Manualshelf

Users Guide

ManualsBrandsDell ManualsComputer equipmentBrocade M5424
101102103104105106107108109110
Fabric OS Administrator’s Guide 109
53-1002920-02
Audit log configuration
3
Verifying host syslog prior to configuring the audit log
Audit logging assumes that your syslog is operational and running. Before configuring an audit log,
you must perform the following steps to ensure that the host syslog is operational.
1. Set up an external host machine with a system message log daemon running to receive the
audit events that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to
add the IP address of the host machine so that it can receive the audit events.
You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command.
3. Ensure the network is configured with a network connection between the switch and the
remote host.
4. Check the host syslog configuration. If all error levels are not configured, you may not see some
of the audit messages.
Configuring an audit log for specific event classes
1. Connect to the switch from which you want to generate an audit log and log in using an account
with admin permissions.
2. Enter the auditCfg --class command, which defines the specific event classes to be filtered.
switch:admin> auditcfg --class 2,4
Audit filter is configured.
3. Enter the auditCfg --enable command, which enables audit event logging based on the classes
configured in step 2.
switch:admin> auditcfg --enable
Audit filter is enabled.
To disable an audit event configuration, enter the auditCfg --disable command.
4. Enter the auditCfg --show command to view the filter configuration and confirm that the
correct event classes are being audited, and the correct filter state appears (enabled or
disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. Enter the auditDump -s command to confirm that the audit messages are being generated.
Example of the syslog (system message log) output for audit logging
Oct 10 08:52:06 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:20:19 (GMT),
[SEC-3020], INFO, SECURITY, admin/admin/10.3.220.13/telnet/CLI,
ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login
attempt via REMOTE, IP Addr: 10.3.220.13.
Oct 10 08:52:23 10.3.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN
10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed
successfully. All config parameters are uploaded.