Configuring An Audit Log For Specific Event Classes - Brocade Communications Systems 1606 Administrator's Manual
Fabric os administrator's guide v6.4.0 (53-1001763-01, june 2010)
Hide thumbs
Also See for 1606:
- Command reference manual (988 pages) ,
- Reference (792 pages) ,
- Administrator's manual (592 pages)
Table of Contents
Advertisement
1. Set up an external host machine with a system message log daemon running to receive the
2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to
3. Ensure the network is configured with a network connection between the switch and the
4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see
Configuring an audit log for specific event classes
1. Connect to the switch from which you want to generate an audit log and log in using an account
2. Enter the auditCfg
3. Enter the auditCfg
4. Enter the auditCfg
5. Verify the audit event log setup by making a change affecting an enabled event class and
Example of the SYSLOG (system message log) output for audit logging
Fabric OS Administrator's Guide
53-1001763-01
audit events that will be generated.
add the IP address of the host machine so that it can receive the audit events.
You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command.
remote host.
some of the audit messages.
assigned to the admin role.
class command, which defines the specific event classes to be filtered.
--
switch:admin> auditcfg --class 2,4
Audit filter is configured.
The auditCfg event class operands are identified in
enable command, which enables audit event logging based on the
--
classes configured in
step
switch:admin> auditcfg --enable
Audit filter is enabled.
To disable an audit event configuration, enter the auditCfg
show command to view the filter configuration and confirm that the
--
correct event classes are being audited, and the correct filter state appears (enabled or
disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
confirming that the remote host machine receives the audit event messages.
Oct 10 08:52:06 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:20:19 (GMT),
[SEC-3020], INFO, SECURITY, admin/admin/10.3.220.13/telnet/CLI,
ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login
attempt via REMOTE, IP Addr: 10.3.220.13.
Oct 10 08:52:23 10.3.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN
10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed
successfully. All config parameters are uploaded.
Oct 10 09:00:04 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT),
[SEC-3021], INFO, SECURITY, admin/NONE/10.3.220.13/None/CLI, None/ras007/FID
128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP
Addr: 10.3.220.13.
2.
Audit log configuration
Table 7
on page 60.
disable command.
--
3
61
Advertisement
Table of Contents
