Consolidating audit-trail logs to an external server

Article ID: 168027

Products

XOS

Issue/Introduction

Changing syslog.conf for audit-trail logs

Sometimes customers want to send audit-trail logs to an external server to consolidate logging in the network.

By default, all the CLI changes are logged in the /var/log/audit_trail.log file on the CPM. It is possible to see these changes by using the "show audit-trail" command.

Cause

This article describes how to change the /etc/syslog.conf file on the CPM in order to send all audit-trail logs to an external server.

Resolution

Procedure to send the audit_trail log to an external server

Audit logging is controlled by syslogd. Crossbeam uses a reserved facility (local6) to send audit-trail messages.

# tail -1 /etc/syslog.conf
local6.* /var/log/audit_trail.log

Instead of a local file, you can specify an external server to which the audit logs are sent. For example:

local6.* @server.com

You must add the server IP address and hostname to the /etc/hosts file and then restart the syslogd process.

# echo "IP server.com" >> /etc/hosts
# service syslogd restart
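
To check the result of the procedure above, the following added example (not vendor code) lists every destination configured for the local6 facility and reports whether each remote host has an entry in the hosts file. The function name audit_trail_targets and the address 192.0.2.10 are assumptions made for this illustration; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): report where syslogd sends local6
# (audit-trail) messages and whether each remote host is in the hosts file.
# Usage: audit_trail_targets [syslog.conf path] [hosts path]
# Returns 0 only if at least one remote target has a hosts entry.
audit_trail_targets() {
    conf=${1:-/etc/syslog.conf}
    hosts=${2:-/etc/hosts}
    found_remote=1
    # Selector is field 1, action is field 2; comment lines are ignored.
    actions=$(awk '!/^[[:space:]]*#/ && $1 ~ /(^|[;,])local6\./ { print $2 }' "$conf")
    for action in $actions; do
        case $action in
            @*)
                host=${action#@}
                # hosts entries are "address name [alias...]": compare name
                # fields only, after stripping any trailing comment.
                if awk -v h="$host" '{ sub(/#.*/, "")
                        for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
                        END { exit !ok }' "$hosts"; then
                    echo "remote $host resolvable"
                    found_remote=0
                else
                    echo "remote $host missing-from-hosts"
                fi
                ;;
            *)
                # Anything else (a file path, for instance) stays on the CPM.
                echo "local $action"
                ;;
        esac
    done
    return $found_remote
}

# Constructed sample files; 192.0.2.10 is a documentation-range address.
demo=$(mktemp -d)
printf 'local6.* @server.com\n' > "$demo/syslog.conf"
printf '192.0.2.10 server.com\n' > "$demo/hosts"
audit_trail_targets "$demo/syslog.conf" "$demo/hosts" || echo "no usable remote target"
rm -rf "$demo"
```

Run without arguments on the CPM, it reads /etc/syslog.conf and /etc/hosts; a non-zero exit status means audit-trail messages are not leaving the box.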

Workaround

N/A