Understanding Searching and Sorting Audit Log


An audit administrator analyzes the audit trail, reviews individual audit records, and deletes the audit trail for maintenance purposes. The search and sort capability gives the audit administrator an efficient way to view the pertinent audit information, which helps in identifying potential security violations and taking action against possible security breaches. The audit log can be viewed by all administrators (such as the Audit, Cryptographic, Security, and IDS administrators). An IDS audit log can be viewed only by the IDS audit administrator.

The security administrator can configure which events are audited and set thresholds whose crossing could indicate a potential security violation. The device monitors the occurrences of these events and notifies the administrator after an event has occurred or a configured threshold has been reached.

The audit administrator can search or group the audit log data based on the following:

  • Destination subject identity

  • Source subject identity

  • Range of date, time, user identities, subject service identifiers, or Transport Layer protocol

  • Rule identity

  • User identity

  • Network interface

  • Success of auditable security events

  • Failure of auditable security events
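The following Python script is an added example, not code from the device or its documentation. It shows the search criteria listed above (source and destination identity, date and time range, user, interface, transport protocol, and success or failure of an event) applied to a few constructed audit records, plus the threshold check described earlier: a per-user sliding-window count of failed logins that raises an alert once a configured count is reached. The key=value record syntax, the field names, and the sample records are all assumptions made for the illustration and are not the device's actual audit log format.

```python
"""Search, sort and threshold-check audit log records.

Added example; not code from the device or its documentation. The record
format below is a constructed, simplified key=value syntax chosen for the
illustration, not the device's actual audit log format.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records (not captured from a real device).
SAMPLE_LOG = """\
2024-03-01T09:00:05 user=alice   src=10.0.0.5    dst=192.0.2.1 iface=ge-0/0/0 proto=tcp event=login         result=success
2024-03-01T09:00:40 user=mallory src=198.51.100.7 dst=192.0.2.1 iface=ge-0/0/1 proto=tcp event=login         result=failure
2024-03-01T09:01:02 user=mallory src=198.51.100.7 dst=192.0.2.1 iface=ge-0/0/1 proto=tcp event=login         result=failure
2024-03-01T09:01:30 user=mallory src=198.51.100.7 dst=192.0.2.1 iface=ge-0/0/1 proto=tcp event=login         result=failure
2024-03-01T09:02:11 user=bob     src=10.0.0.9    dst=192.0.2.1 iface=ge-0/0/0 proto=tcp event=config-commit result=success
2024-03-01T09:03:00 user=alice   src=10.0.0.5    dst=192.0.2.1 iface=ge-0/0/0 proto=udp event=config-commit result=failure
"""


def parse(lines):
    """Parse key=value audit records into dicts with a datetime 'time' field."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        stamp, *fields = line.split()
        rec = {"time": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def _as_time(value):
    """Accept either an ISO-8601 string or a datetime (or None)."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def search(records, start=None, end=None, **filters):
    """Return records matching every given field (user, src, dst, iface,
    proto, event, result) and lying inside the optional inclusive
    [start, end] window, sorted oldest first."""
    start, end = _as_time(start), _as_time(end)
    hits = []
    for rec in records:
        if start is not None and rec["time"] < start:
            continue
        if end is not None and rec["time"] > end:
            continue
        if any(rec.get(key) != value for key, value in filters.items()):
            continue
        hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])


def group_by(records, key):
    """Group records by one field, e.g. 'user' or 'iface'."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[key]].append(rec)
    return dict(groups)


def threshold_alerts(records, threshold, window_seconds, **match):
    """Per-user sliding-window count of records matching `match`.

    Returns (user, ISO time) for the moment each user's count of matching
    events within `window_seconds` first reaches `threshold`.
    """
    alerts = []
    alerted = set()
    recent = defaultdict(deque)          # user -> timestamps inside the window
    for rec in search(records, **match):  # search() already sorts by time
        window = recent[rec["user"]]
        window.append(rec["time"])
        while (rec["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and rec["user"] not in alerted:
            alerted.add(rec["user"])
            alerts.append((rec["user"], rec["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for user, items in group_by(search(recs, result="failure"), "user").items():
        print(f"{user}: {len(items)} failed event(s)")
    # Three failed logins by one user within two minutes triggers an alert.
    print(threshold_alerts(recs, 3, 120, event="login", result="failure"))
```

The threshold helper reuses the search function so that the same filters (event type, result, interface, protocol) that narrow a manual review also define what the automated monitor counts; shrinking the window or raising the count tunes the sensitivity without touching the parser.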

Note
  • The device sends an alarm to the console or the security alarm system when the in-memory audit event log exceeds the limit configured by the security administrator. The device then overwrites the oldest log messages with new audit event log messages, so records that are not exported before the limit is reached are lost.

  • During a system reboot the device commits the existing configuration, including login classes. Therefore, the audit log will contain entries for all user-defined classes indicating that they have been modified, even though no administrator changed them.