Overview

Enabling or disabling the audit logs on the SBC starts or stops the auditd service, which writes the audit logs. The SBC can also be configured with a remote server IP address, port, and protocol type so that it pushes the audit logs to that remote server.

The following fields are added to the object platformAuditLogs to support pushing the audit logs to a remote server.

  • a remote host IP address
  • a port number
  • a protocol type

When these fields are configured and the object platformAuditLogs is enabled, the /etc/rsyslog.conf file is automatically configured to send the audit logs to the remote server. With this configuration, the contents of /var/log/audit/audit.log are sent to the remote server's /var/log/messages file. To receive the audit logs, the remote server's /etc/rsyslog.conf file must match the configuration of the SBC. The SBC automatically adds an Access Control List (ACL) rule to send the audit logs through the application layer to the remote server.

Note
  • The SBC logs the audit logs when the object platformAuditLogs is enabled.
  • The ACL rule is removed automatically from the default ACL rules when the object platformAuditLogs is disabled.
  • For a High Availability (HA) pair, the /etc/rsyslog.conf file is updated both on the Active and the Standby SBCs to push the audit logs to the remote server.
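
The remote server only receives the audit logs if its /etc/rsyslog.conf opens a listener that matches what the SBC sends. The following is an added example (not part of the original page or of the SBC software) that parses a receiver's rsyslog configuration and compares it with the auditLogPort and auditLogProtocolType values; it assumes that "match" means the same port and protocol and that the receiver uses the standard rsyslog imtcp/imudp input modules, and the function names and sample configurations are constructed for illustration.

```python
import re

# Real rsyslog listener syntax: legacy directives and RainerScript module()/input().
LEGACY = {"$inputtcpserverrun": "tcp", "$udpserverrun": "udp"}
MOD_RE = re.compile(r'(?:\$modload\s+|module\s*\(\s*load\s*=\s*")(im(?:tcp|udp))', re.I)
INPUT_RE = re.compile(r'input\s*\(([^)]*)\)', re.I)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def listeners(conf_text):
    """Return the (protocol, port) pairs the receiver config actually opens."""
    # Strip comments first so commented-out listeners are not counted.
    text = "\n".join(ln.split("#", 1)[0] for ln in conf_text.splitlines())
    loaded = {m.lower() for m in MOD_RE.findall(text)}
    cand = set()
    for ln in text.splitlines():
        parts = ln.split()
        if len(parts) == 2 and parts[0].lower() in LEGACY and parts[1].isdigit():
            cand.add((LEGACY[parts[0].lower()], int(parts[1])))
    for m in INPUT_RE.finditer(text):
        params = {k.lower(): v for k, v in PARAM_RE.findall(m.group(1))}
        mod = params.get("type", "").lower()
        if mod in ("imtcp", "imudp") and params.get("port", "").isdigit():
            cand.add((mod[2:], int(params["port"])))
    # A listener only works if its input module is loaded.
    return {(p, n) for p, n in cand if "im" + p in loaded}

def check_receiver(conf_text, port, protocol):
    """Compare receiver listeners with the SBC's auditLogPort / auditLogProtocolType."""
    have = listeners(conf_text)
    want = (protocol.lower(), int(port))
    if want in have:
        return True, f"receiver listens on {want[0]}/{want[1]}"
    same_port = sorted(p for p, n in have if n == want[1])
    if same_port:
        return False, f"port {want[1]} is open for {','.join(same_port)} only, SBC sends {want[0]}"
    return False, f"no listener on {want[0]}/{want[1]}; found {sorted(have)}"

# Constructed sample receiver configurations (not taken from the page).
UDP_ONLY = ('module(load="imudp")\ninput(type="imudp" port="514")\n'
            '#module(load="imtcp")\n#input(type="imtcp" port="514")\n')
TCP_OK = "$ModLoad imtcp\n$InputTCPServerRun 514\n"

if __name__ == "__main__":
    # SBC side as configured on this page: auditLogPort 514, auditLogProtocolType tcp
    for name, conf in (("UDP_ONLY", UDP_ONLY), ("TCP_OK", TCP_OK)):
        print(name, check_receiver(conf, 514, "tcp"))
```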


Perform the following steps to push the audit logs to the remote server:

Configuring the Remote Host IP Address, Port Number, and Protocol Type

To configure the remote host IP address, port number, and protocol type of the remote server, execute the following command:

% set oam eventLog platformAuditLogs auditLogRemoteHost 10.6.81.247 auditLogPort 514 auditLogProtocolType tcp

% commit

Note

To configure the IP address, port, and protocol type of the remote server, the object platformAuditLogs must be disabled.

Enabling the platformAuditLogs

To enable the object platformAuditLogs, execute the following command:

% set oam eventLog platformAuditLogs state enabled 

% commit

Viewing the ACL Rule

Note

The SBC automatically adds an ACL rule to send the audit logs through the application layer to the remote server.

To view the defaultAclStatistics, run the following command:


Note

The Bucket Size value is insignificant if the Fill Rate value is unlimited.

  • The Fill Rate is the maximum rate you expect for the traffic to pass the policer.
  • The Bucket Size is the number of additional packets allowed to pass in a given period if available packets are in the bucket. The credit balance is consumed before the packets are discarded.

For ACL rules with action = discard, the Fill Rate and the Bucket Size values are irrelevant, and the packets are dropped based on the Type, IP address, or Port.

The Fill Rate and the Bucket Size parameters play no role in that case because the policer portion of an ACL applies only to the "accept" action; it is ignored for the "discard" action, since all the packets are already discarded by the matching criteria.

> show table addressContext default ipAccessControlList defaultAclStatistics 
                                                                                       
                            ADDRESS  LIF
ACL                         CONTEXT  GRP                                               POLICING  BUCKET               POL  POL       PACKET  PACKET   Agg
ID   PROTOCOL  APPLICATION  ID       ID   SOURCE IP ADDRESS    DESTINATION IP ADDRESS  MODE      SIZE    CREDIT RATE  ID   PRIORITY  ACCEPT  DISCARD  POL  OWNER
------------------------------------------------------------------------------------------------------------------------------------------------------------------
194  TCP       auditlog     1        1    10.6.81.247/32(514)  *(0)                    PktRate   50 pkt  50 pkt/s     19   1         716     0         OAM  SBX5000