Secure Audit Logging
© Copyright Lenovo 2018
Flex System managers may use the authentication and encryption protocols of
SNMPv3 to securely audit the switch. The audit logs record activity and severity
for the overall system, user, and application processes. These logs can be used to
trace a user's actions, monitor switch alerts, and confirm intrusion detection.
Networking OS uses SNMPv3 authorization to forward the logs securely to the
management tool via the chassis management module (CMM). The switch
supports both retrieving the logs via SNMP 'Get' requests and forwarding
event logs via SNMP traps. Supported management tools are xHMC and other
security information and event management (SIEM) tools such as QRadar.
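An added example, not taken from the Lenovo documentation: a Python check that a collector-side operator could run over captured UDP payloads to confirm that audit traps arrive as SNMPv3 with both authentication and encryption (authPriv), by reading the msgFlags octet of the message header. The sample messages are constructed, and the function and variable names are chosen here for illustration.

```python
# Added example: classify the security level of one SNMP message (UDP payload).
AUTH, PRIV = 0x01, 0x02  # msgFlags bits from RFC 3412

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def snmp_security_level(payload):
    """Return noAuthNoPriv, authNoPriv, authPriv, or not-snmpv3."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02 or int.from_bytes(version, "big") != 3:
        return "not-snmpv3"  # v1/v2c: cleartext community, no encryption
    tag, header, _ = read_tlv(msg, pos)  # msgGlobalData
    hpos = 0
    for _ in range(2):  # skip msgID and msgMaxSize
        _, _, hpos = read_tlv(header, hpos)
    tag, flags, _ = read_tlv(header, hpos)
    if tag != 0x04 or len(flags) != 1:
        raise ValueError("malformed msgFlags")
    auth, priv = flags[0] & AUTH, flags[0] & PRIV
    if priv and not auth:
        raise ValueError("invalid msgFlags: priv without auth")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"

def sample_message(flags):
    """Constructed SNMPv3 message with empty security parameters and body."""
    return (bytes.fromhex("3016020103300d020101020205c00401") + bytes([flags])
            + bytes.fromhex("02010304000400"))

# Constructed SNMPv2c message (version field 1, community "public").
SAMPLE_V2C = bytes.fromhex("300d020101") + b"\x04\x06public" + b"\xa0\x00"

if __name__ == "__main__":
    for name, raw in [("authPriv trap", sample_message(0x03)),
                      ("auth-only trap", sample_message(0x01)),
                      ("v2c trap", SAMPLE_V2C)]:
        print(name, "->", snmp_security_level(raw))
```

Anything other than authPriv on the path to the management tool means the audit records are readable or forgeable in transit and is worth an alert on the collector.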
Security audit logging refers to the following event types:
NTP Server/DHCP server configuration changes
Switch management IP address changes
OSPF/BGP/RIP authentication changes
Software Resource alert: ARP Table/IP table/Route table/OSPF table full
L3 Link down/up
Note: Audit logging is enabled by default and cannot be disabled. The audit logs
are accessed remotely via SNMPv3 hosts.
Use the following commands to locally manage the logs:
NE2552E(config)# show sal reverse    (Display most recent logs first)
NE2552E(config)# clear sal           (Clear audit logs)
Chapter 34: Simple Network Management Protocol