Using Audit Logs
The Audit logs record AAA (Authentication, Authorization, and Accounting) events. Most information is at the debug or trace level.
Example of Audit Log Entries:
- In this example, the log shows when a user (for example, admin):
  - Logged in to the web interface of the appliance.
  - Logged out of the web interface of the appliance.

Tue Aug 25 12:33:17 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Destination IP: 192.168.2.2, Event: Successful login
Tue Aug 25 12:33:17 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Event: Session established successfully
Tue Aug 25 12:33:58 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Event: User logged out
Tue Aug 25 12:33:58 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Event: Session terminated
- In this example, the log shows that a user (for example, admin) entered the logconfig CLI command.

Thu Oct 8 13:33:38 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: User input was 'logconfig'
Thu Oct 8 13:33:46 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: User input was 'Enter'
- In this example, the log shows that a user (for example, admin) viewed the GUI pages on the legacy web interface of the appliance.

Thu Oct 8 13:35:07 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Location: /network/dns, Event: User visited the web page.
- In this example, the log shows that a new user (for example, admin) is added to the appliance using the web interface, but the changes are not committed.

Thu Oct 8 13:36:30 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Location: /system_administration/access/users, Event: Added user "admin" and changes will reflect after commit.
Thu Oct 8 13:37:22 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Location: /system_administration/access/users, Event: Deleted user "admin" and changes will reflect after commit.
- In this example, the log shows that a user (for example, admin) discarded all the changes that were not committed on the web interface of the appliance.

Thu Oct 8 13:39:44 2020 Info: Appliance: mail1.example.com, Interaction Mode: GUI, User: admin, Source IP: 192.168.1.1, Location: /commit, Event: User discarded all uncommitted changes.
- In this example, the log shows that a user (for example, admin) discarded all the changes that were not committed through the CLI.

Thu Oct 8 13:41:38 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: User discarded all uncommitted changes.
- In this example, the log shows that a user (for example, admin) made configuration changes to the Web UI session timeout.

Note: You can view more details of the configuration changes made in your appliance by viewing the Configuration History Logs or by enabling the debug mode for the audit logs.

Thu Oct 8 13:45:46 2020 Info: Appliance: mail1.example.com, User: admin, Event: The following configuration changes were commited with comment - 'N/A'
Thu Oct 8 13:45:46 2020 Info: * [standalone] Number of seconds before the Web UI session times out.
- In this example, the log shows that the AsyncOS APIs could not fetch the log subscriptions because the authentication failed.

Thu Oct 8 13:52:28 2020 Debug: 08/Oct/2020 13:52:28 +0000 Error - Code: 401, Details: Unauthorized (No permission -- see authorization schemes)
Thu Oct 8 13:52:28 2020 Info: Appliance: mail1.example.com, Interaction Mode: API, User: admin, Role: Role Not Available, Source IP: 192.168.1.1, Destination IP: 192.168.2.2, Location: GET /sma/api/v2.0/config/logs/subscriptions/ HTTP/1.0, Event: User is not valid.
- In this example, the log shows that the AsyncOS APIs could fetch the log subscriptions because the authentication was successful.

Thu Oct 8 13:52:37 2020 Info: Appliance: mail1.example.com, Interaction Mode: API, User: admin, Role: Administrator, Source IP: 192.168.1.1, Destination IP: 192.168.2.2, Location: GET /sma/api/v2.0/config/logs/subscriptions/ HTTP/1.0, Event: API Access Success.
- In this example, the log shows that:
  - A new user (for example, admin) is added to the appliance using the CLI, but the changes were not committed.
  - The existing user account details are updated in the appliance using the CLI, but the changes were not committed.

Thu Oct 8 13:42:48 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: Added user "hops" and changes will reflect after commit
Thu Oct 8 13:43:26 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: Updated user "hops" and changes will reflect after commit
- In this example, the log shows that a user (for example, admin) performed a message tracking search on the new web interface of the appliance.

User: admin, Role: Administrator, Source IP: 192.168.1.1, Destination IP: 192.168.2.2, Location: GET /sma/api/v2.0/message-tracking/messages?startDate=2020-10-12T00:00:00.000Z&endDate=2020-10-12T04:13:00.000Z&ciscoHost=All_Hosts&searchOption=messages&offset=0&limit=100 HTTP/1.0, Event: API Access Success.

Note: The actions that you perform on the new web interface of the appliance (for example, tracking, reporting, or quarantine search) are recorded as logs based on the corresponding APIs used for these actions.
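As an added example (not from this documentation or the appliance), the following Python parses the audit line format shown above and runs a reviewer pass over constructed sample entries: it extracts the "Key: value" fields, flags API requests that failed authentication, and pairs each user-account change with the commit or discard that followed it, since the entries only say the change "will reflect after commit". The sample lines are constructed in the page's format, and the commit event is matched with the "commited" spelling exactly as the page logs it.

```python
import re
from datetime import datetime

# Constructed sample lines in the format this page documents (not real appliance output).
SAMPLE_LOG = """\
Thu Oct 8 13:42:48 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: Added user "hops" and changes will reflect after commit
Thu Oct 8 13:45:46 2020 Info: Appliance: mail1.example.com, User: admin, Event: The following configuration changes were commited with comment - 'N/A'
Thu Oct 8 13:52:28 2020 Debug: 08/Oct/2020 13:52:28 +0000 Error - Code: 401, Details: Unauthorized (No permission -- see authorization schemes)
Thu Oct 8 13:52:28 2020 Info: Appliance: mail1.example.com, Interaction Mode: API, User: admin, Role: Role Not Available, Source IP: 192.168.1.1, Destination IP: 192.168.2.2, Location: GET /sma/api/v2.0/config/logs/subscriptions/ HTTP/1.0, Event: User is not valid.
Thu Oct 8 13:53:10 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: Deleted user "hops" and changes will reflect after commit
Thu Oct 8 13:54:02 2020 Info: Appliance: mail1.example.com, Interaction Mode: CLI, User: admin, Source IP: 192.168.1.1, Event: User discarded all uncommitted changes.
"""

HEADER_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (\w+): (.*)$")
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z ]*$")  # Appliance, Interaction Mode, Source IP, Location, ...
CHANGE_RE = re.compile(r'^(Added|Updated|Deleted) user "([^"]+)"')
COMMIT_PREFIX = "The following configuration changes were commited"  # sic, spelled as the appliance logs it

def parse_entry(line):
    """Timestamp, level and 'Key: value' fields of one audit line; None if the line has no header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, level, body = m.groups()
    head, sep, event = body.partition(", Event: ")  # Event is always last and may itself contain commas
    fields = {"Event": event} if sep else {}
    for part in head.split(", "):
        key, ksep, value = part.partition(": ")
        if ksep and KEY_RE.match(key):  # drops non key/value text such as the Debug timestamp prefix
            fields[key] = value
    return {"ts": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"), "level": level, "fields": fields, "raw": body}

def review(log_text):
    """API requests that failed authentication, and each account change with its commit outcome."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    auth_failures, account_changes = [], []
    for i, e in enumerate(entries):
        f, event = e["fields"], e["fields"].get("Event", "")
        if f.get("Interaction Mode") == "API" and event == "User is not valid.":
            auth_failures.append((f.get("User"), f.get("Source IP"), f.get("Location")))
        m = CHANGE_RE.match(event)
        if m:
            outcome = "pending"  # resolved by the next commit or discard on the appliance, by any user
            for later in entries[i + 1:]:
                ev = later["fields"].get("Event", "")
                if ev.startswith(COMMIT_PREFIX) or ev == "User discarded all uncommitted changes.":
                    outcome = "committed" if ev.startswith(COMMIT_PREFIX) else "discarded"
                    break
            account_changes.append((f.get("User"), m.group(1).lower(), m.group(2), outcome))
    return {"auth_failures": auth_failures, "account_changes": account_changes}
```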