Monitoring and Maintaining the Audit Log

This chapter describes how to monitor authentication activity and privileged operation events in the audit log. JUNOScope auditable events are stored in the JUNOScope database and are subsequently sent to the system log server and an optional RADIUS accounting server if one is configured (see Figure 11). This chapter also describes how to purge the audit log table, after audit log records accumulate over a period of time, to reclaim disk space on the JUNOScope server.

Figure 11: JUNOScope Security-Enhanced Sensitive Data Logging

Authentication activity events include the following:

• User logs in
• Login attempt failures because of an invalid username and/or password
• User logs out
• User session times out

Privileged operation events are user actions that change information in the JUNOScope system or in the network. Privileged events include the following:

• Configuration is committed on a device from the Configuration Editor
• Configuration is archived from a device
• Configuration is restored to a device
• User account is created
• User account is deleted
• User password is changed
• Device is added
• Device is deleted
• Label association is changed
• Access method is changed
• Authentication information is changed

Each audit record includes the date and time, event category, event type, username, and client IP address.

In addition to the internal audit log, audit events are also forwarded to the local syslog server and the configured RADIUS server (if any) as RADIUS accounting messages.

You must have superuser permission to view the audit log.

This chapter includes the following topic:

• Displaying the Audit Log
• Purging the Audit Log Table

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.