Audit Logs
Use audit logs to record user login/logoff and user online behaviors. Audit logs include the following types: start, end, update, enter command at CLI, clear online data, and age online data.
After a user successfully logs into a device, TAM records an audit start log. After a user logs off, TAM records an audit end log.
For an online user of a device, the device periodically sends TAM watchdog packets to declare that the user is still online, and TAM records audit update logs.
After a user enters a command at the CLI, TAM records an enter-command-at-CLI log.
When an operator manually clears online user information, TAM records a clear-online-data log. Such a log is similar to an audit end log: it marks the end of the user's last access to the device.
When TAM clears aged online users according to the Aging Time specified in the system parameter configuration, TAM records age-online-data logs.
For more information about clearing online user data and aging online users, see Online User Management.
Features
- Query Audit Logs
Perform this task to query audit logs by predefined criteria.
Procedure
- Click the User tab, and then select Device User > Log Management > Audit Logs from the navigation tree.
- The Query Audit Logs function provides a basic query and an advanced query. You can switch between them by clicking the Basic Query link or the Advanced Query link in the upper right corner. The basic query criteria are account name, audit type, and audit time. The advanced query criteria are account name, audit type, audit time, device user group, user status, CLI, privilege level, device IP, user IP, session ID, and task ID. Account name and CLI support fuzzy query.
- Click Query to display the audit logs matching the query criteria or click Reset to query audit logs with the default query criteria.
- Export Audit Logs
Perform this task to export all audit logs displayed on the audit log list.
Procedure
- Click the User tab, and then select Device User > Log Management > Audit Logs from the navigation tree.
- Set the basic or advanced query criteria and click Query.
- Click Export.
- Select the file format and column separator, and click OK. The result page displays the log export result and provides a link for downloading the file.
Parameters
- CLI: The complete CLI executed by the device user.
- Session ID: For one audit action, the device and the server use the same session ID for packet exchanges.
- Task ID: Task ID for auditing the device user. The audit logs recorded during one login use the same task ID.
Remarks
- Operations on other pages can be performed during the export process. After the export is finished, click the Last Export Result link to view the export result.
- If the device supports watchdog packets, select the Watchdog attribute when adding the device. Then, when the device has an online user, the device periodically sends watchdog packets to the server to declare that the user is still online and the server records audit update logs.
- If you delete online data of an online user, the system can still correctly record audit logs for the user.
- Export formats include text file and CSV table. When exporting logs as a text file, be sure to select the column separator. The separators for a text file are blank space, tab, comma (,), semicolon (;), number sign (#) and dollar sign ($). The CSV format uses commas (,) as field separators. On Windows, CSV files open in Excel by default, and Excel chooses the display format according to the cell contents. For example, 123456789123456789 is displayed as 1.23457E+17 (scientific notation). In this case, display the data in text format or open the file in a text editor such as Notepad.
- When Send Syslog Messages is set to Yes in User > Device User Policy > Service Parameters > System Configuration, TAM sends audit log data packets to the destination specified by Syslog Server IP and Syslog Server Port. The packets carry the following parameters:
- userName: Account Name.
- terminal: Terminal.
- terminalIp: User IP Address.
- deviceIp: Device IP Address.
- accountType: Audit Type. 2: Start; 4: End; 8: Update; 10: Start Command At CLI; 9: Enter Command At CLI; 100: Clear Online Data; 101: Age Online Data.
- command: CLI.
- auditTime: Audit Time.
- When Filter "Start" and "End" logs is selected, logs with the audit types Start and End are not displayed in the query list, and the exported log records do not contain such logs.
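The following is an added example (not part of this documentation and not TAM's own code) that shows how a receiving side can make use of the two record forms described above: the audit parameters carried in syslog packets, and an exported text file with a chosen column separator. It assumes that the syslog body carries the parameters as space-separated key=value pairs with double-quoted values where spaces occur; the page does not specify the on-wire layout, so that layout, the sample records and the column headers of the export are constructed here. The accountType code table is the one listed above. Session and task IDs are kept as strings, which avoids the scientific-notation problem mentioned for Excel.

```python
"""Parse TAM audit-log records from syslog and from an export file (added example)."""
import csv
import io
import re
from collections import defaultdict

# Audit type codes for the accountType parameter, as listed in the documentation.
AUDIT_TYPES = {
    2: "Start",
    4: "End",
    8: "Update",
    10: "Start Command At CLI",
    9: "Enter Command At CLI",
    100: "Clear Online Data",
    101: "Age Online Data",
}

# ASSUMPTION: syslog bodies are key=value pairs separated by spaces; values that
# contain spaces are double-quoted. The real packet layout is not given on the page.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample syslog bodies (not real captures).
SYSLOG_SAMPLE = [
    'userName=alice terminal=vty0 terminalIp=10.0.0.5 deviceIp=10.0.1.1 accountType=2 command="" auditTime="2024-01-01 09:00:00"',
    'userName=alice terminal=vty0 terminalIp=10.0.0.5 deviceIp=10.0.1.1 accountType=9 command="display current-configuration" auditTime="2024-01-01 09:00:10"',
    'userName=alice terminal=vty0 terminalIp=10.0.0.5 deviceIp=10.0.1.1 accountType=8 command="" auditTime="2024-01-01 09:05:00"',
    'userName=alice terminal=vty0 terminalIp=10.0.0.5 deviceIp=10.0.1.1 accountType=4 command="" auditTime="2024-01-01 09:07:00"',
    'userName=bob terminal=vty1 terminalIp=10.0.0.6 deviceIp=10.0.1.2 accountType=2 command="" auditTime="2024-01-01 10:00:00"',
    'userName=bob terminal=vty1 terminalIp=10.0.0.6 deviceIp=10.0.1.2 accountType=9 command="system-view" auditTime="2024-01-01 10:00:05"',
    'userName=bob terminal=vty1 terminalIp=10.0.0.6 deviceIp=10.0.1.2 accountType=101 command="" auditTime="2024-01-01 11:30:00"',
]

# Constructed export sample using '#' as the text-file column separator.
EXPORT_SAMPLE = (
    "Account Name#Audit Type#Session ID#Task ID#CLI\n"
    "alice#Enter Command At CLI#123456789123456789#42#display current-configuration\n"
    "alice#End#123456789123456789#42#\n"
)


def parse_syslog_body(body):
    """Turn one syslog body into a dict and decode accountType into auditType."""
    fields = {}
    for key, value in PAIR_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    if "accountType" in fields:
        fields["auditType"] = AUDIT_TYPES.get(int(fields["accountType"]), "Unknown")
    return fields


def parse_export(text, separator):
    """Read an exported audit-log file; every column stays a string, so an
    18-digit session ID is never coerced into a float."""
    return list(csv.DictReader(io.StringIO(text), delimiter=separator))


def summarise_sessions(records):
    """Group decoded records per (user, device): commands entered, watchdog
    updates seen, and which log type closed the session."""
    sessions = defaultdict(lambda: {"commands": [], "updates": 0, "end": None})
    for rec in records:
        sess = sessions[(rec["userName"], rec["deviceIp"])]
        kind = rec["auditType"]
        if kind == "Enter Command At CLI":
            sess["commands"].append(rec["command"])
        elif kind == "Update":
            sess["updates"] += 1
        elif kind in ("End", "Clear Online Data", "Age Online Data"):
            sess["end"] = kind
    return dict(sessions)


def abnormal_ends(sessions):
    """Sessions not closed by a normal End log (cleared by an operator or aged
    out) are worth a second look during review."""
    return [key for key, s in sessions.items() if s["end"] in ("Clear Online Data", "Age Online Data")]


if __name__ == "__main__":
    decoded = [parse_syslog_body(line) for line in SYSLOG_SAMPLE]
    summary = summarise_sessions(decoded)
    for key, s in summary.items():
        print(key, s)
    print("abnormal:", abnormal_ends(summary))
    for row in parse_export(EXPORT_SAMPLE, "#"):
        print(row["Account Name"], row["Audit Type"], row["Session ID"])
```

Because the Update records come from watchdog packets, a session with zero updates over a long interval between Start and End is also a sign that the device's Watchdog attribute was not set when it was added (see the remark above).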