Auditable Events

Introduction

This document provides an overview of the auditable events within the system. Auditable events are grouped into categories based on the type of event, which makes them easier to manage and understand. Each individual event produced by the system is identified by a unique Event ID.

Auditable events play a crucial role in maintaining the security and integrity of the system. They provide a detailed record of significant actions and changes, which can be used for various purposes, including:

  • Security Monitoring: Tracking login attempts, configuration changes, and other critical actions to detect and respond to potential security threats.
  • Compliance: Ensuring that the system adheres to regulatory requirements by maintaining a detailed audit trail of all significant events.
  • Troubleshooting: Providing a historical record of events that can be used to diagnose and resolve issues within the system.
  • Accounting: Keeping track of user activities and system changes to ensure accountability and transparency.

This document also details the format of syslog messages generated for audit events, the configuration options available for managing audit event logging, and the operational commands for viewing and managing the audit log.

Overview

Auditable Event Categories

Auditable events are grouped into categories based on the type of event, so that related events can be managed and understood together. Every Event ID belongs to exactly one category, because the category is encoded in the Event ID itself.

The Event ID is a 64-bit value: the upper 16 bits hold the category of the event, and the lower 48 bits identify the specific event within that category. The following categories are available:

Category ID | Category Name | Description
0x1000 | Access Control | Events related to access control, such as login, logout, authentication, etc.
0x2000 | Request Error | Events related to errors in requests, such as invalid requests, unauthorized requests, etc.
0x3000 | Control System Event | Events related to the control system, such as link up, link down, system reboot, etc.
0x4000 | Backup Restore Event | Events related to backup and restore operations, such as storing of configuration, etc.
0x5000 | Configuration Change | Events related to configuration changes, such as specific configuration changes to the system.
0x5100 | Configuration Transaction | Events related to configuration transactions, such as configuration commit, rollback, etc.
0x6000 | Audit Log Event | Events related to the audit log, such as audit log display, audit log clear, etc.
0x7000 | File system event | Events related to the file system, such as file creation, deletion, modification, etc.
0x8000 | Configuration Integrity | Events related to configuration integrity, such as configuration integrity check, etc.
0x9000 | Boot Process Event | Events related to the boot process.

Table 1: Auditable Event Categories

Possibly Subject to Change

Because auditable events are a recent addition to the system, the categories may change in upcoming releases. The intention is to keep them as stable as possible, but adjustments may still be needed early on.

Auditable Event Types

Each auditable event is represented by a unique Event ID. The Event ID is a 64-bit value: the upper 16 bits hold the category of the event, and the lower 48 bits identify the specific event within that category.

The Event ID is constructed in the following manner:

+-----------------+-----------------+-----------------+
| Category        | Main ID         | Sub ID          |
+-----------------+-----------------+-----------------+
| 0xffff          | 0xffffffff      | 0xffff          |
+-----------------+-----------------+-----------------+

As can be seen, the Event ID is divided into three parts:

  • Category: The upper 16 bits hold the category, using exactly the values defined in the Auditable Event Categories section. No Event ID exists without a valid category, so the category of any Event ID can always be determined from its upper 16 bits alone.

  • Main ID: The next 32 bits identify the main event within the category.

  • Sub ID: The lower 16 bits further qualify the main event. In the tables below it typically distinguishes related variants of one main event, such as the success, exit and failure outcomes of a login.

As an example, take the Event ID 0x1000000000010010, which represents a successful console login event. It breaks down as follows:

  • Category: 0x1000, which corresponds to the Access Control category.
  • Main ID: 0x00000001, the main ID of the event (the 32 bits between the category and the sub ID).
  • Sub ID: 0x0010, the sub ID of the event.
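The field layout above is straightforward to decode, but a log consumer should also validate what it decodes: an ID whose upper 16 bits are not one of the Table 1 categories is either corrupt or comes from a newer release, and silently bucketing it is worse than rejecting it. The following is an added example, not code from the product or from this page; `CATEGORIES` is copied from Table 1 and every function and class name is this example's own.

```python
"""Decoder for the 64-bit audit Event ID layout (category | main ID | sub ID).

Added example, not code from the product. CATEGORIES is Table 1 of the page;
all function and class names are this example's own.
"""
from dataclasses import dataclass

CATEGORIES = {
    0x1000: "Access Control",
    0x2000: "Request Error",
    0x3000: "Control System Event",
    0x4000: "Backup Restore Event",
    0x5000: "Configuration Change",
    0x5100: "Configuration Transaction",
    0x6000: "Audit Log Event",
    0x7000: "File system event",
    0x8000: "Configuration Integrity",
    0x9000: "Boot Process Event",
}

CATEGORY_BITS, MAIN_BITS, SUB_BITS = 16, 32, 16
MAIN_SHIFT = SUB_BITS                  # main ID sits directly above the sub ID
CATEGORY_SHIFT = MAIN_BITS + SUB_BITS  # category occupies the top 16 bits


@dataclass(frozen=True)
class EventId:
    category: int  # upper 16 bits, one of the keys of CATEGORIES
    main_id: int   # next 32 bits
    sub_id: int    # lower 16 bits

    @property
    def category_name(self) -> str:
        return CATEGORIES[self.category]

    def __int__(self) -> int:
        return encode_event_id(self.category, self.main_id, self.sub_id)


def encode_event_id(category: int, main_id: int, sub_id: int) -> int:
    """Pack the three fields. A field that overflows its width would corrupt
    its neighbour, so the widths are enforced instead of masked away."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category:#06x}")
    if not 0 <= main_id < (1 << MAIN_BITS) or not 0 <= sub_id < (1 << SUB_BITS):
        raise ValueError("main ID must fit in 32 bits and sub ID in 16 bits")
    return (category << CATEGORY_SHIFT) | (main_id << MAIN_SHIFT) | sub_id


def decode_event_id(value) -> EventId:
    """Split an Event ID (int, or hex string as printed in the tables) into its
    fields. Values outside 64 bits or with an unknown category are rejected
    rather than mis-bucketed, so a consumer notices a new or retired ID."""
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value < (1 << 64):
        raise ValueError(f"Event ID {value:#x} does not fit in 64 bits")
    category = (value >> CATEGORY_SHIFT) & ((1 << CATEGORY_BITS) - 1)
    main_id = (value >> MAIN_SHIFT) & ((1 << MAIN_BITS) - 1)
    sub_id = value & ((1 << SUB_BITS) - 1)
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category:#06x} in Event ID {value:#018x}")
    return EventId(category, main_id, sub_id)


def describe(value) -> str:
    """Human-readable breakdown, e.g. for an alert message."""
    e = decode_event_id(value)
    return (f"{int(e):#018x}: category {e.category:#06x} ({e.category_name}), "
            f"main {e.main_id:#010x}, sub {e.sub_id:#06x}")


def check_table(expected_category: int, event_ids) -> list:
    """Return the IDs in a per-category table that do not decode to the category
    the table claims, plus any duplicates. Useful when maintaining a local copy
    of these tables (for example a SIEM field mapping) by hand."""
    seen, bad = set(), []
    for raw in event_ids:
        e = decode_event_id(raw)
        if e.category != expected_category or int(e) in seen:
            bad.append(int(e))
        seen.add(int(e))
    return bad


if __name__ == "__main__":
    print(describe("0x1000000000010010"))
```

`check_table` is the check worth running whenever the tables on this page are transcribed into a mapping file: a typo in one hex digit usually lands the ID in the wrong category or collides with a neighbour, and both are caught.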

Possibly Subject to Change

Because auditable events are a recent addition to the system, the Event IDs may change in upcoming releases. The intention is to keep them as stable as possible, but adjustments may still be needed early on.

If an existing event is changed in the future, the aim is to retire its Event ID rather than reuse it for a new event. Event IDs therefore remain unique over time, and an ID found in an old log never refers to a different event in a newer release.

Access Control Events

The following Event IDs are available for the Access Control category:

Event ID | Event Name | Description
0x1000000000010010 | Console login Success | Successful console login event.
0x1000000000010011 | Console login Exit | Console login session ended.
0x1000000000010012 | Console login Failure | Failed console login attempt.
0x1000000000010013 | Suspicious Console login Success | Console login succeeded with suspicious credentials or context.
0x1000000000010014 | Suspicious Console login Failure | Failed console login attempt flagged as suspicious.
0x1000000000010015 | Console login Success secureTTY | Successful console login via secure TTY (trusted terminal).
0x1000000000010020 | SSH login Success | Successful SSH login event.
0x1000000000010021 | SSH login Exit | SSH login session ended.
0x1000000000010022 | SSH login Failure | Failed SSH login attempt.
0x1000000000010023 | Suspicious SSH login Success | SSH login succeeded with suspicious credentials or context.
0x1000000000010024 | Suspicious SSH login Failure | Failed SSH login attempt flagged as suspicious.
0x1000000000010030 | Web login Success | Successful web interface login event.
0x1000000000010031 | Web login Exit | Web login session ended.
0x1000000000010032 | Web login Failure | Failed web login attempt.
0x1000000000010033 | Suspicious Web login Success | Web login succeeded with suspicious credentials or context.
0x1000000000010034 | Suspicious Web login Failure | Failed web login attempt flagged as suspicious.
0x1000000000010040 | Telnet login Success | Successful Telnet login event.
0x1000000000010041 | Telnet login Exit | Telnet login session ended.
0x1000000000010042 | Telnet login Failure | Failed Telnet login attempt.
0x1000000000010043 | Suspicious Telnet login Success | Telnet login succeeded with suspicious credentials or context.
0x1000000000010044 | Suspicious Telnet login Failure | Failed Telnet login attempt flagged as suspicious.
0x1000000000010050 | Other login Success | Successful login via other (non-standard) method.
0x1000000000010051 | Other login Exit | Other login session ended.
0x1000000000010052 | Other login Failure | Failed login attempt via other method.
0x1000000000010053 | Suspicious Other login Success | Other login succeeded with suspicious credentials or context.
0x1000000000010054 | Suspicious Other login Failure | Failed other login attempt flagged as suspicious.
0x1000000000020000 | SNMPv3 Access Success | Successful SNMPv3 access.
0x1000000000020001 | SNMPv3 Access Failure | Failed SNMPv3 access attempt.
0x1000000000020002 | SNMPv3 Engine ID Failure | SNMPv3 engine ID verification failed.
0x1000000000020003 | SNMPv2 Access Success | Successful SNMPv2 access.
0x1000000000020004 | SNMPv2 Access Failure | Failed SNMPv2 access attempt.
0x1000000000020005 | SNMP Command Success | SNMP command executed successfully.
0x1000000000020006 | SNMP Command Failure | SNMP command execution failed.
0x1000000000030000 | Enter CLI Shell | Entered CLI shell session.
0x1000000000030001 | Exit CLI Shell | Exited CLI shell session.
0x1000000000040001 | Authorized MAC address through mac-authentication | MAC address authorized via MAC authentication.
0x1000000000040002 | De-authorized MAC address through mac-authentication | MAC address de-authorized via MAC authentication.
0x1000000000040003 | Authentication through mac-authentication failed | MAC authentication attempt failed.
0x1000000000040004 | Authorized MAC address through 802.1X | MAC address authorized via IEEE 802.1X authentication.
0x1000000000040005 | De-authorized MAC address through 802.1X | MAC address de-authorized via IEEE 802.1X authentication.
0x1000000000040006 | Authentication through 802.1X failed | IEEE 802.1X authentication attempt failed.

Table 2: Access Control Events

Request Error Events

The following Event IDs are available for the Request Error category:

Event ID | Event Name | Description
0x2000000000010000 | Unauthorized CLI Command | Attempt to execute a CLI command without sufficient authorization.
0x2000000000020000 | SNMP OID Request Success | SNMP OID request completed successfully.
0x2000000000020001 | SNMP OID Request Failure | SNMP OID request failed (e.g., due to permissions or bad OID).
0x2000000000030000 | Unauthorized SSH User | SSH login attempt by an unauthorized user.
0x2000000000030001 | Unauthorized Web User | Web interface login attempt by an unauthorized user.
0x2000000000030002 | Unauthorized Console User | Console login attempt by an unauthorized user.

Table 3: Request Error Events
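The login events in Table 2 and the unauthorized-user events in Table 3 are the ones a monitoring pipeline will key on first. Below is an added example of detection logic over such records, not code from the product or from this page. The records are constructed and assumed to be already parsed (the syslog line format is covered elsewhere on this page), so each record is a `(timestamp, event_id, user, source)` tuple. The decoding of login sub IDs used here, login method in the upper nibble and outcome in the lower nibble, is read off the IDs in Table 2; the page does not state it as a rule, so treat it as an observation that the decoder must be re-checked against if the IDs change.

```python
"""Detection rules keyed on the Access Control and Request Error Event IDs.

Added example, not product code. Records are constructed sample input in the
form (timestamp_seconds, event_id, user, source); real syslog parsing is out
of scope here. The sub-ID nibble layout for logins is inferred from Table 2.
"""
from collections import defaultdict, deque

# Access Control (0x1000), main ID 0x1: sub ID = 0x10 * method + outcome.
LOGIN_METHODS = {1: "console", 2: "ssh", 3: "web", 4: "telnet", 5: "other"}
OUTCOME_SUCCESS, OUTCOME_EXIT, OUTCOME_FAILURE = 0x0, 0x1, 0x2
OUTCOME_SUSPICIOUS_OK, OUTCOME_SUSPICIOUS_FAIL = 0x3, 0x4
OUTCOME_SECURETTY_OK = 0x5  # console only, per Table 2
SUCCESS_OUTCOMES = {OUTCOME_SUCCESS, OUTCOME_SUSPICIOUS_OK, OUTCOME_SECURETTY_OK}
FAILURE_OUTCOMES = {OUTCOME_FAILURE, OUTCOME_SUSPICIOUS_FAIL}

# Request Error (0x2000), main ID 0x3: login attempts by unauthorized users.
UNAUTHORIZED_USER_IDS = {0x2000000000030000, 0x2000000000030001, 0x2000000000030002}


def login_fields(event_id):
    """Return (method, outcome) for a Table 2 login event, else None."""
    category = event_id >> 48
    main_id = (event_id >> 16) & 0xFFFFFFFF
    if category != 0x1000 or main_id != 0x1:
        return None
    sub = event_id & 0xFFFF
    method, outcome = (sub >> 4) & 0xF, sub & 0xF
    if method not in LOGIN_METHODS:
        return None
    return LOGIN_METHODS[method], outcome


def detect(records, threshold=5, window=300):
    """Run the rules over records in time order and return (ts, rule, detail)
    alerts. Failures are tracked per source in a sliding window; a success
    after `threshold` recent failures is escalated separately from the
    brute-force attempt itself, since it means the guess worked."""
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for ts, event_id, user, src in records:
        if event_id in UNAUTHORIZED_USER_IDS:
            alerts.append((ts, "unauthorized-user", f"{user} from {src}"))
            continue
        fields = login_fields(event_id)
        if fields is None:
            continue
        method, outcome = fields
        recent = failures[src]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if outcome in FAILURE_OUTCOMES:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((ts, "login-bruteforce",
                               f"{threshold} failures from {src} via {method} within {window}s"))
        elif outcome in SUCCESS_OUTCOMES:
            if len(recent) >= threshold:
                alerts.append((ts, "bruteforce-success",
                               f"{user} from {src} via {method} after {len(recent)} failures"))
            if outcome == OUTCOME_SUSPICIOUS_OK:
                alerts.append((ts, "suspicious-login", f"{user} from {src} via {method}"))
            if method == "telnet":  # cleartext credentials on the wire
                alerts.append((ts, "cleartext-login", f"{user} from {src} via telnet"))
            recent.clear()
    return alerts


# Constructed sample stream: an SSH password-guessing run that succeeds, an
# unauthorized SSH user, a Telnet login, a suspicious console login, and a
# lone failure long after the window has expired.
SAMPLE_RECORDS = [
    (100, 0x1000000000010022, "admin", "10.0.0.9"),
    (110, 0x1000000000010022, "admin", "10.0.0.9"),
    (120, 0x1000000000010022, "root", "10.0.0.9"),
    (130, 0x1000000000010022, "admin", "10.0.0.9"),
    (140, 0x1000000000010022, "admin", "10.0.0.9"),
    (150, 0x1000000000010020, "admin", "10.0.0.9"),
    (200, 0x2000000000030000, "guest", "10.0.0.7"),
    (300, 0x1000000000010040, "oper", "10.0.0.5"),
    (400, 0x1000000000010013, "admin", "console"),
    (900, 0x1000000000010022, "admin", "10.0.0.9"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The window is keyed on source rather than user on purpose: a spray across several usernames from one address (the `root` attempt above) still counts toward the same threshold. Session-end events (outcome 0x1) are deliberately ignored so that logout noise does not reset the failure counter.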

Control System Events

The following Event IDs are available for the Control System Event category:

Event ID | Event Name | Description
0x3000000000010001 | Service Start | A system service has started.
0x3000000000010002 | Service Stop | A system service has stopped.
0x3000000000010003 | Service Restart | A system service has restarted.
0x3000000000010004 | Service Died | A system service terminated unexpectedly.
0x3000000000010005 | Service Crash | A system service crashed.
0x3000000000010006 | Service Crash Restart | A crashed service was automatically restarted.
0x3000000000020001 | Link Up | Interface link became active.
0x3000000000020002 | Link Down | Interface link went down.
0x3000000000030001 | System Boot | System booted.
0x3000000000030002 | System Startup | System startup sequence initiated.
0x3000000000030003 | System Operational | System reached operational state.
0x3000000000030004 | System Shutdown | System shutdown initiated.
0x3000000000030005 | System Upgrade | System upgrade started or completed.
0x3000000000040000 | ECSC Communication Established | ECSC communication channel established.
0x3000000000040001 | TTDP Stack Ready | TTDP protocol stack is ready.
0x3000000000050002 | DHCP Client Lease Deconfig | DHCP client lease deconfigured.
0x3000000000050003 | DHCP Client Lease Renew | DHCP client lease renewed.
0x3000000000050004 | DHCP Client Lease Bound | DHCP client lease bound to an address.
0x3000000000050005 | DHCP Client Received NAK | DHCP client received a negative acknowledgment (NAK).
0x3000000000050006 | DHCP Client Lease Failed | DHCP client failed to obtain or renew a lease.
0x3000000000050100 | DHCP Server Discover | DHCP server received a discover message.
0x3000000000050101 | DHCP Server Offer | DHCP server sent an offer message.
0x3000000000050102 | DHCP Server Request | DHCP server received a request message.
0x3000000000050103 | DHCP Server Acknowledge | DHCP server sent an acknowledge message.
0x3000000000050104 | DHCP Server Release | DHCP server received a release message.
0x3000000000050105 | DHCP Server NAK | DHCP server sent a negative acknowledgment (NAK).
0x3000000000050106 | DHCP Server Decline | DHCP server received a decline message.
0x3000000000050107 | DHCP Server Inform | DHCP server received an inform message.
0x3000000000050108 | DHCP Server No Address Available | DHCP server had no address available to assign.
0x3000000000060001 | Configuration Changed | System configuration was changed.
0x3000000000070001 | Enter Maintenance Mode | System entered maintenance mode.
0x3000000000070002 | Exit Maintenance Mode | System exited maintenance mode.
0x3000000000080000 | MRP Ring OK | MRP (Media Redundancy Protocol) ring is operational.
0x3000000000080001 | MRP Ring Broken | MRP ring is broken or not operational.
0x3000000000090000 | NTP Clock Synchronized | NTP clock synchronized successfully.
0x3000000000090001 | NTP Update Failed | NTP update failed.
0x30000000000a0000 | FRNT Ring OK | FRNT ring is operational.
0x30000000000a0001 | FRNT Ring Broken | FRNT ring is broken or not operational.
0x30000000000b0000 | Duplicate IP Address | Duplicate IP address detected on the network.
0x30000000000b0001 | Duplicate MAC Address | Duplicate MAC address detected on the network.
0x30000000000b0002 | ARP New Entry | New ARP entry added.
0x30000000000b0003 | ARP Entry Changed | Existing ARP entry changed.
0x30000000000b0004 | ARP Entry Flip Flop | ARP entry is rapidly changing (flip flop detected).
0x30000000000c0000 | RICO Port State Change | RICO port state changed.
0x30000000000d0000 | ATU Full Violation | Address Translation Unit (ATU) full violation detected.
0x30000000000e0000 | Unknown IPv4 Route Install | Unknown IPv4 route installed.
0x30000000000e0001 | Unknown IPv4 Route Delete | Unknown IPv4 route deleted.
0x30000000000e0002 | Kernel IPv4 Route Install | Kernel IPv4 route installed.
0x30000000000e0003 | Kernel IPv4 Route Delete | Kernel IPv4 route deleted.
0x30000000000e0004 | Connected IPv4 Route Install | Connected IPv4 route installed.
0x30000000000e0005 | Connected IPv4 Route Delete | Connected IPv4 route deleted.
0x30000000000e0006 | Static IPv4 Route Install | Static IPv4 route installed.
0x30000000000e0007 | Static IPv4 Route Delete | Static IPv4 route deleted.
0x30000000000e0008 | RIP IPv4 Route Install | RIP (Routing Information Protocol) IPv4 route installed.
0x30000000000e0009 | RIP IPv4 Route Delete | RIP IPv4 route deleted.
0x30000000000e000a | OSPF IPv4 Route Install | OSPF (Open Shortest Path First) IPv4 route installed.
0x30000000000e000b | OSPF IPv4 Route Delete | OSPF IPv4 route deleted.
0x30000000000e000c | Kernel IPv6 Route Install | Kernel IPv6 route installed.
0x30000000000e000d | Kernel IPv6 Route Delete | Kernel IPv6 route deleted.
0x30000000000e000e | Connected IPv6 Route Install | Connected IPv6 route installed.
0x30000000000e000f | Connected IPv6 Route Delete | Connected IPv6 route deleted.
0x30000000000e0010 | Static IPv6 Route Install | Static IPv6 route installed.
0x30000000000e0011 | Static IPv6 Route Delete | Static IPv6 route deleted.
0x30000000000e0012 | RIP IPv6 Route Install | RIP IPv6 route installed.
0x30000000000e0013 | RIP IPv6 Route Delete | RIP IPv6 route deleted.
0x30000000000e0014 | OSPF IPv6 Route Install | OSPF IPv6 route installed.
0x30000000000e0015 | OSPF IPv6 Route Delete | OSPF IPv6 route deleted.
0x30000000000e0016 | Unknown IPv6 Route Install | Unknown IPv6 route installed.
0x30000000000e0017 | Unknown IPv6 Route Delete | Unknown IPv6 route deleted.
0x30000000000e0018 | Multicast IPv4 Route Install | Multicast IPv4 route installed.
0x30000000000e0019 | Multicast IPv4 Route Delete | Multicast IPv4 route deleted.
0x30000000000f0000 | Link Alarm Actived | Link alarm activated.
0x30000000000f0001 | Link Alarm Deactived | Link alarm deactivated.
0x30000000000f0002 | Temp Alarm Actived | Temperature alarm activated.
0x30000000000f0003 | Temp Alarm Deactived | Temperature alarm deactivated.
0x30000000000f0004 | Power Alarm Actived | Power alarm activated.
0x30000000000f0005 | Power Alarm Deactived | Power alarm deactivated.
0x30000000000f0006 | Digin Alarm Actived | Digital input alarm activated.
0x30000000000f0007 | Digin Alarm Deactived | Digital input alarm deactivated.
0x30000000000f0008 | Ping Alarm Actived | Ping alarm activated.
0x30000000000f0009 | Ping Alarm Deactived | Ping alarm deactivated.
0x30000000000f000a | FRNT Alarm Actived | FRNT alarm activated.
0x30000000000f000b | FRNT Alarm Deactived | FRNT alarm deactivated.
0x30000000000f000c | Ring Alarm Actived | Ring alarm activated.
0x30000000000f000d | Ring Alarm Deactived | Ring alarm deactivated.
0x30000000000f000e | Profinet Alarm Actived | Profinet alarm activated.
0x30000000000f000f | Profinet Alarm Deactived | Profinet alarm deactivated.
0x30000000000f0010 | POE Alarm Actived | Power over Ethernet (PoE) alarm activated.
0x30000000000f0011 | POE Alarm Deactived | PoE alarm deactivated.
0x30000000000f0012 | RICO Alarm Actived | RICO alarm activated.
0x30000000000f0013 | RICO Alarm Deactived | RICO alarm deactivated.
0x30000000000f0014 | Media Threshold Alarm Actived | Media threshold alarm activated.
0x30000000000f0015 | Media Threshold Alarm Deactived | Media threshold alarm deactivated.
0x30000000000f0016 | Media Plug Alarm Actived | Media plug alarm activated.
0x30000000000f0017 | Media Plug Alarm Deactived | Media plug alarm deactivated.
0x3000000000100000 | Media Plugged In | Media (e.g., USB or SD card) plugged in.
0x3000000000100001 | Media Removed | Media removed from the system.
0x3000000000100002 | Media Mounted | Media mounted and accessible.
0x3000000000100003 | Media Unmounted | Media unmounted.
0x3000000000100004 | Media Mount Failed | Failed to mount media.
0x3000000000110000 | Firewall Allow Rule Hit | Firewall allow rule matched and triggered.
0x3000000000110001 | Firewall Deny Rule Hit | Firewall deny rule matched and triggered.
0x3000000000120000 | Certificate has been revoked | A certificate has been revoked.
0x3000000000120001 | CRL distribution point not accessible | Certificate Revocation List (CRL) distribution point could not be accessed.
0x3000000000120002 | CRL expired | Certificate Revocation List (CRL) has expired.
0x3000000000120003 | CRL signature verification failed | CRL signature verification failed.
0x3000000000120004 | CRL too large for download | CRL was too large to download.
0x3000000000120005 | SSH host key management | SSH host key management event.
0x3000000000120006 | SSH host key management failure | SSH host key management failed.

Table 4: Control System Events

Note that this table only lists what can be logged; what is actually logged depends on the configuration of the system. For instance, no DHCP server events are generated if no DHCP server is configured.

Backup Restore Events

The following Event IDs are available for the Backup Restore Event category:

Event ID | Event Name | Description
0x4000000000010000 | Update Running Configuration | Update the running configuration.
0x4000000000020000 | Read Config File | Read the configuration file.
0x4000000000020001 | Read Config File Error | Error occurred while reading the configuration file.
0x4000000000020002 | Read Config File Error - JSON | JSON parsing error while reading the configuration file.
0x4000000000020003 | Read Config File Error - No Exist | Configuration file does not exist when attempting to read.
0x4000000000030000 | Validate Config File | Validate the configuration file before applying or restoring.
0x4000000000040000 | Write Config File | Write the configuration file.
0x4000000000040001 | Write Config File Error | Error occurred while writing the configuration file.
0x4000000000040002 | Write Config File Error - JSON | JSON formatting or encoding error while writing the configuration file.
0x4000000000050000 | Copied Config File - CLI | Configuration file copied via CLI command.
0x4000000000050001 | Copy Config File Error - CLI | Error occurred while copying configuration file via CLI.
0x4000000000060000 | Verify Config File Encryption | Verification of configuration file encryption status.
0x4000000000070000 | Support File Generated | Support file (for troubleshooting or backup) generated.
0x4000000000080000 | JSON Schema validation successful | Configuration file passed JSON schema validation.
0x4000000000080001 | JSON Schema validation fail | Configuration file failed JSON schema validation.
0x4000000000080002 | JSON Schema validation fail with error | Configuration file failed JSON schema validation with specific error details.
0x4000000000080003 | JSON Schema validation fail, force apply | Force apply configuration despite JSON schema validation failure.
0x4000000000080004 | JSON Schema validation fail, force copy | Force copy configuration file despite JSON schema validation failure.
0x4000000000090000 | Web Enable Config Force Apply | Enable force apply for configuration changes via web interface.
0x4000000000090001 | Web Disable Config Force Apply | Disable force apply for configuration changes via web interface.
0x4000000000090002 | Web Config Force Apply | Configuration changes applied via web interface with force.

Table 5: Backup Restore Events

Configuration Change Events

The following Event IDs are available for the Configuration Change category:

Event ID | Event Name | Description
0x5000000000020000 | LLDP | LLDP (Link Layer Discovery Protocol) configuration change.
0x5000000000020001 | LLDP Port | LLDP port-specific configuration change.
0x5000000000030000 | DHCP Server | DHCP server configuration change.
0x5000000000030001 | DHCP Server Subnet | DHCP server subnet configuration change.
0x5000000000030002 | DHCP Server Host | DHCP server host configuration change.
0x5000000000030003 | DHCP Server Route | DHCP server route configuration change.
0x5000000000030004 | DHCP Server Host Match | DHCP server host match configuration change.
0x5000000000030005 | DHCP Server Static Leases | DHCP server static leases configuration change.
0x5000000000040000 | SSH | SSH configuration change.
0x5000000000040001 | SSH Shell access | SSH shell access configuration change.
0x5000000000050000 | Telnet | Telnet configuration change.
0x5000000000060000 | Port | Port configuration change.
0x5000000000060001 | Ethernet Port | Ethernet port configuration change.
0x5000000000070000 | Ownership | Ownership configuration change.
0x5000000000080000 | System | System-wide configuration change.
0x5000000000090000 | TFTP | TFTP (Trivial File Transfer Protocol) configuration change.
0x50000000000a0000 | DNS | DNS configuration change.
0x50000000000a0001 | DNS Forward Rule | DNS forward rule configuration change.
0x50000000000a0002 | DNS Server | DNS server configuration change.
0x50000000000a0003 | DNS Host | DNS host configuration change.
0x50000000000a0004 | DNS Search Path | DNS search path configuration change.
0x50000000000b0000 | NTP | NTP (Network Time Protocol) configuration change.
0x50000000000b0001 | NTP Client | NTP client configuration change.
0x50000000000c0000 | WEB | Web interface configuration change.
0x50000000000c0001 | HTTP | HTTP configuration change.
0x50000000000c0002 | HTTPS | HTTPS configuration change.
0x50000000000d0000 | RSTP | RSTP (Rapid Spanning Tree Protocol) configuration change.
0x50000000000d0001 | RSTP Port | RSTP port configuration change.
0x50000000000e0000 | FRNT | FRNT (Fast Reconfiguration of Network Topology) configuration change.
0x50000000000e0001 | FRNT Port | FRNT port configuration change.
0x50000000000f0000 | ICMP | ICMP (Internet Control Message Protocol) configuration change.
0x5000000000100000 | Management | Management interface configuration change.
0x5000000000110000 | Password | Password configuration change.
0x5000000000120000 | VRRP | VRRP (Virtual Router Redundancy Protocol) configuration change.
0x5000000000120001 | VRRP Trigger | VRRP trigger configuration change.
0x5000000000120002 | VRRP Instance | VRRP instance configuration change.
0x5000000000120003 | VRRP Group | VRRP group configuration change.
0x5000000000130000 | RIP Interface | RIP (Routing Information Protocol) interface configuration change.
0x5000000000130001 | RIP Interface MD5 | RIP interface MD5 authentication configuration change.
0x5000000000130002 | RIP Interface Secret | RIP interface secret configuration change.
0x5000000000130003 | RIP Interface Auth | RIP interface authentication configuration change.
0x5000000000140000 | RIP | RIP configuration change.
0x5000000000140001 | RIP Network | RIP network configuration change.
0x5000000000150000 | OSPF Interface | OSPF (Open Shortest Path First) interface configuration change.
0x5000000000150001 | OSPF Interface MD5 | OSPF interface MD5 authentication configuration change.
0x5000000000150002 | OSPF Interface Secret | OSPF interface secret configuration change.
0x5000000000150003 | OSPF Interface Auth | OSPF interface authentication configuration change.
0x5000000000160000 | OSPF | OSPF configuration change.
0x5000000000160001 | OSPF Network | OSPF network configuration change.
0x5000000000160002 | OSPF Area | OSPF area configuration change.
0x5000000000160003 | OSPF Timers | OSPF timers configuration change.
0x5000000000160004 | OSPF Redistribute | OSPF route redistribution configuration change.
0x5000000000160005 | OSPF Distribute Default | OSPF distribute default configuration change.
0x5000000000170000 | PIM Interface | PIM (Protocol Independent Multicast) interface configuration change.
0x5000000000180000 | PIM | PIM configuration change.
0x5000000000180001 | PIM Rendezvous Point | PIM rendezvous point configuration change.
0x5000000000180002 | PIM Policy | PIM policy configuration change.
0x5000000000180003 | PIM SSM Prefix | PIM SSM (Source-Specific Multicast) prefix configuration change.
0x5000000000190000 | Interface | Interface configuration change.
0x5000000000190001 | Interface IPv4 | IPv4 interface configuration change.
0x5000000000190002 | Interface IPv4 Address | IPv4 address configuration change on an interface.
0x5000000000190003 | Interface IPv6 | IPv6 interface configuration change.
0x50000000001a0000 | IP | IP configuration change.
0x50000000001a0001 | IP Route | IP route configuration change.
0x50000000001a0002 | IP Multicast Route | IP multicast route configuration change.
0x50000000001a0003 | IP NAT | IP NAT (Network Address Translation) configuration change.
0x50000000001a0004 | Policy Route Match Ip | Policy route match IP configuration change.
0x50000000001a0005 | IP Policy Route Match | IP policy route match configuration change.
0x50000000001a0006 | IP Policy Route | IP policy route configuration change.
0x50000000001b0000 | Firewall | Firewall configuration change.
0x50000000001b0001 | Firewall Network | Firewall network configuration change.
0x50000000001b0002 | Firewall Rule | Firewall rule configuration change.
0x50000000001b0003 | Firewall Counter | Firewall counter configuration change.
0x50000000001b0004 | Firewall Log | Firewall log configuration change.
0x50000000001c0000 | PoE | PoE (Power over Ethernet) configuration change.
0x50000000001c0001 | PoE Port | PoE port configuration change.
0x50000000001d0000 | AAA | AAA (Authentication, Authorization, Accounting) configuration change.
0x50000000001d0001 | AAA User SSH Key | AAA user SSH key configuration change.
0x50000000001d0002 | AAA User | AAA user configuration change.
0x50000000001d0003 | AAA Local User | AAA local user configuration change.
0x50000000001d0004 | AAA Local Database | AAA local database configuration change.
0x50000000001d0005 | AAA Remote Server | AAA remote server configuration change.
0x50000000001d0006 | AAA Server Group | AAA server group configuration change.
0x50000000001d0007 | AAA Server | AAA server configuration change.
0x50000000001d0008 | AAA Method | AAA method configuration change.
0x50000000001d0009 | AAA MAC Pattern | AAA MAC pattern configuration change.
0x50000000001d000a | AAA Authentication | AAA authentication configuration change.
0x50000000001d000b | AAA 802.1x Auth Groups | AAA 802.1x authentication groups configuration change.
0x50000000001d000c | AAA MAC Auth Groups | AAA MAC authentication groups configuration change.
0x50000000001d000d | AAA Login Auth Groups | AAA login authentication groups configuration change.
0x50000000001d000e | AAA Password Policy | AAA password policy configuration change.
0x50000000001d000f | AAA Lockout Policy | AAA lockout policy configuration change.
0x50000000001e0000 | SSL | SSL (Secure Sockets Layer) configuration change.
0x50000000001e0001 | SSL Network | SSL network configuration change.
0x50000000001e0002 | SSL Pool Range | SSL pool range configuration change.
0x50000000001e0003 | SSL Internal Route | SSL internal route configuration change.
0x50000000001e0004 | SSL Client Config | SSL client configuration change.
0x50000000001f0000 | Generic Routing Encap | Generic routing encapsulation configuration change.
0x5000000000200000 | Audit Logging | Audit logging configuration change.
0x5000000000210000 | IPSec | IPSec (IP Security) configuration change.
0x5000000000210001 | IPSec Remote CA | IPSec remote CA (Certificate Authority) configuration change.
0x5000000000210002 | IPSec Protocol Port | IPSec protocol port configuration change.
0x5000000000220000 | Tunnel | Tunnel configuration change.
0x5000000000220001 | SSL Tunnel | SSL tunnel configuration change.
0x5000000000220002 | GRE Tunnel | GRE (Generic Routing Encapsulation) tunnel configuration change.
0x5000000000220003 | IPSec Tunnel | IPSec tunnel configuration change.
0x5000000000230000 | IPv6 | IPv6 configuration change.
0x5000000000230001 | IPv6 Route | IPv6 route configuration change.
0x5000000000240000 | PTP | PTP (Precision Time Protocol) configuration change.
0x5000000000240001 | PTP Clock | PTP clock configuration change.
0x5000000000240002 | PTP Parameters | PTP parameters configuration change.
0x5000000000250000 | TTDP | TTDP configuration change.
0x5000000000250001 | TTDP ECN | TTDP ECN configuration change.
0x5000000000250002 | TTDP Multicast Route | TTDP multicast route configuration change.
0x5000000000250003 | TTDP Port | TTDP port configuration change.
0x5000000000250004 | TTDP Internet | TTDP internet configuration change.
0x5000000000260000 | Watchdog | Watchdog configuration change.
0x5000000000260001 | Watchdog Monitor | Watchdog monitor configuration change.
0x5000000000270000 | VLAN | VLAN (Virtual LAN) configuration change.
0x5000000000270001 | VLAN Commons | VLAN commons configuration change.
0x5000000000270002 | VLAN dbnum | VLAN database number configuration change.
0x5000000000280000 | LAG | LAG (Link Aggregation Group) configuration change.
0x5000000000280001 | LAG LACP | LAG LACP (Link Aggregation Control Protocol) configuration change.
0x5000000000280002 | LAG TTPD | LAG TTPD configuration change.
0x5000000000280003 | LAG Port | LAG port configuration change.
0x5000000000290000 | Action | Action configuration change.
0x5000000000290001 | Action Interface | Action interface configuration change.
0x50000000002a0000 | Trigger | Trigger configuration change.
0x50000000002b0000 | Alarm | Alarm configuration change.
0x50000000002b0001 | Alarm Trigger | Alarm trigger configuration change.
0x50000000002b0002 | Alarm Action | Alarm action configuration change.
0x50000000002c0000 | Ring | Ring configuration change.
0x50000000002c0001 | Ring Port | Ring port configuration change.
0x50000000002c0002 | Ring MRP | Ring MRP (Media Redundancy Protocol) configuration change.
0x50000000002d0000 | Console | Console configuration change.
0x50000000002e0000 | RiCo | RiCo (Ring Coupling) configuration change.
0x50000000002e0001 | RiCo Coupling Port | RiCo coupling port configuration change.
0x50000000002e0002 | RiCo Subring | RiCo subring configuration change.
0x50000000002f0000 | DDNS | DDNS (Dynamic DNS) configuration change.
0x50000000002f0001 | DDNS Provider | DDNS provider configuration change.
0x50000000002f0002 | DDNS Custom Provider | DDNS custom provider configuration change.
0x50000000002f0003 | DDNS Builtin Provider | DDNS builtin provider configuration change.
0x5000000000300000 | Application Container | Application container configuration change.
0x5000000000300001 | Application Container Share | Application container share configuration change.
0x5000000000300002 | App Environment Variable | Application environment variable configuration change.
0x5000000000310000 | SNMP | SNMP (Simple Network Management Protocol) configuration change.
0x5000000000310001 | SNMP IP Address | SNMP IP address configuration change.
0x5000000000310002 | SNMP User | SNMP user configuration change.
0x5000000000310003 | SNMP Trap Host | SNMP trap host configuration change.
0x5000000000310004 | SNMP Engine ID | SNMP engine ID configuration change.
0x5000000000310005 | SNMP Ifindex Persistence | SNMP ifindex persistence configuration change.
0x5000000000310006 | SNMP Command | SNMP command configuration change.
0x5000000000320000 | Monitor | Monitor configuration change.
0x5000000000320004 | Monitor Destination | Monitor destination configuration change.
0x5000000000320006 | Monitor Source | Monitor source configuration change.
0x5000000000330000 | Serial Port | Serial port configuration change.
0x5000000000340000 | Serial Port App | Serial port application configuration change.
0x5000000000350000 | GPS | GPS configuration change.
0x5000000000360000 | HSR/PRP | HSR/PRP (High-availability Seamless Redundancy/Parallel Redundancy Protocol) configuration change.
0x5000000000360001 | HSR/PRP Statistics | HSR/PRP statistics configuration change.
0x5000000000360002 | HSR/PRP Port | HSR/PRP port configuration change.
0x5000000000360003 | HSR/PRP Pairing | HSR/PRP pairing configuration change.
0x5000000000370000 | Multicast DNS | Multicast DNS configuration change.
0x5000000000380000 | VRF | VRF (Virtual Routing and Forwarding) configuration change.
0x5000000000390001 | MPTCP | MPTCP (Multipath TCP) configuration change.
0x50000000003a0000 | Profinet | Profinet configuration change.
0x50000000003b0000 | DHCP Relay | DHCP relay configuration change.
0x50000000003b0001 | DHCP Relay Interface | DHCP relay interface configuration change.
0x50000000003b0002 | DHCP Relay Server | DHCP relay server configuration change.
0x50000000003b0003 | DHCP Relay Option 82 | DHCP relay option 82 configuration change.
0x50000000003b0004 | DHCP Relay Port | DHCP relay port configuration change.
0x50000000003c0000 | CLI | CLI (Command Line Interface) configuration change.
0x50000000003d0000 | SSDP | SSDP (Simple Service Discovery Protocol) configuration change.
0x50000000003e0000 | Metrics | Metrics configuration change.
0x50000000003f0000 | DOT1X | IEEE 802.1X (port-based network access control) configuration change.
0x50000000003f0001 | MAC auth | MAC authentication configuration change.
0x50000000003f0002 | Port Access | Port access configuration change.
0x5000000000400000 | FDB | FDB (Forwarding Database) configuration change.
0x5000000000400001 | FDB MAC | FDB MAC address configuration change.
0x5000000000400002 | FDB Group | FDB group configuration change.
0x5000000000410000 | RNRP | RNRP (Redundant Network Ring Protocol) configuration change.
0x5000000000410001 | RNRP Explicit | RNRP explicit configuration change.
0x5000000000420000 Vendor Vendor-specific configuration change.
0x5000000000430000 Policy Policy configuration change.
0x5000000000430001 Policy Network Policy network configuration change.
0x5000000000430002 Policy Rule Policy rule configuration change.
0x5000000000430003 Policy Port Policy port configuration change.
0x5000000000440000 AT Command AT command configuration change.
0x5000000000440001 AT Map AT map configuration change.
0x5000000000440002 AT Message AT message configuration change.
0x5000000000440003 AT User Message AT user message configuration change.
0x5000000000450000 Logging Logging configuration change.
0x5000000000450001 Logging Source Logging source configuration change.
0x5000000000450002 Logging Destination Logging destination configuration change.
0x5000000000450003 Logging Filter Logging filter configuration change.
0x5000000000450004 Logging Sink Logging sink configuration change.
0x5000000000460000 TRDP TRDP configuration change.
0x5000000000470000 Router Router configuration change.
0x5000000000480000 RiCh RiCh configuration change.
0x5000000000490000 Factory Reset Factory reset configuration change.
0x5000000000500000 Encrypted Secrets Encrypted secrets configuration change.
0x5000000000510000 Provisioning Provisioning configuration change.
0x5000000000520000 PKI PKI (Public Key Infrastructure) configuration change.
0x5000000000520001 PKI Server Status PKI server status configuration change.
0x5000000000520002 PKI Enroll Server PKI enroll server configuration change.
0x5000000000520003 PKI Revocation PKI certificate revocation configuration change.

Table 6: Configuration Change Events

These Event IDs are generated for any configuration change made to any configurable setting in the system. Taken together, the events under the 0x5000xxxxxxxxxxxx cluster provide a comprehensive record of such changes.

Referring to the list of auditable Event IDs, various configuration change events can be generated. Instead of having a unique Event ID for every single configuration setting, they are categorized based on the type of setting changed. For example, there are unique Event IDs for changes made to system, interfaces, ports, VLANs, DHCP-Server, etc.

As an example of a configuration change event, consider that we change a few settings under the system configuration, like this:

example:/#> configure
example:/config/#> system
example:/config/system/#> hostname MySwitch
example:/config/system/#> location My Location
example:/config/system/#> contact My Contact
example:/config/system/#> leave
MySwitch:/#>

This will now generate three different audit log entries, each carrying the Event ID for configuration changes to system, 0x5000000000080000. The generated audit log entries would look something like this:

MySwitch:/#> audit
MySwitch:/audit/#> show
╒ Audit log ring buffer, entries 1-3 of 142 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                           │
│209  2025-03-10  Notice          admin          Configuration C...  system: "contact": from 'my       │
│     12:18:44    Security        administrator  System              previous' -> 'My Contact'         │
│                                                0x5000000000080000                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────────────┤
│208  2025-03-10  Notice          admin          Configuration C...  system: "location": from 'other   │
│     12:18:44    Security        administrator  System              location' -> 'My Location'        │
│                                                0x5000000000080000                                    │
├──────────────────────────────────────────────────────────────────────────────────────────────────────┤
│207  2025-03-10  Notice          admin          Configuration C...  system: "hostname": from          │
│     12:18:44    Security        administrator  System              'example' -> 'MySwitch'           │
│                                                0x5000000000080000                                    │
└──────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 48 - Navigation: 'a' for previous page, 'd' for next page, 'q' to quit, 'r' to resize

MySwitch:/#>

As we can see they all share the same Event ID, but the message indicates the specific values that were changed. In this case we can see that we changed “contact”, “location”, and “hostname” settings under the system configuration.

Configuration Transaction Events

The following Event IDs are available for the Configuration Transaction category:

Event ID Event Name Description
0x5100000000010000 Start Start of a configuration transaction.
0x5100000000010001 Start - Error Error occurred when starting a configuration transaction.
0x5100000000020000 End End of a configuration transaction.
0x5100000000020001 End - Validation Fail Transaction ended due to a validation failure.
0x5100000000020002 End - Unchanged Transaction ended with no changes applied.
0x5100000000020003 Activation Activation of a configuration transaction.
0x5100000000020004 End - Error Transaction ended with an error.
0x5100000000030000 Abort Configuration transaction was aborted before completion.
0x5100000000040000 Lock Locking a configuration transaction to prevent concurrent changes.
0x5100000000050001 Unlock Unlocking a configuration transaction.
0x5100000000060002 Unlock - Error Error occurred when unlocking a configuration transaction.

Table 7: Configuration Transaction Events

Audit Log Events

The following Event IDs are available for the Audit Log Event category:

Event ID Event Name Description
0x6000000000010000 Display Display the audit log.
0x6000000000010001 Display Category Display audit log entries filtered by category.
0x6000000000020000 Clear Ring Buffer Clear the audit log ring buffer, removing all stored audit events.
0x6000000000030000 Reload wauditd Reload the audit daemon (wauditd).
0x6000000000040000 Export Export the audit log to an external file or destination.
0x6000000000050000 Search Search the audit log for specific entries or patterns.
0x6000000000060000 Time Search Search the audit log for entries within a specific time range.
0x6000000000070000 Display from Web Display the audit log from the web interface.
0x6000000000080000 Remote Shell Access Enabled Remote shell access was enabled (e.g., SSH or similar remote shell access).
0x6000000000080001 Remote Shell Access changed from outside CLI Remote shell access setting was changed from outside the CLI (e.g., via SSH or web).

Table 8: Audit Log Events

File System Events

The following Event IDs are available for the File System Event category:

Event ID Event Name Description
0x7000000000010000 Copy File copy operation performed.
0x7000000000010001 Copy error Error occurred during file copy operation.
0x7000000000020000 View File view operation performed (e.g., file was opened or read).
0x7000000000020001 View error Error occurred during file view operation.
0x7000000000020002 View diff File difference (diff) operation performed.
0x7000000000030000 Erase File erase (delete) operation performed.
0x7000000000030001 Erase error Error occurred during file erase (delete) operation.
0x7000000000040000 List directory Directory listing operation performed.
0x7000000000040001 List directory error Error occurred during directory listing operation.
0x7000000000050001 CRL downloaded Certificate Revocation List (CRL) file was downloaded.
0x7000000000050002 Config file created Configuration file was created.
0x7000000000050003 Certificate enrolled Certificate enrollment operation completed.
0x7000000000050004 Certificate renewed Certificate renewal operation completed.
0x7000000000050005 PKI artifact import operation PKI (Public Key Infrastructure) artifact import operation performed.
0x7000000000050006 PKI artifact generate operation PKI artifact generation operation performed.
0x7000000000050007 PKI artifact remove operation PKI artifact removal operation performed.

Table 9: File System Events

Configuration Integrity Events

The following Event IDs are available for the Configuration Integrity Event category:

Event ID Event Name Description
0x8000000000010000 Integrity Alert Integrity check failed or detected an issue.
0x8000000000020000 Integrity OK Integrity check passed; system integrity verified.
0x8000000000030000 Integrity Warning Integrity check warning; potential issue detected.
0x8000000000040000 Update Integrity Integrity was updated.
0x8000000000050000 Add to Integrity DB New entry added to the integrity database.
0x8000000000060001 CSTINFO file upload: validation successful CSTINFO file uploaded and passed validation.
0x8000000000060002 CSTINFO file upload: validation failed, syntax error CSTINFO file upload failed due to syntax error.
0x8000000000060003 CSTINFO file upload: validation failed, semantic error CSTINFO file upload failed due to semantic error.
0x8000000000060004 CSTINFO file missing - ECSP services limited CSTINFO file missing; ECSP services are limited as a result.
0x8000000000060005 CSTINFO file syntax error - ECSP services limited CSTINFO file has syntax error; ECSP services are limited.
0x8000000000060006 CSTINFO file semantic error - ECSP services limited CSTINFO file has semantic error; ECSP services are limited.
0x8000000000060007 CSTINFO file hash not stored - contents may be unreliable CSTINFO file hash not stored; file contents may be unreliable.
0x8000000000060008 CSTINFO file hash mismatch - contents may be unreliable CSTINFO file hash mismatch; file contents may be unreliable.
0x8000000000060009 CSTINFO file hash validation successful CSTINFO file hash validated successfully.

Table 10: Configuration Integrity Events

Boot Process Events

The following Event IDs are available for the Boot Process Event category:

Event ID Event Name Description
0x9000000000010000 Boot Loader Configuration Integrity Boot Loader Configuration Integrity verification status.
0x9000000000010010 ID-mem Integrity ID-mem Integrity verification status. Note: The ID-mem integrity verification should not fail during operation. If it does, this may indicate that the product definition has been manipulated.

Table 11: Boot Process Events

Syslog Message Format for Auditable Events

For each audit event, a syslog message is generated by default and sent to any configured logging destinations. For audit events, the syslog message is formatted as follows:

type="audit"; eventid=<EVENTID>; username=<USERNAME>; userid=<USERID>; userrole=<ROLE>; seqnum=<NUM>; eventidtext="<EVENT_TEXT>"; msg="<MESSAGE>";

The fields are constructed so that they are easy to parse. They are as follows:

Field Description
type The type of the message. This is always audit for audit events.
eventid The unique Event ID of the audit event; <EVENTID> is its hexadecimal representation.
username The username of the user that generated the audit event; <USERNAME> is that username.
userid The user ID of the user that generated the audit event; <USERID> is that user ID, as an integer.
userrole The role of the user that generated the audit event; <ROLE> is that role.
seqnum The sequence number of the audit event; <NUM> is that sequence number, as an integer.
eventidtext The text representation of the Event ID; <EVENT_TEXT> is the text representation of the event ID and its category.
msg A message that provides additional information about the audit event; <MESSAGE> is the event-specific message.

Example of an actual syslog message generated for an audit event, in this case a Link Up event:

type="audit"; eventid=0x3000000000020001; username=root; userid=0; userrole=system; seqnum=57; eventidtext="Control System Event - Link Up"; msg="port/interface ethX8";

Note on the Syslog Message Format

This is simply the message part of the syslog message, the header part is not included here. For information on the full syslog message format, please refer to the Logging documentation.
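As an added example, not part of this document or of the device's own software, the following Python script consumes the message part shown above. It splits each 'key=value;' field out, decodes the 64-bit Event ID into its 16-bit category and 48-bit event number, parses the msg field of Configuration Change events (category 0x5000) into section, key, old value and new value using the message form shown in the CLI example earlier (system: "contact": from 'my previous' -> 'My Contact'), flags a handful of Event IDs from the tables above that a defender would want to alert on (an emptied ring buffer, an integrity alert, boot integrity status, remote shell access enabled), and checks the seqnum field for gaps, which indicate messages lost between the device and the collector. The first sample line is the Link Up example from this document; the other two are constructed for the example. The assumption that embedded double quotes inside msg are backslash-escaped is the example's own, since the document does not state how they are escaped, and so are the category names, the high-priority selection and the keys of the result dictionary.

```python
import re
from typing import Dict, List, Tuple

# Category IDs (upper 16 bits of the 64-bit Event ID) named in this document.
CATEGORY_NAMES = {
    0x1000: "Access Control",
    0x3000: "Control System Event",
    0x5000: "Configuration Change",
    0x5100: "Configuration Transaction",
    0x6000: "Audit Log Event",
    0x7000: "File System Event",
    0x8000: "Configuration Integrity Event",
    0x9000: "Boot Process Event",
}

# Event IDs from the tables above that deserve an alert on their own.
# The selection is this example's, not a recommendation from the document.
HIGH_PRIORITY_EVENTS = {
    0x6000000000020000: "audit log ring buffer cleared",
    0x6000000000080000: "remote shell access enabled",
    0x8000000000010000: "configuration integrity alert",
    0x9000000000010000: "boot loader configuration integrity status reported",
    0x9000000000010010: "ID-mem integrity status reported",
}

# One 'key=value;' field. Quoted values may contain ';' and backslash-escaped
# double quotes (the escaping rule is an assumption of this example).
FIELD_RE = re.compile(r'\s*(\w+)=("(?:[^"\\]|\\.)*"|[^;]*);')

# Form of msg for Configuration Change events, as shown in the ring-buffer
# MESSAGE column earlier:  system: "contact": from 'my previous' -> 'My Contact'
CONFIG_CHANGE_RE = re.compile(
    r"""^(?P<section>[^:]+):\s*"(?P<key>[^"]+)":\s*from\s+'(?P<old>[^']*)'\s*->\s*'(?P<new>[^']*)'$"""
)


def parse_audit_message(line: str) -> Dict[str, str]:
    """Parse the message part of an audit syslog line into a field dict."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        value = raw.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    if fields.get("type") != "audit":
        raise ValueError("not an audit message: %r" % line)
    return fields


def split_event_id(eventid: str) -> Tuple[int, int]:
    """Split a hexadecimal Event ID into (category, event-within-category)."""
    value = int(eventid, 16)
    return value >> 48, value & ((1 << 48) - 1)


def triage(line: str) -> Dict[str, object]:
    """Decode one audit line and decide whether it needs immediate attention."""
    fields = parse_audit_message(line)
    eid = int(fields["eventid"], 16)
    category, event = split_event_id(fields["eventid"])
    result: Dict[str, object] = {
        "seqnum": int(fields["seqnum"]),
        "user": fields.get("username"),
        "role": fields.get("userrole"),
        "category": CATEGORY_NAMES.get(category, "unknown 0x%04x" % category),
        "event": event,
        "text": fields.get("eventidtext"),
        "priority": "normal",
        "reason": None,
        "change": None,
    }
    if eid in HIGH_PRIORITY_EVENTS:
        result["priority"] = "high"
        result["reason"] = HIGH_PRIORITY_EVENTS[eid]
    if category == 0x5000:
        m = CONFIG_CHANGE_RE.match(fields.get("msg", ""))
        if m:
            result["change"] = m.groupdict()
    return result


def find_sequence_gaps(seqnums: List[int]) -> List[Tuple[int, int]]:
    """Return (first missing seqnum, next seen seqnum) pairs where the
    sequence skips ahead; a gap means messages were lost or not forwarded."""
    return [(a + 1, b) for a, b in zip(seqnums, seqnums[1:]) if b != a + 1]


def triage_all(lines: List[str]) -> Tuple[List[Dict[str, object]], List[Tuple[int, int]]]:
    """Triage every line in order and report seqnum gaps across the batch."""
    results = [triage(line) for line in lines]
    gaps = find_sequence_gaps([int(r["seqnum"]) for r in results])  # type: ignore[arg-type]
    return results, gaps


# Sample input: line one is the Link Up example from this document,
# lines two and three are constructed for this example.
SAMPLE_LINES = [
    'type="audit"; eventid=0x3000000000020001; username=root; userid=0; '
    'userrole=system; seqnum=57; eventidtext="Control System Event - Link Up"; '
    'msg="port/interface ethX8";',
    'type="audit"; eventid=0x5000000000080000; username=admin; userid=1000; '
    'userrole=administrator; seqnum=58; eventidtext="Configuration Change - System"; '
    'msg="system: \\"contact\\": from \'my previous\' -> \'My Contact\'";',
    'type="audit"; eventid=0x6000000000020000; username=admin; userid=1000; '
    'userrole=administrator; seqnum=61; eventidtext="Audit Log Event - Clear Ring Buffer"; '
    'msg="Audit log ring buffer cleared from the CLI";',
]

if __name__ == "__main__":
    results, gaps = triage_all(SAMPLE_LINES)
    for r in results:
        print("seq %(seqnum)s %(priority)s %(category)s: %(text)s" % r, r["change"] or r["reason"] or "")
    for first_missing, next_seen in gaps:
        print("gap: seqnum %d missing before %d" % (first_missing, next_seen))
```

Feeding the collector's stream through triage_all in arrival order is what makes the seqnum check useful: because the device numbers every audit event regardless of whether syslog forwarding is enabled, a gap at the collector means either lost transport or a period during which forwarding was switched off, both of which a defender wants to notice.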

Tip

When setting up logging on the device, one aspect is to specify the source of the log messages. To send log messages that originate from the device itself, a source of type local is configured. This type can in turn select a number of different local sources, one of them being audit. When the audit local source is selected, only log messages that fall within these auditable events are sent to the configured logging destinations.

For more information on setting up logging sources, please refer to the Logging documentation.

If for some reason syslog messages should not be generated for the auditable events, this can be configured in the CLI. The auditable events will still be generated (unless they too are disabled) and stored in the local audit log ring buffer on the device; they will simply not be sent to syslog.

Configuration

Configuration options related to audit can be found in the top-level configuration context in the CLI:

example:/#> configure
example:/config/#> audit
example:/config/audit/#>
[no] enable [CATEGORY]

Enable or disable audit event logging

This setting controls whether audit events are logged or not. It is enabled or disabled on a per event category basis.

Default: Enabled, for all categories of audit events.

Example

Enable audit event logging for all categories:

example:/config/audit/#> enable

Disable audit event logging for all categories:

example:/config/audit/#> no enable

Enable audit event logging for a specific category:

example:/config/audit/#> enable access-control

Disable audit event logging for a specific category:

example:/config/audit/#> no enable access-control

Multiple categories can be enabled or disabled at the same time:

example:/config/audit/#> enable access-control request-error

no
Disable audit event logging. If a specific category is provided, only that category will be disabled. If no category is provided, all categories will be disabled.
CATEGORY

Based on the list of available audit event categories, this is the category to enable or disable. If no category is provided, all categories will be enabled or disabled.

TAB Completion

When providing the category, tab completion can be used to list all available categories.

[no] syslog

Enable or disable sending audit log messages to syslog

This setting controls whether audit events are sent to syslog or not.

Note

Auditable event messages are always generated, if enabled, regardless of whether they are sent to syslog or not. On the device itself, they are stored separately from the syslog messages. If the auditable events are to be sent to a logging destination, this setting must be enabled.

Default: Enabled

Example

Enable sending audit log messages to syslog:

example:/config/audit/#> syslog

Disable sending audit log messages to syslog:

example:/config/audit/#> no syslog

no
Disable sending audit log messages to syslog.

Operational Commands

Operational commands related to auditable events can be found in the audit context, located in the top-level exec context in the CLI:

example:/#> audit
example:/audit/#>
list [eventid | category]

List the audit categories and Event IDs that exist in the system.

This command lists all of the audit event categories and Event IDs that exist in the system.

Note on the Displayed Event IDs

This list shows every possible event ID and category that can be generated by the system. When these events can be generated is dependent on the configuration of the system.

Example

List all available audit event categories and event IDs:

example:/audit/#> list

eventid
List only all available audit event IDs.
category
List only all available audit event categories.
[show] status

Display basic status information about the internal audit ring buffer.

This command will display the current status of the internal audit ring buffer, including the number of entries currently stored in the buffer.

Example

Display the current status of the audit ring buffer:

example:/audit/#> status
AUDIT RING-BUFFER STATUS                                                      
Ring buffer count     : 72
Ring buffer used size : 5.41 KB
Ring buffer max size  : 1.00 MB

clear

Clear the internal audit ring buffer.

This command will clear the internal audit ring buffer, removing all locally stored audit events.

Authorized Users Only

This command is only accessible by administrator level users.

Example

Clear the internal audit ring buffer:

example:/audit/#> clear
Are you sure you want to clear the audit log? (y/N) y
Clearing audit log…
example:/audit/#>

Viewing Auditable Events

Auditable events can be accessed and viewed in the CLI, from the audit context, accessed from the top level exec context:

example:/#> audit
example:/audit/#>

By default, when show commands are executed, the CLI attempts to display the audit log in an interactive mode, which presents the log in a paginated format. If this is undesired, the entire terminal can be set to non-interactive with no interactive. Be aware that this sets non-interactive mode for the entire CLI. Simply call interactive to re-enable the interactive mode.

Interactive Mode Over Console Connection

Be aware that by default, when accessing the audit log through the CLI, the CLI will attempt to display the audit log in an interactive mode. Doing this over a console connection can be sluggish, as the output speed is limited by the baud rate of the connection.

Interactive Mode and Terminal Size

The interactive mode will attempt to display the audit log in a paginated format, based on the terminal size.

If the terminal size is not deemed large enough, the interactive mode will not be used, and the output will be displayed in a single page.

show

Display the entire internal audit ring buffer.

This command will display the entire internal audit ring buffer, showing all of the stored audit events.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entire audit ring buffer:

example:/audit/#> show
╒ Audit log ring buffer, entries 1-4 of 149 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│216  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:14    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│215  2025-03-10  Info            root           Control System …    interface vlan1 ip              │
│     12:42:57    Security        system         DHCP Client Lea…    198.18.1.101 mask 24 broadcast  │
│                                                0x3000000000050003  198.18.1.255 router 198.18.1.99 │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 38 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize
example:/#>

show last [NUMBER]

Display the last [NUMBER] entries in the internal audit ring buffer.

This command will display the last [NUMBER] entries in the internal audit ring buffer.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the last 3 entries in the audit ring buffer:

example:/audit/#> show last 3
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│216  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:14    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize
example:/#>

NUMBER
The number of entries to display, provided as an integer.
show range [START] [NUM]

Display a range of entries in the internal audit ring buffer.

This command will display [NUM] entries in the internal audit ring buffer, starting from entry [START].

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display 3 entries beginning from the 6th entry in the audit ring buffer:

example:/audit/#> show range 6 8
╒ Audit log ring buffer, entries 6-8 of 8 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize
example:/#>

show time [[YYYY-MM[-DD]] [hh:mm[:ss]]] [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer within the specified time range.

This command will display the entries in the internal audit ring buffer that fall within the specified time range.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that fall within the time range from 2025-03-10 12:48:30 to 2025-03-10 12:48:50:

example:/audit/#> show time 2025-03-10 12:48:30 2025-03-10 12:48:50
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

YYYY
The year, provided as an integer.
MM
The month, provided as an integer between 1 and 12.
DD
The day, provided as an integer between 1 and 31.
hh
The hour, provided as an integer between 0 and 23.
mm
The minute, provided as an integer between 0 and 59.
ss
The second, provided as an integer between 0 and 59.
show from [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer from the specified time.

This command will display the entries in the internal audit ring buffer that have been generated with a timestamp that falls after the specified time.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that have been generated from 2025-03-10 12:48:30:

example:/audit/#> show from 2025-03-10 12:48:30
╒ Audit log ring buffer, entries 9-12 of 12 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│220  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:50:53    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 2 of 2 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

YYYY
The year, provided as an integer.
MM
The month, provided as an integer between 1 and 12.
DD
The day, provided as an integer between 1 and 31.
hh
The hour, provided as an integer between 0 and 23.
mm
The minute, provided as an integer between 0 and 59.
ss
The second, provided as an integer between 0 and 59.
show to [[YYYY-MM[-DD]] [hh:mm[:ss]]]

Display the entries in the internal audit ring buffer to the specified time.

This command will display the entries in the internal audit ring buffer that have been generated with a timestamp that falls before the specified time.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that have been generated up to 2025-03-10 12:48:50:

example:/audit/#> show to 2025-03-10 12:48:50
╒ Audit log ring buffer, entries 1-3 of 148 ═════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE      EVENTID             MESSAGE                         │
│219  2025-03-10  Info            admin          Audit Log Event     Entire audit log displayed      │
│     12:48:46    Security        administrator  Display             from the CLI.                   │
│                                                0x6000000000010000                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│218  2025-03-10  Notice          root           Access Control      Authentication successful for   │
│     12:48:37    Auth            system         SSH login Success   user ‘admin’ from 198.18.1.99   │
│                                                0x1000000000010020                                  │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root           Access Control      SSH login exit for user         │
│     12:48:34    Auth            system         SSH login Exit      ‘admin’ from 198.18.1.99:33202  │
│                                                0x1000000000010021                                  │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 50 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

YYYY
The year, provided as an integer.
MM
The month, provided as an integer between 1 and 12.
DD
The day, provided as an integer between 1 and 31.
hh
The hour, provided as an integer between 0 and 23.
mm
The minute, provided as an integer between 0 and 59.
ss
The second, provided as an integer between 0 and 59.
show search [case] "STRING"

Display the entries in the internal audit ring buffer that contain the specified string.

This command will display the entries in the internal audit ring buffer that contain the specified string. The search string is treated as a regular expression and is matched against both the Event ID text and the message of each audit event.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that contain the string SSH login:

example:/audit/#> show search "SSH login"
╒ Audit log ring buffer, entries 1-3 of 3 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE  EVENTID             MESSAGE                             │
│218  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:48:37    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root       Access Control      SSH login exit for user ‘admin’     │
│     12:48:34    Auth            system     SSH login Exit      from 198.18.1.99:33202              │
│                                            0x1000000000010021                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│115  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:13:07    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

case
If the case argument is provided, the search will be case sensitive.
"STRING"
The string to search for, provided in double quotes. This is a free-form string that supports regular expressions.
show category CATEGORY

Display the entries in the internal audit ring buffer that belong to the specified category.

This command will display the entries in the internal audit ring buffer that belong to the specified category.

Interactive Mode

The output will, by default, be displayed in an interactive mode, if the terminal allows for it.

Example

Display the entries in the audit ring buffer that belong to the access-control category:

example:/audit/#> show category "access-control"
╒ Audit log ring buffer, entries 1-5 of 5 ═══════════════════════════════════════════════════════════╕
│SEQ  TIME        LEVEL/FACILITY  USER/ROLE  EVENTID             MESSAGE                             │
│218  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:48:37    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│217  2025-03-10  Notice          root       Access Control      SSH login exit for user ‘admin’     │
│     12:48:34    Auth            system     SSH login Exit      from 198.18.1.99:33202              │
│                                            0x1000000000010021                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│115  2025-03-10  Notice          root       Access Control      Authentication successful for user  │
│     12:13:07    Auth            system     SSH login Success   ‘admin’ from 198.18.1.99            │
│                                            0x1000000000010020                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│111  2025-03-10  Notice          admin      Access Control      CLI Domain shell exited             │
│     12:12:51    Auth            admini…    Exit CLI Shell                                          │
│                                            0x1000000000030001                                      │
├────────────────────────────────────────────────────────────────────────────────────────────────────┤
│110  2025-03-10  Notice          admin      Access Control      CLI Domain shell accessed           │
│     12:12:50    Auth            admini…    Enter CLI Shell                                         │
│                                            0x1000000000030000                                      │
└────────────────────────────────────────────────────────────────────────────────────────────────────┘
Page 1 of 1 - Navigation: ‘a’ for previous page, ‘d’ for next page, ‘q’ to quit, ‘r’ to resize

CATEGORY

The category to display, based on the available categories.

TAB Completion

The available categories can be tab completed in the CLI.

show raw

Display the raw audit log file.

This command will display the raw audit log file, showing all of the stored audit events. The output does not come from the ring buffer that holds the audit events, but from a local log file written through syslog. The entries in this file therefore have exactly the format that the audit messages have when they are sent to a remote syslog server.

Number of Entries

The number of entries stored in the raw audit log file is usually considerably smaller than the number of entries stored in the internal audit ring buffer.

Example

Display the raw audit log file:

example:/audit/#> show raw
Mar 10 12:48:34 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010021; username=root; userid=0; userrole=system; seqnum=217; eventidtext="Access Control - SSH login Exit"; msg="SSH login exit for user 'admin' from 198.18.1.99:33202";
Mar 10 12:48:37 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010020; username=root; userid=0; userrole=system; seqnum=218; eventidtext="Access Control - SSH login Success"; msg="Authentication successful for user 'admin' from 198.18.1.99";
Mar 10 12:48:46 MySwitch wauditd[1624]: type="audit"; eventid=0x6000000000010000; username=admin; userid=500; userrole=administrator; seqnum=219; eventidtext="Audit Log Event - Display"; msg="Entire audit log displayed from the CLI.";
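Because the raw file has the same format as what a remote syslog server receives, a collector can parse it directly. The following Python example is added here and is not part of the product; it splits the wauditd key=value fields, derives the category from the upper 16 bits of the Event ID (only the two category IDs visible in this document are mapped), and checks seqnum continuity and category consistency, which is the integrity check a collector would want. The sample lines are the three entries from the output above.

```python
import re
from typing import Dict, List, Optional

# Sample input: the three "show raw" lines shown in this document.
SAMPLE_RAW = """\
Mar 10 12:48:34 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010021; username=root; userid=0; userrole=system; seqnum=217; eventidtext="Access Control - SSH login Exit"; msg="SSH login exit for user 'admin' from 198.18.1.99:33202";
Mar 10 12:48:37 MySwitch wauditd[1624]: type="audit"; eventid=0x1000000000010020; username=root; userid=0; userrole=system; seqnum=218; eventidtext="Access Control - SSH login Success"; msg="Authentication successful for user 'admin' from 198.18.1.99";
Mar 10 12:48:46 MySwitch wauditd[1624]: type="audit"; eventid=0x6000000000010000; username=admin; userid=500; userrole=administrator; seqnum=219; eventidtext="Audit Log Event - Display"; msg="Entire audit log displayed from the CLI.";
"""

# Category IDs (upper 16 bits of the 64-bit Event ID) that appear in this document.
CATEGORIES = {0x1000: "Access Control", 0x6000: "Audit Log Event"}

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) wauditd\[(?P<pid>\d+)\]: (?P<body>.*)$")
# One 'key=value;' field; quoted values may contain ';' so the quoted form is tried first.
FIELD_RE = re.compile(r'\s*(\w+)=(?:"([^"]*)"|([^;]*));')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one wauditd syslog line into a dict of its fields; None if not an audit line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"], "pid": m["pid"]}
    pos, body = 0, m["body"]
    while pos < len(body):  # walk the fields left to right, never scanning inside a quoted value
        f = FIELD_RE.match(body, pos)
        if not f:
            break
        key, quoted, bare = f.groups()
        rec[key] = quoted if quoted is not None else bare.strip()
        pos = f.end()
    return rec


def audit_records(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r and r.get("type") == "audit"]


def category_of(eventid: int) -> str:
    """Category name from the upper 16 bits of the Event ID."""
    return CATEGORIES.get(eventid >> 48, f"unknown(0x{eventid >> 48:04x})")


def check_records(records: List[Dict[str, str]]) -> List[str]:
    """Flag seqnum gaps (missing entries) and eventidtext that disagrees with the Event ID category."""
    problems = []
    seqs = [int(r["seqnum"]) for r in records]
    for prev, cur in zip(seqs, seqs[1:]):
        if cur != prev + 1:
            problems.append(f"seqnum gap: {prev} -> {cur}")
    for r in records:
        cat = category_of(int(r["eventid"], 16))
        if not r["eventidtext"].startswith(cat):
            problems.append(f"seqnum {r['seqnum']}: eventidtext '{r['eventidtext']}' is not in category {cat}")
    return problems
```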