Auditable Events

Introduction

This document provides a overview of auditable events within the system. Auditable events are categorised into different groups based on the type of event, making it easier to manage and understand the events. Each individual event that is produced by the system is represented by a unique Event ID.

Auditable events play a crucial role in maintaining the security and integrity of the system. They provide a detailed record of significant actions and changes, which can be used for various purposes, including:

• Security Monitoring: Tracking login attempts, configuration changes, and other critical actions to detect and respond to potential security threats.
• Compliance: Ensuring that the system adheres to regulatory requirements by maintaining a detailed audit trail of all significant events.
• Troubleshooting: Providing a historical record of events that can be used to diagnose and resolve issues within the system.
• Accounting: Keeping track of user activities and system changes to ensure accountability and transparency.

This document also details the format of syslog messages generated for audit events, the configuration options available for managing audit event logging, and the operational commands for viewing and managing the audit log.

Overview

Auditable Event Categories

The auditable events are categorised into different categories, based on the type of the event. The categories are used to group the events into logical groups, making it easier to manage and understand the events. Each individual Event ID will always be associated with a specific category, based on how the Event ID is constructed.

The entire Event ID is a 64-bit value, where the upper 16 bits are used to specify the category of the event, and the lower 48 bits are used to specify the specific event within that category. The following categories are available:

Table 1: Auditable Event Categories

Auditable Event Types

Each auditable event is represented by a unique Event ID. The Event ID is a 64-bit value, where the upper 16 bits are used to specify the category of the event, and the lower 48 bits are used to specify the specific event within that category.

The Event ID is constructed in the following manner:

+-----------------+-----------------+-----------------+
| Category        | Main ID         | Sub ID          |
+-----------------+-----------------+-----------------+
| 0xffff          | 0xffffffff      | 0xffff          |
+-----------------+-----------------+-----------------+

As can be seen, the Event ID is divided into three parts:

• Category: The upper 16 bits are used to specify the category of the event. This is the exact values defined in the Auditable Event Categories section. Therefore, no Event ID can exist that does not have a valid category, i.e. the initial part of the Event ID will always be a valid category. Therefore, it is always possible to determine the category of an Event ID by looking at the upper 16 bits.

• Main ID: The next 32 bits are used to specify the main ID of the event.

• Sub ID: The lower 16 bits are used to specify the sub ID of the event. This can be used to further specify an event that is part of a larger category.

As an example, if we take the following Event ID 0x1000000000010010 which represents a successful console login event, we can break it down as follows:

• Category: 0x1000 which corresponds to the Access Control category.
• Main ID: 0x000000000010 which is the main ID of the event.
• Sub ID: 0x0010 which is the sub ID of the event.

Access Control Events

The following Event IDs are available for the Access Control category:

Table 2: Access Control Events

Request Error Events

The following Event IDs are available for the Request Error category:

Table 3: Request Error Events

Control System Events

The following Event IDs are available for the Control System Event category:

Table 4: Control System Events

Note that this simply lists what can be logged, what is logged is dependent on the configuration of the system. For instance, no audit events will be generated related to DHCP server if no DHCP server is configured.

Backup Restore Events

The following Event IDs are available for the Backup Restore Event category:

Table 5: Backup Restore Events

Configuration Change Events

The following Event IDs are available for the Configuration Change category:

Table 6: Configuration Change Events

These Event IDs are generated to account for any configuration change made to any configurable setting in the system. All events under the cluster 0x5000xxxxxxxxxxxx provide a comprehensive record of configuration changes to any configurable setting in the system.

Referring to the list of auditable Event IDs, various configuration change events can be generated. Instead of having a unique Event ID for every single configuration setting, they are categorised based on the type of setting changed. For example, there are unique Event IDs for changes made to system, interfaces, ports, VLANs, DHCP-Server, etc.

