© Copyright Lenovo 2015

Switch Oper equivalent
CN4093(config)# snmp-server user 5 name usr (Configure the user)
CN4093(config)# snmp-server access 4 name opergrp (Configure access group 3)
CN4093(config)# snmp-server access 4 read-view oper
CN4093(config)# snmp-server access 4 write-view oper
CN4093(config)# snmp-server access 4 notify-view oper
CN4093(config)# snmp-server group 4 user-name oper (Assign oper to access group 4)
CN4093(config)# snmp-server group 4 group-name opergrp
CN4093(config)# snmp-server view 20 name oper (Create views for oper)
CN4093(config)# snmp-server view 20 tree 1.3.6.1.4.1.1872.2.5.1.2
CN4093(config)# snmp-server view 21 name oper
CN4093(config)# snmp-server view 21 tree 1.3.6.1.4.1.1872.2.5.1.3 (Agent information)
CN4093(config)# snmp-server view 22 name oper
CN4093(config)# snmp-server view 22 tree 1.3.6.1.4.1.1872.2.5.2.2 (L2 statistics)
CN4093(config)# snmp-server view 23 name oper
CN4093(config)# snmp-server view 23 tree 1.3.6.1.4.1.1872.2.5.2.3 (L2 information)
CN4093(config)# snmp-server view 24 name oper
CN4093(config)# snmp-server view 24 tree 1.3.6.1.4.1.1872.2.5.2.3 (L3 statistics)
CN4093(config)# snmp-server view 25 name oper
CN4093(config)# snmp-server view 25 tree 1.3.6.1.4.1.1872.2.5.3.3 (L3 information)

Secure Audit Logging
Flex System managers may use the authentication and encryption protocols of
SNMPv3 to securely audit the switch. The audit logs record activity and severity
for the overall system, user, and application processes. These logs can be used to
trace a user's actions, monitor switch alerts, and confirm intrusion detection.
Networking OS uses SNMPv3 authorization to forward the logs securely to the
management tool via the chassis management module (CMM). The switch
supports both retrieving the logs via SNMP 'Get' requests and forwarding
event logs via SNMP traps. Supported management tools are xHMC and other
security information and event management (SIEM) tools such as QRadar.
Security audit logging refers to the following event types:
NTP Server/DHCP server configuration changes
Switch management IP address changes
OSPF/BGP/RIP authentication changes
Software Resource alert: ARP Table/IP table/Route table/OSPF table full
L3 Link down/up
Note: Audit logging is enabled by default and cannot be disabled. The audit logs
are accessed remotely via SNMPv3 hosts.
Use the following commands to locally manage the logs:
CN4093(config)# show sal reverse (Display most recent logs first)
CN4093(config)# clear sal (Clear audit logs)
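
The Switch Oper equivalent commands on this page link a user, a group mapping, an access entry and a set of views by name. The following is an added example, not Lenovo code: it parses those snmp-server commands and reports name references that do not resolve and view entries that repeat the same subtree. The names SAMPLE, CMD, parse and audit are hypothetical, and the sample input is the command list as printed on this page.

```python
import re
from collections import defaultdict
# Sample input: the oper-equivalent commands listed on this page, prompt removed.
SAMPLE = """\
snmp-server user 5 name usr
snmp-server access 4 name opergrp
snmp-server access 4 read-view oper
snmp-server access 4 write-view oper
snmp-server access 4 notify-view oper
snmp-server group 4 user-name oper
snmp-server group 4 group-name opergrp
snmp-server view 20 name oper
snmp-server view 20 tree 1.3.6.1.4.1.1872.2.5.1.2
snmp-server view 21 name oper
snmp-server view 21 tree 1.3.6.1.4.1.1872.2.5.1.3
snmp-server view 22 name oper
snmp-server view 22 tree 1.3.6.1.4.1.1872.2.5.2.2
snmp-server view 23 name oper
snmp-server view 23 tree 1.3.6.1.4.1.1872.2.5.2.3
snmp-server view 24 name oper
snmp-server view 24 tree 1.3.6.1.4.1.1872.2.5.2.3
snmp-server view 25 name oper
snmp-server view 25 tree 1.3.6.1.4.1.1872.2.5.3.3
"""
CMD = re.compile(r"snmp-server (user|access|group|view) (\d+) (\S+) (\S+)")

def parse(text):
    """Return {table: {index: {keyword: value}}}; hypothetical helper."""
    tables = defaultdict(lambda: defaultdict(dict))
    for table, idx, key, value in CMD.findall(text):
        tables[table][int(idx)][key] = value
    return tables

def audit(text):
    """Report name references that do not resolve and repeated view subtrees."""
    t, findings, seen = parse(text), [], {}
    names = {k: {e.get("name") for e in t[k].values()} for k in ("user", "access", "view")}
    refs = [("group", "user-name", "user"), ("group", "group-name", "access")]
    refs += [("access", k, "view") for k in ("read-view", "write-view", "notify-view")]
    for table, key, target in refs:
        for idx, entry in sorted(t[table].items()):
            if key in entry and entry[key] not in names[target]:
                findings.append(f"{table} {idx}: {key} {entry[key]} has no matching {target} entry")
    for idx, view in sorted(t["view"].items()):
        subtree = (view.get("name"), view.get("tree"))
        if subtree in seen:
            findings.append(f"view {idx}: same name and tree as view {seen[subtree]}")
        seen.setdefault(subtree, idx)
    return findings
```

Run against the commands as printed, `audit(SAMPLE)` returns two findings: group 4 maps user-name oper while the only user entry is named usr, and views 23 and 24 carry the same tree.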
Chapter 37: Simple Network Management Protocol