The SBC supports enabling or disabling the audit logs to start or stop the auditd service, which is used to write the audit logs. The SBC is enhanced to configure a remote server IP address, port, and protocol type to push the audit logs to the remote server.
The following fields are added to the object platformAuditLogs to support pushing the audit logs to a remote server: auditLogRemoteHost, auditLogPort, and auditLogProtocolType.
When these fields are configured and the object platformAuditLogs is enabled, the /etc/rsyslog.conf file is configured automatically to send the audit logs to the remote server. The /etc/rsyslog.conf file sends the /var/log/audit/audit.log to the remote server's /var/log/messages file. The remote server's /etc/rsyslog.conf file must match the configuration of the SBC to receive the audit logs.
The SBC automatically adds an Access Control List (ACL) rule to send the audit logs through the application layer to the remote server.
platformAuditLogs is enabled.
platformAuditLogs is disabled.
For a High Availability (HA) pair, the /etc/rsyslog.conf file is updated both on the Active and the Standby SBCs to push the audit logs to the remote server.
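The requirement that the remote server's /etc/rsyslog.conf match the SBC settings can be checked on the receiver before platformAuditLogs is enabled. The following Python check is an added example, not Ribbon code: it assumes the receiver runs rsyslog with single-line statements, and the function name, the constructed sample configs and the UDP handling are assumptions (this page only shows tcp).

```python
import re

INPUT_MODULE = {"tcp": "imtcp", "udp": "imudp"}           # rsyslog listener modules
LEGACY_RUN = {"tcp": "InputTCPServerRun", "udp": "UDPServerRun"}  # legacy directives

# Constructed sample: receiver config with the TCP listener still commented out.
DEFAULT_CONF = '''
module(load="imuxsock")
#module(load="imtcp")
#input(type="imtcp" port="514")
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
'''
FIXED_CONF = DEFAULT_CONF.replace("#module", "module").replace("#input", "input")


def receiver_matches(conf_text, protocol, port):
    """Check a receiver rsyslog.conf against the SBC's auditLogProtocolType and
    auditLogPort. Handles single-line statements only. Returns (ok, problems)."""
    proto = protocol.lower()
    if proto not in INPUT_MODULE:
        return False, [f"unsupported protocol {protocol!r}"]
    mod = INPUT_MODULE[proto]
    loaded = listening = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, so disabled lines do not count
        if not line:
            continue
        # Module load: module(load="imtcp") or legacy $ModLoad imtcp
        if (re.search(rf'module\s*\(\s*load\s*=\s*"{mod}"', line)
                or re.fullmatch(rf'\$ModLoad\s+{mod}(\.so)?', line)):
            loaded = True
        # Listener: input(type="imtcp" port="514") or legacy $InputTCPServerRun 514
        m = re.search(r'input\s*\((.*)\)', line)
        if (m and re.search(rf'type\s*=\s*"{mod}"', m.group(1))
                and re.search(rf'port\s*=\s*"{port}"', m.group(1))):
            listening = True
        if re.fullmatch(rf'\${LEGACY_RUN[proto]}\s+{port}', line):
            listening = True
    problems = []
    if not loaded:
        problems.append(f"{mod} module is not loaded")
    if not listening:
        problems.append(f"no {proto} listener on port {port}")
    return not problems, problems


if __name__ == "__main__":
    # Values from the SBC command on this page: auditLogProtocolType tcp, auditLogPort 514
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(name, receiver_matches(conf, "tcp", 514))
```

A receiver that fails this check will not accept the audit logs pushed by the SBC.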
Perform the following steps to push the audit logs to the remote server:
To configure the remote host IP address, port number, and protocol type of the remote server, execute the following command:
% set oam eventLog platformAuditLogs auditLogRemoteHost 10.6.81.247 auditLogPort 514 auditLogProtocolType tcp
% commit
To configure the IP address, port, and protocol types of the remote server, the object platformAuditLogs must be disabled.
To enable the object platformAuditLogs, execute the following command:
% set oam eventLog platformAuditLogs state enabled
% commit
The Bucket Size value is insignificant if the Fill Rate value is unlimited. For ACL rules with action = discard, the Fill Rate and the Bucket Size values are irrelevant, and the packets are dropped based on the Type, IP address, or Port. The Fill Rate and the Bucket Size parameters play no role because the policer portion of an ACL applies only to the "accept" action and is ignored for the "discard" action, since all the packets are already discarded by the criteria.
The SBC automatically adds an ACL rule to send the audit logs through the application layer to the remote server.
To view the defaultAclStatistics, execute the following command:
> show table addressContext default ipAccessControlList defaultAclStatistics
ADDRESS LIF ACL CONTEXT GRP POLICING BUCKET POL POL PACKET PACKET Agg ID PROTOCOL APPLICATION ID ID SOURCE IP ADDRESS DESTINATION IP ADDRESS MODE SIZE CREDIT RATE ID PRIORITY ACCEPT DISCARD POL OWNER
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
194 TCP auditlog 1 1 10.6.81.247/32(514) *(0) PktRate 50 pkt 50 pkt/s 19 1 716 0 OAM SBX5000