Matlu
MVP Silver

Auditing changes in FW

Hello, Mates

Is it possible to “observe” all the changes made by an administrator from the CLI of a FW?

For example, if an administrator changes a route, edits an interface, adds a new interface, configures SNMPv2, configures OSPF... all this from the CLI of a FW...

Is it possible to review this activity performed by an administrator in the logs? Or is it stored somewhere else on the device?

Thanks for your comments.

0 Kudos
7 Replies
the_rock
MVP Gold

Hey bro,

SmartConsole changes would be via audit logs, but something like what you described is probably either SmartEvent or the /var/log/audit dir.

Andy

0 Kudos
the_rock
MVP Gold

On second thought bro, I know our company uses a syslog server for these things; when, say, someone logs into the firewall, we do get an alert about it.

Andy

0 Kudos
Chris_Atkinson
Employee

[Attached image: 1 (5).png]

Otherwise you would check /var/log/messages

CCSM R77/R80/ELITE
0 Kudos
Matlu
MVP Silver

Hi, @Chris_Atkinson 

Does this configuration shown in your image also apply when changes are made via CLI on a firewall?

If a change is successful, for example when you “delete” several VLANs, should we be able to see these changes in the SmartConsole Audit Logs?

0 Kudos
the_rock
MVP Gold

Hey brother... keep in mind, those changes will NOT show up in SmartConsole audit logs, because that's ONLY for changes made in SmartConsole by default. However, you can make it work the way @Chris_Atkinson posted; you just need to add the mgmt server in the remote system logging tab. I'm sure you know that by default, fw logs will be sent to the management, but not the ones you are referring to, unless you set this up first.

I had done that before in the lab and was fine.

Andy

0 Kudos
emmap
Employee

The audit logs are explicitly for any changes made by CLI on the system. So yes. We recommend you send them to syslog and then configure a central syslog server to store them all in one place, to save you having to trawl the messages files on the systems and hope the entries you want haven't rotated away.

0 Kudos
Henrik_Noerr1
Advisor

You need to implement sk99134 or you will not know what your privileged users are doing.

/Henrik

0 Kudos