As an example of a configuration change event, consider that we change a few settings under the system configuration, like this:

example:/#> configure
example:/config/#> system
example:/config/system/#> hostname MySwitch
example:/config/system/#> location My Location
example:/config/system/#> contact My Contact
example:/config/system/#> leave
MySwitch:/#>

This should new generate three different audit log entries, with the Event ID representing configuration changes for system, which would be 0x5000000000080000. Therefore, the generated audit log entries would look something like this:

MySwitch:/#> audit
MySwitch:/audit/#> show
╒ Audit log ring buffer, entries 1-3 of 142 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                           │
│209  2025-03-10  Notice          admin          Configuration C...  system: "contact": from 'my       │
│     12:18:44    Security        administrator  System              previous' -> 'My Contact'         │
│                                                0x5000000000080000                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────────────┤
│208  2025-03-10  Notice          admin          Configuration C...  system: "location": from 'other   │
│     12:18:44    Security        administrator  System              location' -> 'My Location'        │
│                                                0x5000000000080000                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────────────┤
│207  2025-03-10  Notice          admin          Configuration C...  system: "hostname": from          │
│     12:18:44    Security        administrator  System              'example' -> 'MySwitch'           │
│                                                0x5000000000080000                                    │
└──────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 48 | Navigation: 'a' prev, 'd' next, 'q' quit, 'r' refresh, 'g' goto, 'l' display all

MySwitch:/#>

As we can see they all share the same Event ID, but the message indicates the specific values that were changed. In this case we can see that we changed “contact”, “location”, and “hostname” settings under the system configuration.

Configuration Transaction Events

The following Event IDs are available for the Configuration Transaction category:

Table 7: Configuration Transaction Events

Audit Log Events

The following Event IDs are available for the Audit Log Event category:

Table 8: Audit Log Events

File System Events

The following Event IDs are available for the File System Event category:

Table 9: File System Events

Configuration Integrity Events

The following Event IDs are available for the Configuration Integrity Event category:

Table 10: Configuration Integrity Events

Boot Process Events

The following Event IDs are available for the Boot Process Event category:

Table 11: Boot Process Events

Syslog Message Format for Auditable Events

For each audit event, a syslog message is by default generated and sent to the any configured logging destinations. For the audit events, the syslog message is formatted as follows:

type="audit"; eventid=<EVENTID>; username=<USERNAME>; userid=<USERID>; userrole=<ROLE>; seqnum=<NUM>; eventidtext="<EVENT_TEXT>"; msg="<MESSAGE>";

The different fields are constructed so that they should be easily parsable. The fields are as follows:

Example of an actual syslog message generated for an audit event, in this case a Link Up event:

type="audit"; eventid=0x3000000000020001; username=root; userid=0; userrole=system; seqnum=57; eventidtext="Control System Event - Link Up"; msg="port/interface ethX8";

If for some reason the syslog messages should not be generated for the auditable events, this can be configured in the CLI. Again, the auditable events will still be generated (unless they too are disabled), but they will not be sent to syslog, they will be stored in the local audit log ring buffer on the device.

Configuration

Configuration options related Audit can be found in the top-level configuration context in the CLI:

example:/#> configure
example:/config/#> audit
example:/config/audit/#>

[no] enable [CATEGORY]

Enable or disable audit event logging

This setting controls whether audit events are logged or not. It is enabled or disabled on a per event category basis.

Default: Enabled, for all categories of audit events.

Example

Enable audit event logging for all categories:

example:/config/audit/#> enable

Disable audit event logging for all categories:

example:/config/audit/#> no enable

Enable audit event logging for a specific category:

example:/config/audit/#> enable access-control

Disable audit event logging for a specific category:

example:/config/audit/#> no enable access-control

Multiple categories can be enabled or disabled at the same time:

example:/config/audit/#> enable access-control request-error

no

Disable audit event logging. If a specific category is provided, only that category will be disabled. If no category is provided, all categories will be disabled.

CATEGORY

Based on the list of available audit event categories, this is the category to enable or disable. If no category is provided, all categories will be enabled or disabled.

TAB Completion

When providing the category, tab completion can be used to list all available categories.

[no] syslog

Enable or disable sending audit log messages to syslog

This setting controls whether audit events are sent to syslog or not.

Note

Auditable event messages are always generated, if enabled, regardless of whether they are sent to syslog or not. On the device itself, they are stored separately from the syslog messages. If the auditable events are to be sent to a logging destination, this setting must be enabled.

Default: Enabled

Example

Enable sending audit log messages to syslog:

example:/config/audit/#> syslog

Disable sending audit log messages to syslog:

example:/config/audit/#> no syslog

no

Disable sending audit log messages to syslog.

Operational Commands

Operational commands related to auditable events can be found in the audit context, located top-level exec context in the CLI:

example:/#> audit
example:/audit/#>

list [eventid | category]

List the audit Categories and EventIDs that exist in the system.

