Audit Events Generated by the Appliance CLI

You can audit various actions taken on the appliance, such as all shutdown and startup events, all login/logout attempts, SSH connection attempts from an IP address that is not allowlisted (see Manage SSH Connections by Allowlisting an IP), and all commands executed by users on the nsshell (except configure and exit). All commands are logged whether or not they succeed.

As a security measure, you can forward all the appliance command logs to your syslog or SIEM server. Currently, TCP and UDP-based syslog are supported.

To configure the syslog server destination:

  1. Open nsshell to the appliance and enter these commands:
    add audit-logging destinations
    #{server response should be} added index 0
    
    set audit-logging destinations 0 host <hostname>
    set audit-logging destinations 0 port <port number>
    set audit-logging destinations 0 protocol [TCP | UDP]
    set audit-logging enable true

    Tip

    Enter false in the last command to turn off this feature.

  2. Once enabled, review the log file on the system specified in the host and port commands.

Output Format

<Date> <Time> <Syslog Facility> {"user": <username>, "cmd": <log message or command>, "mode":<auth | config | op>}
  • Date: the date on which the event was logged
  • Time: the time at which the event was logged
  • Syslog Facility: the appliance uses facility 14, which is “log alert”
  • cmd: the content depends on the “mode” (see next).

    If the mode is “auth”, cmd contains the log message related to authentication activity (log in, log out). If the mode is “config” or “op”, it contains the actual CLI command that was run.

  • mode: indicates the mode in which the command was run. These modes are available:
    • auth: activity as recorded in /var/log/auth.log (log in attempts etc.)
    • config: CLI mode that allows the user to configure various settings
    • op: OP mode for operational commands such as show, restart, status etc.
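The following added example (not part of this documentation or the appliance's own tooling) parses forwarded audit lines in the format above and raises alerts for two events a SIEM operator would want to see: a config-mode command that turns audit forwarding off, and a failed authentication. The sample lines, the user names, the IP addresses and the auth.log-style message wording are constructed; the line layout, the mode values and the `set audit-logging enable false` command come from the page.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample lines in the documented shape:
# <Date> <Time> <Syslog Facility> {"user": ..., "cmd": ..., "mode": ...}
SAMPLE_LINES = [
    '2024-05-01 09:14:02 14 {"user": "nsadmin", "cmd": "Accepted password for nsadmin from 10.0.0.5", "mode": "auth"}',
    '2024-05-01 09:14:30 14 {"user": "nsadmin", "cmd": "show status", "mode": "op"}',
    '2024-05-01 09:15:11 14 {"user": "nsadmin", "cmd": "set audit-logging enable false", "mode": "config"}',
    '2024-05-01 09:16:00 14 {"user": "guest", "cmd": "Failed password for guest from 203.0.113.7", "mode": "auth"}',
    'this line is not in the documented format',
]

# date, time, numeric facility, then the JSON object that holds user/cmd/mode
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d+)\s+(\{.*\})\s*$')
VALID_MODES = ("auth", "config", "op")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one forwarded audit line; return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, facility, payload = m.groups()
    try:
        body = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if body.get("mode") not in VALID_MODES:
        return None
    return {"date": date, "time": time, "facility": facility,
            "user": str(body.get("user", "")), "cmd": str(body.get("cmd", "")),
            "mode": body["mode"]}


def find_alerts(lines: List[str]) -> List[str]:
    """Return human-readable alerts for events worth escalating from a SIEM."""
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as events
        when = f"{ev['date']} {ev['time']}"
        if ev["mode"] == "config" and ev["cmd"].strip() == "set audit-logging enable false":
            alerts.append(f"audit forwarding disabled by {ev['user']} at {when}")
        elif ev["mode"] == "auth" and ev["cmd"].startswith("Failed password"):
            alerts.append(f"failed login for {ev['user']} at {when}")
    return alerts
```

Because the disable command is itself forwarded before forwarding stops, it is the last line the syslog server receives for that session, which makes it a reliable trigger for this check.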