Audit Trail; Audit Trail Log Entries; Audit Trail Capacities - Cisco ONS 15600 Reference Manual

Chapter 5 Security

5.3 Audit Trail

The ONS 15600 maintains a GR-839-compliant audit trail log that resides on the TSC card. This record shows who has accessed the system and what operations were performed during a given period of time. The log includes authorized Cisco logins and logouts using the operating system command line interface (CLI), CTC, and TL1; the log also includes FTP actions, circuit creation/deletion, and user/system generated actions.

Event monitoring is also recorded in the audit log. An event is defined as the change in status of an element within the network. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail.

Audit trails are useful for maintaining security, recovering lost transactions and enforcing accountability. Accountability is the ability to trace user activities and is done by associating a process or action with a specific user. To view the audit trail log, refer to the "Manage Alarms" chapter in the Cisco ONS 15600 Procedure Guide. Users can access the audit trail logs from any management interface (CTC, CTM, TL1).

The audit trail is stored in persistent memory and is not corrupted by processor switches, resets or upgrades. However, if a user pulls both TSC cards, the audit trail log is lost.

5.3.1 Audit Trail Log Entries

Audit trail records capture the following activities:

User—Name of the user performing the action
Host—Host from where the activity is logged
Device ID—IP address of the device involved in the activity
Application—Name of the application involved in the activity
Task—Name of the task involved in the activity (View a dialog, apply configuration and so on)
Connection Mode—Telnet, Console, SNMP
Category—Type of change; Hardware, Software, Configuration
Status—Status of the user action (Read, Initial, Successful, Timeout, Failed)
Time—Time of change
Message Type—Denotes if the event is Success/Failure type
Message Details—A description of the change

5.3.2 Audit Trail Capacities

The system is able to store 640 log entries. When this limit is reached, the oldest entries are overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is raised and logged (by way of CORBA/CTC).

When the log server reaches a maximum capacity of 640 entries and begins overwriting records that were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit trail records have been lost. Until the user off-loads the file, this event occurs once regardless of the number of entries that are overwritten by the system. To export the audit trail log, refer to the Cisco ONS 15600 Procedure Guide.
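
The capacity rules in 5.3.2 can be modeled to see how much logging headroom remains between off-loads. The following is an added example, not code from the manual or from Cisco: the class and method names are hypothetical, and it assumes that fullness is counted in entries not yet off-loaded and that an off-load clears both conditions.

```python
from collections import deque

CAPACITY = 640      # entries the log holds, per the section above
LOW_PERCENT = 80    # fill level at which AUD-LOG-LOW is raised


class AuditLogModel:
    """Simplified model of the overwrite and alarm rules (not Cisco code)."""

    def __init__(self, capacity=CAPACITY):
        self.capacity = capacity
        self.entries = deque(maxlen=capacity)  # oldest entry is dropped when full
        self.unarchived = 0   # assumption: entries written since the last off-load
        self.lost = 0         # unarchived entries overwritten since the last off-load
        self.active = set()   # conditions currently standing
        self.raised = []      # every condition raised, in order

    def _raise_once(self, condition):
        if condition not in self.active:
            self.active.add(condition)
            self.raised.append(condition)

    def headroom(self):
        """Entries that can still be written before unarchived records are lost."""
        return self.capacity - self.unarchived

    def record(self, entry):
        if self.unarchived == self.capacity:
            # The oldest stored entry was never off-loaded and is overwritten.
            self.lost += 1
            self._raise_once("AUD-LOG-LOSS")
        else:
            self.unarchived += 1
        self.entries.append(entry)
        if self.unarchived * 100 >= self.capacity * LOW_PERCENT:
            self._raise_once("AUD-LOG-LOW")

    def offload(self):
        """Export unarchived entries; assumed to clear both conditions."""
        start = len(self.entries) - self.unarchived
        exported = list(self.entries)[start:]
        self.unarchived = self.lost = 0
        self.active.clear()
        return exported


if __name__ == "__main__":
    log = AuditLogModel()
    for seq in range(700):  # constructed sample entries
        log.record({"User": "operator1", "Task": "Login", "Seq": seq})
    print(log.raised, "lost:", log.lost, "exported:", len(log.offload()))
```

In this model AUD-LOG-LOW leaves 128 entries of headroom, so an archiving job triggered by that condition has to complete before 128 further events are logged.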
Cisco ONS 15600 Reference Manual, R8.0