This command will list all of the existing audit event categories and event IDs that can be available for the system.

Note on the Displayed Event IDs

This list shows every possible event ID and category that can be generated by the system. When these events can be generated is dependent on the configuration of the system.

Example

List all available audit event categories and event IDs:

example:/audit/#> list
…

eventid

List only all available audit event IDs.

category

List only all available audit event categories.

[show] status

Display basic status information about the internal audit ring buffer.

This command will display the current status of the internal audit ring buffer, including the number of entries currently stored in the buffer.

Example

Display the current status of the audit ring buffer:

example:/audit/#> status
AUDIT RING-BUFFER STATUS                                                      
Ring buffer count     : 72
Ring buffer used size : 5.41 KB
Ring buffer max size  : 1.00 MB

clear

Clear the internal audit ring buffer.

This command will clear the internal audit ring buffer, removing all locally stored audit events.

Authorised Users Only

This command is only accessible by administrator level users.

Example

Clear the internal audit ring buffer:

example:/audit/#> clear
Are you sure you want to clear the audit log? (y/N) y
Clearing audit log…
example:/audit/#>

Viewing Auditable Events

Auditable events can be accessed and viewed in the CLI, from the audit context, accessed from the top level exec context:

example:/#> audit
example:/audit/#>

By default, when show commands are executed, the audit log will be attempted to be displayed in an interactive mode. This mode will display the audit log in a paginated format. If this is undesired, the entire terminal can be set to no interactive. Be aware that this will set no interactive mode for the entire CLI. Simply call interactive to re-enable the interactive mode.

Viewing Entires in the Pager

When displaying the audit log in interactive mode, the output will be displayed in a paginated format. The following commands can be used to navigate the output:

Commands

show

Display the entire internal audit ring buffer.

This command will display the entire internal audit ring buffer, showing all of the stored audit events.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entire audit ring buffer:

example:/audit/#> show
╒ Audit log ring buffer, entries 1-4 of 149 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│216  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:14    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│215  2025-03-10  Info            root           Control System …    interface vlan1 ip              │
│     12:42:57    Security        system         DHCP Client Lea…    198.18.1.101 mask 24 broadcast  │
│                                                0x3000000000050003  198.18.1.255 router 198.18.1.99 │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 38 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all
example:/#>

show last <NUMBER>

Display the last NUMBER of entries in the internal audit ring buffer.

This command will display the last NUMBER of entries in the internal audit ring buffer.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the last 3 entries in the audit ring buffer:

example:/audit/#> show last 3
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│216  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:14    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all
example:/#>

NUMBER

The number of entries to display, provided as an integer.

show range <START> <NUM>

Show a range of entries in the audit ring buffer.

The range is specified by a starting entry number START and the number of entries to display NUM, from the starting entry.

The START number is ordered from lowest to highest, with 0 being the latest entry in the ring buffer. Entries are displayed backwards from START, so if START is 0 and NUM is 5, you will see the five latest entries.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display 3 entries beginning from the 6th entry in the audit ring buffer:

example:/audit/#> show range 6 3
╒ Audit log ring buffer, entries 6-8 of 8 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all
example:/#>

START

The starting entry number, provided as an integer. The starting entry is ordered from lowest to highest, with 0 being the latest entry in the ring buffer.

NUM

The number of entries to display, provided as an integer, from the starting entry.

show time [[YYYY-MM[-DD]] [hh:mm[:ss]]] [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer within the specified time range.

This command will display the entries in the internal audit ring buffer that fall within the specified time range.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that fall within the time range from 2025-03-10 12:48:30 to 2025-03-10 12:48:50:

example:/audit/#> show time 2025-03-10 12:48:30 2025-03-10 12:48:50
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all

YYYY

The year, provided as an integer.

MM

The month, provided as an integer between 1 and 12.

DD

The day, provided as an integer between 1 and 31.

hh

The hour, provided as an integer between 0 and 23.

mm

The minute, provided as an integer between 0 and 59.

ss

The second, provided as an integer between 0 and 59.

show from [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer from the specified time.

This command will display the entries in the internal audit ring buffer that have been generated with a timestamp that falls after the specified time.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that have been generated from 2025-03-10 12:48:30:

example:/audit/#> show from 2025-03-10 12:48:30
╒ Audit log ring buffer, entries 9-12 of 12 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│220  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:50:53    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 2 of 2 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all

YYYY

The year, provided as an integer.

