5000000000450001 Configuration Change - Logging Source Logging source configuration change.
0x5000000000450002 Configuration Change - Logging Destination Logging destination configuration change.
0x5000000000450003 Configuration Change - Logging Filter Logging filter configuration change.
0x5000000000450004 Configuration Change - Logging Sink Logging sink configuration change.
0x5000000000460000 Configuration Change - TRDP TRDP configuration change.
0x5000000000470000 Configuration Change - Router Router configuration change.
0x5000000000480000 Configuration Change - RiCh RiCh configuration change.
0x5000000000490000 Configuration Change - Factory Reset Factory reset configuration change.
0x5000000000500000 Configuration Change - Encrypted Secrets Encrypted secrets configuration change.
0x5000000000510000 Configuration Change - Provisioning Provisioning configuration change.
0x5000000000520000 Configuration Change - PKI PKI configuration change.

Table 6: Configuration Change Events

These Event IDs account for any change made to a configurable setting in the system. Together, the events under the cluster 0x5000xxxxxxxxxxxx provide a comprehensive record of configuration changes.

Referring to the list of auditable Event IDs, various configuration change events can be generated. Instead of having a unique Event ID for every single configuration setting, they are categorized based on the type of setting changed. For example, there are unique Event IDs for changes made to system, interfaces, ports, VLANs, DHCP-Server, etc.

As an example of a configuration change event, consider that we change a few settings under the system configuration, like this:

example:/#> configure
example:/config/#> system
example:/config/system/#> hostname MySwitch
example:/config/system/#> location My Location
example:/config/system/#> contact My Contact
example:/config/system/#> leave
MySwitch:/#>

This should now generate three different audit log entries, each with the Event ID representing configuration changes for system, which would be 0x5000000000080000. Therefore, the generated audit log entries would look something like this:

MySwitch:/#> audit
MySwitch:/audit/#> show
╒ Audit log ring buffer, entries 1-3 of 142 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                           │
│209  2025-03-10  Notice          admin          Configuration C...  system: "contact": from 'my       │
│     12:18:44    Security        administrator  System              previous' -> 'My Contact'         │
│                                                0x5000000000080000                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────────────┤
│208  2025-03-10  Notice          admin          Configuration C...  system: "location": from 'other   │
│     12:18:44    Security        administrator  System              location' -> 'My Location'        │
│                                                0x5000000000080000                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────────────┤
│207  2025-03-10  Notice          admin          Configuration C...  system: "hostname": from          │
│     12:18:44    Security        administrator  System              'example' -> 'MySwitch'           │
│                                                0x5000000000080000                                    │
└──────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 48 - Navigation: 'a' for previous page, 'd' for next page, 'q' to quit, 'r' to resize

MySwitch:/#>

As we can see, they all share the same Event ID, but the message indicates the specific values that were changed. In this case, the “contact”, “location”, and “hostname” settings under the system configuration were changed.

Configuration Transaction Events

The following Event IDs are available for the Configuration Transaction category:

Event ID Event Name Description
0x5100000000010000 Configuration Transaction - Start Start of a configuration transaction.
0x5100000000010001 Configuration Transaction - Start - Error Error starting a configuration transaction.
0x5100000000020000 Configuration Transaction - End End of a configuration transaction.
0x5100000000020001 Configuration Transaction - End - Validation Fail Configuration transaction ended with validation failure.
0x5100000000020002 Configuration Transaction - End - Unchanged Configuration transaction ended with no changes.
0x5100000000020003 Configuration Transaction - Activation Activation of a configuration transaction.
0x5100000000020004 Configuration Transaction - End - Error Configuration transaction ended with an error.
0x5100000000030000 Configuration Transaction - Abort Aborted configuration transaction.
0x5100000000040000 Configuration Transaction - Lock Locking a configuration transaction.
0x5100000000050001 Configuration Transaction - Unlock Unlocking a configuration transaction.
0x5100000000060002 Configuration Transaction - Unlock - Error Error unlocking a configuration transaction.

Table 1: Configuration Transaction Events

Audit Log Events

The following Event IDs are available for the Audit Log Event category:

Event ID Event Name Description
0x6000000000010000 Audit Log Event - Display Display audit log.
0x6000000000010001 Audit Log Event - Display Category Display audit log by category.
0x6000000000020000 Audit Log Event - Clear Ring Buffer Clear the audit log ring buffer.
0x6000000000030000 Audit Log Event - Reload wauditd Reload the audit daemon.
0x6000000000040000 Audit Log Event - Export Export the audit log.
0x6000000000050000 Audit Log Event - Search Search the audit log.
0x6000000000060000 Audit Log Event - Time Search Search the audit log by time.
0x6000000000070000 Audit Log Event - Display from Web Display audit log from web interface.

Table 1: Audit Log Events

Syslog Message Format for Auditable Events

For each audit event, a syslog message is generated by default and sent to any configured logging destinations. For the audit events, the syslog message is formatted as follows:

type="audit"; eventid=<EVENTID>; username=<USERNAME>; userid=<USERID>; userrole=<ROLE>; seqnum=<NUM>; eventidtext="<EVENT_TEXT>"; msg="<MESSAGE>";

The different fields are constructed so that they should be easily parsable. The fields are as follows:

Field Description
type The type of the message, in this case audit, and it will always be audit for audit events.
eventid The unique event ID for the audit event, where <EVENTID> is the hexadecimal representation of the event ID.
username The username of the user that generated the audit event, where <USERNAME> is the username of the user.
userid The user ID of the user that generated the audit event, where <USERID> is the user ID of the user, as an integer.
userrole The role of the user that generated the audit event, where <ROLE> is the role of the user.
seqnum The sequence number of the audit event, where <NUM> is the sequence number of the event, as an integer.
eventidtext The text representation of the event ID, where <EVENT_TEXT> is the text representation of the event ID and category.
msg A message that provides additional information about the audit event, where <MESSAGE> is the specific message for the event.

Example of an actual syslog message generated for an audit event, in this case a Link Up event:

type="audit"; eventid=0x3000000000020001; username=root; userid=0; userrole=system; seqnum=57; eventidtext="Control System Event - Link Up"; msg="port/interface ethX8";

Note on the Syslog Message Format

This is simply the message part of the syslog message; the header part is not included here. For information on the full syslog message format, please refer to the Logging documentation.
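The following Python code, added here as an illustration and not taken from the product, parses the message format above, splits the Event ID into category and event, and flags sequence breaks and events that reduce audit visibility. It assumes that seqnum increases by one per forwarded event and that msg is not escaped; every sample line except the Link Up message is constructed.

```python
import re

# Field order and quoting follow the message format given on this page.
# msg is the last field, so it is matched greedily up to the final '";'
# and may itself contain quotes or semicolons (assumption: no escaping).
AUDIT_RE = re.compile(
    r'^type="audit"; eventid=(?P<eventid>0x[0-9a-fA-F]{1,16}); '
    r'username=(?P<username>[^;]*); userid=(?P<userid>-?\d+); '
    r'userrole=(?P<userrole>[^;]*); seqnum=(?P<seqnum>\d+); '
    r'eventidtext="(?P<eventidtext>[^"]*)"; msg="(?P<msg>.*)";\s*$'
)

CATEGORY_NAMES = {  # only categories that appear on this page
    0x1000: "Access Control",
    0x3000: "Control System Event",
    0x5000: "Configuration Change",
    0x5100: "Configuration Transaction",
    0x6000: "Audit Log Event",
}

# (mask, value, label): events that reduce audit visibility. Masking the low
# 16 bits to group the logging sub-events is inferred from the Event ID table.
WATCHLIST = [
    (0xFFFFFFFFFFFFFFFF, 0x6000000000020000, "audit ring buffer cleared"),
    (0xFFFFFFFFFFFF0000, 0x5000000000450000, "logging configuration changed"),
    (0xFFFFFFFFFFFFFFFF, 0x5000000000490000, "factory reset"),
]


def split_event_id(event_id):
    """Upper 16 bits select the category, lower 48 bits the event."""
    return event_id >> 48, event_id & ((1 << 48) - 1)


def parse_audit(message):
    """Return the audit fields as a dict, or None if the line does not match."""
    m = AUDIT_RE.match(message.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["eventid"] = int(rec["eventid"], 16)
    rec["userid"] = int(rec["userid"])
    rec["seqnum"] = int(rec["seqnum"])
    rec["category"], rec["event"] = split_event_id(rec["eventid"])
    rec["category_name"] = CATEGORY_NAMES.get(rec["category"], "unknown")
    return rec


def review(messages):
    """Return findings: unparsed lines, sequence breaks and watchlist hits."""
    findings, prev = [], None
    for index, message in enumerate(messages):
        rec = parse_audit(message)
        if rec is None:
            # Anything that does not fit the format is reported, not guessed at.
            findings.append(("unparsed", index))
            continue
        seq = rec["seqnum"]
        if prev is not None and seq != prev + 1:
            kind = "seq-gap" if seq > prev + 1 else "seq-reset"
            findings.append((kind, prev, seq))
        prev = seq
        for mask, value, label in WATCHLIST:
            if (rec["eventid"] & mask) == value:
                findings.append(("watch", seq, label))
    return findings


def make_sample(eid, user, uid, role, seq, text, msg):
    """Build a message in the page's format (helper for the samples below)."""
    return (f'type="audit"; eventid={eid}; username={user}; userid={uid}; '
            f'userrole={role}; seqnum={seq}; eventidtext="{text}"; msg="{msg}";')


SAMPLE = [
    # The Link Up message shown on this page.
    make_sample("0x3000000000020001", "root", 0, "system", 57,
                "Control System Event - Link Up", "port/interface ethX8"),
    # Constructed: configuration change whose msg contains double quotes.
    make_sample("0x5000000000080000", "admin", 1000, "administrator", 58,
                "Configuration Change - System",
                "system: \"hostname\": from 'example' -> 'MySwitch'"),
    # Constructed: logging destination changed.
    make_sample("0x5000000000450002", "admin", 1000, "administrator", 59,
                "Configuration Change - Logging Destination",
                "constructed message"),
    # Constructed: ring buffer cleared, with seqnum 60-62 never received.
    make_sample("0x6000000000020000", "admin", 1000, "administrator", 63,
                "Audit Log Event - Clear Ring Buffer", "constructed message"),
    # Constructed: truncated line.
    'type="audit"; eventid=0x6000000000020000; username=admin;',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A username containing a semicolon does not match the strict pattern and is reported as unparsed, which is the safer failure for a log pipeline than a mis-split record.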

Tip

When setting up logging on the device, one aspect is to specify the source of the log messages. To send log messages that originate from the device, a source of type local is configured. In turn, this type can select a number of different local sources, one of them being audit. Therefore, when this local source type is selected, only log messages that fall within these auditable events will be sent to the configured logging destinations.

For more information on setting up logging sources, please refer to the Logging documentation.

If for some reason the syslog messages should not be generated for the auditable events, this can be configured in the CLI. Again, the auditable events will still be generated (unless they too are disabled), but they will not be sent to syslog. Instead, they will be stored in the local audit log ring buffer on the device.

Configuration

Configuration options related to audit can be found in the top-level configuration context in the CLI:

example:/#> configure
example:/config/#> audit
example:/config/audit/#>

[no] enable [CATEGORY]

Enable or disable audit event logging

This setting controls whether audit events are logged or not. It is enabled or disabled on a per event category basis.

Default: Enabled, for all categories of audit events.

Example

Enable audit event logging for all categories:

example:/config/audit/#> enable

Disable audit event logging for all categories:

example:/config/audit/#> no enable

Enable audit event logging for a specific category:

example:/config/audit/#> enable access-control

Disable audit event logging for a specific category:

example:/config/audit/#> no enable access-control

Multiple categories can be enabled or disabled at the same time:

example:/config/audit/#> enable access-control request-error

no
Disable audit event logging. If a specific category is provided, only that category will be disabled. If no category is provided, all categories will be disabled.
CATEGORY
Based on the list of available audit event categories, this is the category to enable or disable. If no category is provided, all categories will be enabled or disabled.

TAB Completion

When providing the category, tab completion can be used to list all available categories.

[no] syslog

Enable or disable sending audit log messages to syslog

This setting controls whether audit events are sent to syslog or not.

Note

Auditable event messages are always generated, if enabled, regardless of whether they are sent to syslog or not. On the device itself, they are stored separately from the syslog messages. If the auditable events are to be sent to a logging destination, this setting must be enabled.

Default: Enabled

Example

Enable sending audit log messages to syslog:

example:/config/audit/#> syslog

Disable sending audit log messages to syslog:

example:/config/audit/#> no syslog

no
Disable sending audit log messages to syslog.

Operational Commands

Operational commands related to auditable events can be found in the audit context, located in the top-level exec context in the CLI:

example:/#> audit
example:/audit/#>

list [eventid | category]

List the audit categories and Event IDs that exist in the system.

This command will list all of the audit event categories and event IDs that are available for the system.

Note on the Displayed Event IDs

This list shows every possible event ID and category that can be generated by the system. When these events can be generated is dependent on the configuration of the system.

Example

List all available audit event categories and event IDs:

example:/audit/#> list

eventid
List only the available audit event IDs.
category
List only the available audit event categories.

[show] status

Display basic status information about the internal audit ring buffer.

This command will display the current status of the internal audit ring buffer, including the number of entries currently stored in the buffer.

Example

Display the current status of the audit ring buffer:

example:/audit/#> status
AUDIT RING-BUFFER STATUS                                                      
Ring buffer count     : 72
Ring buffer used size : 5.41 KB
Ring buffer max size  : 1.00 MB

clear

Clear the internal audit ring buffer.

This command will clear the internal audit ring buffer, removing all locally stored audit events.

Authorized Users Only

This command is only accessible by administrator level users.

Example

Clear the internal audit ring buffer:

example:/audit/#> clear
Are you sure you want to clear the audit log? (y/N) y
Clearing audit log…
example:/audit/#>

Viewing Auditable Events

Auditable events can be accessed and viewed in the CLI, from the audit context, accessed from the top level exec context:

example:/#> audit
example:/audit/#>

By default, when show commands are executed, the CLI attempts to display the audit log in an interactive mode, which shows the audit log in a paginated format. If this is undesired, the terminal can be set to no interactive. Be aware that this sets no interactive mode for the entire CLI. Simply call interactive to re-enable the interactive mode.

Interactive Mode Over Console Connection

Be aware that by default, when accessing the audit log through the CLI, the CLI will attempt to display the audit log in an interactive mode. Doing this over a console connection can be sluggish, as the output speed is limited by the baud rate of the connection.

Interactive Mode and Terminal Size

The interactive mode will attempt to display the audit log in a paginated format, based on the terminal size.

If the terminal size is not deemed large enough, the interactive mode will not be used, and the output will be displayed in a single page.

show

Display the entire internal audit ring buffer.

This command will display the entire internal audit ring buffer, showing all of the stored audit events.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entire audit ring buffer:

example:/audit/#> show
╒ Audit log ring buffer, entries 1-4 of 149 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│216  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:14    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│215  2025-03-10  Info            root           Control System …    interface vlan1 ip              │
│     12:42:57    Security        system         DHCP Client Lea…    198.18.1.101 mask 24 broadcast  │
│                                                0x3000000000050003  198.18.1.255 router 198.18.1.99 │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 38 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize
example:/#>

show last [NUMBER]

Display the last [NUMBER] entries in the internal audit ring buffer.

This command will display the last [NUMBER] entries in the internal audit ring buffer.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the last 3 entries in the audit ring buffer:

example:/audit/#> show last 3
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│216  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:14    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize
example:/#>

NUMBER
The number of entries to display, provided as an integer.

show range [START] [NUM]

Display a range of entries in the internal audit ring buffer.

This command will display [NUM] entries in the internal audit ring buffer, starting from entry [START].

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display 3 entries beginning from the 6th entry in the audit ring buffer:

example:/audit/#> show range 6 8
╒ Audit log ring buffer, entries 6-8 of 8 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize
example:/#>

show time [[YYYY-MM[-DD]] [hh:mm[:ss]]] [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer within the specified time range.

This command will display the entries in the internal audit ring buffer that fall within the specified time range.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that fall within the time range from 2025-03-10 12:48:30 to 2025-03-10 12:48:50:

example:/audit/#> show time 2025-03-10 12:48:30 2025-03-10 12:48:50
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

YYYY
The year, provided as an integer.
MM
The month, provided as an integer between 1 and 12.
DD
The day, provided as an integer between 1 and 31.
hh
The hour, provided as an integer between 0 and 23.
mm
The minute, provided as an integer between 0 and 59.
ss
The second, provided as an integer between 0 and 59.

show from [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer from the specified time.

This command will display the entries in the internal audit ring buffer that have been generated with a timestamp that falls after the specified time.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that have been generated from 2025-03-10 12:48:30:

example:/audit/#> show from 2025-03-10 12:48:30
╒ Audit log ring buffer, entries 9-12 of 12 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│220  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:50:53    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 2 of 2 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

YYYY
The year, provided as an integer.
MM
The month, provided as an integer between 1 and 12.
DD
The day, provided as an integer between 1 and 31.
hh
The hour, provided as an integer between 0 and 23.
mm
The minute, provided as an integer between 0 and 59.
ss
The second, provided as an integer between 0 and 59.

show to [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer to the specified time.

This command will display the entries in the internal audit ring buffer that have been generated with a timestamp that falls before the specified time.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that have been generated up to 2025-03-10 12:48:50:

example:/audit/#> show to 2025-03-10 12:48:50
╒ Audit log ring buffer, entries 1-3 of 148 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 50 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

YYYY
The year, provided as an integer.
MM
The month, provided as an integer between 1 and 12.
DD
The day, provided as an integer between 1 and 31.
hh
The hour, provided as an integer between 0 and 23.
mm
The minute, provided as an integer between 0 and 59.
ss
The second, provided as an integer between 0 and 59.
show search [case] "STRING"

Display the entries in the internal audit ring buffer that contain the specified string.

This command will display the entries in the internal audit ring buffer that contain the specified string. The provided search string supports regular expressions. The search is matched against the Event ID and the message of the audit event.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that contain the string SSH login:

example:/audit/#> show search "SSH login"
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE  EVENTID             MESSAGE                             │
│218  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:48:37    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root       Access Control      SSH login exit for user ‘admin’     │
│     12:48:34    Auth            system     SSH login Exit      from 198.18.1.99:33202              │
│                                            0x1000000000010021                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│115  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:13:07    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

case
If the case argument is provided, the search will be case sensitive.
"STRING"
The string to search for, provided in double quotes. This is a free-form string that supports regular expressions.
show category CATEGORY

Display the entries in the internal audit ring buffer that belong to the specified category.

This command will display the entries in the internal audit ring buffer that belong to the specified category.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that belong to the access-control category:

example:/audit/#> show category "access-control"
╒ Audit log ring buffer, entries 1-5 of 5 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE  EVENTID             MESSAGE                             │
│218  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:48:37    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root       Access Control      SSH login exit for user ‘admin’     │
│     12:48:34    Auth            system     SSH login Exit      from 198.18.1.99:33202              │
│                                            0x1000000000010021                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│115  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:13:07    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│111  2025-03-10  Notice          admin      Access Control      CLI Domain shell exited             │
│     12:12:51    Auth            admini…    Exit CLI Shell                                          │
│                                            0x1000000000030001                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│110  2025-03-10  Notice          admin      Access Control      CLI Domain shell accessed           │
│     12:12:50    Auth            admini…    Enter CLI Shell                                         │
│                                            0x1000000000030000                                      │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

CATEGORY

The category to display, based on the available categories.

TAB Completion

The available categories can be tab completed in the CLI.

show raw

Display the raw audit log file.

This command will display the raw audit log file, showing all of the stored audit events. The output does not come from the ring buffer that stores the audit events, but from a local log file written with syslog. The output in this file therefore shows how the audit messages also look when sent to a remote syslog server.

Number of Entries

The number of entries stored in the raw audit log file is most likely far smaller than the number stored in the internal audit ring buffer.

Example

Display the raw audit log file:

example:/audit/#> show raw
Mar 10 12:48:34 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010021; username=root; userid=0; userrole=system; seqnum=217; eventidtext="Access Control - SSH login Exit"; msg="SSH login exit for user ‘admin’ from 198.18.1.99:33202";
Mar 10 12:48:37 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010020; username=root; userid=0; userrole=system; seqnum=218; eventidtext="Access Control - SSH login Success"; msg="Authentication successful for user ‘admin’ from 198.18.1.99";
Mar 10 12:48:46 MySwitch wauditd[1624]: type="audit"; eventid=0x6000000000010000; username=admin; userid=500; userrole=administrator; seqnum=219; eventidtext="Audit Log Event - Display"; msg="Entire audit log displayed from the CLI.";
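
An added example (not part of the original documentation and not the product's own code): a Python parser for the raw audit lines above, as a remote syslog collector might run it. It splits each Event ID into its upper 16-bit category and lower 48-bit event number and reports jumps in seqnum. The names parse_audit_line and find_seq_gaps are hypothetical, and it assumes that seqnum increases by one per event, as the sample output suggests, and that quoted values contain no double quotes.

```python
import re

# Syslog header followed by the "key=value;" payload printed by "show raw".
LINE_RE = re.compile(r'^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(\w+)\[(\d+)\]:\s(.*)$')
# Values are bare or double-quoted; typographic double quotes are accepted too.
FIELD_RE = re.compile(r'(\w+)=(?:["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]|([^;]*));')

def parse_audit_line(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2), "daemon": m.group(3)}
    for key, quoted, bare in FIELD_RE.findall(m.group(5)):
        rec[key] = quoted or bare
    if rec.get("type") != "audit":
        return None
    try:
        eventid = int(rec["eventid"], 16)
        rec["seqnum"] = int(rec["seqnum"])
    except (KeyError, ValueError):
        return None  # malformed record: caller should count and alert on these
    rec["category"] = eventid >> 48           # upper 16 bits of the Event ID
    rec["event"] = eventid & ((1 << 48) - 1)  # lower 48 bits of the Event ID
    return rec

def find_seq_gaps(records):
    """Return (previous, current) seqnum pairs that do not advance by exactly one."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur["seqnum"] != prev["seqnum"] + 1:
            gaps.append((prev["seqnum"], cur["seqnum"]))
    return gaps

# The three records from the "show raw" example (field quotes written as ASCII).
SAMPLE = [
    'Mar 10 12:48:34 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010021; username=root; userid=0; userrole=system; seqnum=217; eventidtext="Access Control - SSH login Exit"; msg="SSH login exit for user ‘admin’ from 198.18.1.99:33202";',
    'Mar 10 12:48:37 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010020; username=root; userid=0; userrole=system; seqnum=218; eventidtext="Access Control - SSH login Success"; msg="Authentication successful for user ‘admin’ from 198.18.1.99";',
    'Mar 10 12:48:46 MySwitch wauditd[1624]: type="audit"; eventid=0x6000000000010000; username=admin; userid=500; userrole=administrator; seqnum=219; eventidtext="Audit Log Event - Display"; msg="Entire audit log displayed from the CLI.";',
]

if __name__ == "__main__":
    records = [r for r in map(parse_audit_line, SAMPLE) if r]
    for r in records:
        print(r["seqnum"], hex(r["category"]), hex(r["event"]), r["username"], r["msg"])
    print("gaps:", find_seq_gaps(records))
```

A gap seen on the collector that is not present in the device's ring buffer indicates records that never arrived and is worth alerting on.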