Monitoring the Audit Log

This chapter describes how to monitor authentication activity and privileged operation events in the audit log. JUNOScope auditable events are stored in the JUNOScope database and are subsequently sent to the system log server and an optional RADIUS accounting server if one is configured (see Figure 6).

Figure 6: JUNOScope Security-Enhanced Sensitive Data Logging

Authentication activity events include the following:

• User logs in
• Login attempt failures because of an invalid username and/or password
• User logs out
• User session times out

Privileged operation events are user actions that change information in the JUNOScope system or in the network. Privileged events include the following:

• Configuration is committed on a device from the Configuration Editor
• Configuration is archived from a device
• Configuration is restored to a device
• User account is created
• User account is deleted
• User password is changed
• Device is added
• Device is deleted
• Label association is changed
• Access method is changed
• Authentication information is changed

Each audit record includes the date and time, event category, event type, username, and client IP address.

In addition to the internal audit log, audit events are also forwarded to the local syslog server and the configured RADIUS server (if any) as RADIUS accounting messages.

You must have superuser permission to view the audit log.

This chapter includes the following topic:

• Displaying the Audit Log