Understanding Audit Logs in Security Director

The Audit Logs feature in Security Director enables you to track login history, device management tasks, services that were provisioned on devices, and other user-initiated tasks. Tasks that are not initiated by users, such as device-driven activities like resynchronization of network elements, are not recorded in audit logs.

Administrators can use audit logs to review events. For example, administrators can identify the user accounts associated with an event, determine the chronological sequence of events—that is, what happened before and during an event—, and so on.

Note Security Director also tracks all externally initiated non-READ REST APIs, and login and logout APIs.

Administrators can sort and filter audit logs. For example, administrators can use audit log filtering to track user accounts that were added on a specific date, track configuration changes across a particular type of device, view services that were provisioned on specific devices, monitor user login and logout activities over time, and so on.

Note To use the audit log service to monitor user requests and track changes initiated by users, you must be assigned the Audit Log Administrator role.

You can manage the volume of audit log data stored by purging log files from the Junos Space database without archiving them or by purging log files after archiving them. When you archive logs before purging them, the archived log files are saved in a single file in compressed comma-separated values (CSV) format (extension .csv.gz). Audit logs can be archived locally (on the active node in the Junos Space fabric) or to a remote server. When you archive data locally, the archived log files are saved in the /var/lib/mysql/archive directory on the active Junos Space node.

You can schedule the purging of audit logs (with or without prior archiving) for a later date and schedule the purging on a recurring basis.

You can export audit logs in CSV format without purging them from the system.