MM

The month, provided as an integer between 1 and 12.

DD

The day, provided as an integer between 1 and 31.

hh

The hour, provided as an integer between 0 and 23.

mm

The minute, provided as an integer between 0 and 59.

ss

The second, provided as an integer between 0 and 59.

show to [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer to the specified time.

This command will display the entries in the internal audit ring buffer that have been generated with a timestamp that falls before the specified time.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that have been generated to 2025-03-10 12:48:50:

example:/audit/#> show to 2025-03-10 12:48:50
╒ Audit log ring buffer, entries 1-3 of 148 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 50 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all

YYYY

The year, provided as an integer.

MM

The month, provided as an integer between 1 and 12.

DD

The day, provided as an integer between 1 and 31.

hh

The hour, provided as an integer between 0 and 23.

mm

The minute, provided as an integer between 0 and 59.

ss

The second, provided as an integer between 0 and 59.

show search [case] "STRING"

Display the entries in the internal audit ring buffer that contain the specified string.

This command will display the entries in the internal audit ring buffer that contain the specified string. The provided search string supports regular expressions. The search string will search based on the Event ID and the message of the audit event.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that contain the string SSH login:

example:/audit/#> show search “SSH login”
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE  EVENTID             MESSAGE                             │
│218  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:48:37    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root       Access Control      SSH login exit for user ‘admin’     │
│     12:48:34    Auth            system     SSH login Exit      from 198.18.1.99:33202              │
│                                            0x1000000000010021                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│115  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:13:07    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all

case

If the case argument is provided, the search will be case sensitive.

"STRING"

The string to search for, provided in double quotes. This is a free-form string that supports regular expressions.

show category CATEGORY

Display the entries in the internal audit ring buffer that belong to the specified category.

This command will display the entries in the internal audit ring buffer that belong to the specified category.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that belong to the access-control category:

example:/audit/#> show category “access-control”
╒ Audit log ring buffer, entries 1-5 of 5 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE  EVENTID             MESSAGE                             │
│218  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:48:37    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root       Access Control      SSH login exit for user ‘admin’     │
│     12:48:34    Auth            system     SSH login Exit      from 198.18.1.99:33202              │
│                                            0x1000000000010021                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│115  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:13:07    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│111  2025-03-10  Notice          admin      Access Control      CLI Domain shell exited             │
│     12:12:51    Auth            admini…    Exit CLI Shell                                          │
│                                            0x1000000000030001                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│110  2025-03-10  Notice          admin      Access Control      CLI Domain shell accessed           │
│     12:12:50    Auth            admini…    Enter CLI Shell                                         │
│                                            0x1000000000030000                                      │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 | Navigation: ‘a’ prev, ‘d’ next, ‘q’ quit, ‘r’ refresh, ‘g’ goto, ‘l’ display all

CATEGORY

The category to display, based on the available categories.

TAB Completion

The available categories can be tab completed in the CLI.

show raw

Display the raw audit log file.

This command will display the raw audit log file, showing all of the stored audit events. This is not displaying from the ring buffer storing the audit events, but from a local log file written with syslog. Therefore, the output in this file is how the audit messages would look also when sent to a remote syslog server.

Number of Entries

The number of entries that are stored in the raw audit log file is most likely going to be a lot less than what is stored in the internal audit ring buffer.

Example

Display the raw audit log file:

example:/audit/#> show raw
Mar 10 12:48:34 MySwitch wauditd[1624]: type=”audit”; eventid=0x1000000000010021; username=root; userid=0; userrole=system; seqnum=217; eventidtext=”Access Control - SSH login Exit”; msg=”SSH login exit for user ‘admin’ from 198.18.1.99:33202”;
Mar 10 12:48:37 MySwitch wauditd[1624]: type=”audit”; eventid=0x1000000000010020; username=root; userid=0; userrole=system; seqnum=218; eventidtext=”Access Control - SSH login Success”; msg=”Authentication successful for user ‘admin’ from 198.18.1.99”;
Mar 10 12:48:46 MySwitch wauditd[1624]: type=”audit”; eventid=0x6000000000010000; username=admin; userid=500; userrole=administrator; seqnum=219; eventidtext=”Audit Log Event - Display”; msg=”Entire audit log displayed from the CLI.”;