History For Router Security Audit Logs Feature Release Modification
The Router Security Audit Logs feature allows users to configure audit trails, which track changes that
have been made to a router that is running Cisco IOS software.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Restrictions for Router Security Audit Logs
• Information About Router Security Audit Logs
• How to Use Router Security Audit Logs
• Configuration Examples for Using Router Security Audit Logs
• Additional References
• Command Reference
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Router Security Audit Logs
How to Use Router Security Audit Logs
SUMMARY STEPS
1. enable
2. configure terminal
3. audit filesize size
4. audit interval seconds
5. exit
6. show audit [filestat]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 audit filesize size
(Optional) Changes the size of the audit file.
• size—Size of the audit file in KB. Valid values range from 32 KB to 128 KB. 32 KB is the default size.
Note: Because the audit file is circular, this command determines the number of messages that can be stored on the disk before a wrap around occurs.
Example:
Router(config)# audit filesize 128
Step 4 audit interval seconds
(Optional) Changes the time interval that is used for calculating hashes.
• seconds—Time interval, in seconds, between hash calculations. Valid values range from 120 seconds to 3600 seconds. The default value is 300 seconds (5 minutes).
Example:
Router(config)# audit interval 120
Example:
Router(config)# exit
Step 6 show audit [filestat]
(Optional) Displays the contents of an audit file.
• filestat—Displays the rollover counter for the circular buffer and the number of messages that are received. The rollover counter, which indicates the number of times the circular buffer has been overwritten, is reset when the audit filesize is changed (via the audit filesize command).
Example:
Router# show audit
Example
The following example is sample output from the show audit command:
Router# show audit
*Sep 14 18:37:31.535:%AUDIT-1-RUN_VERSION:Hash:
24D98B13B87D106E7E6A7E5D1B3CE0AD User:
*Sep 14 18:37:31.583:%AUDIT-1-RUN_CONFIG:Hash:
4AC2D776AA6FCA8FD7653CEB8969B695 User:
*Sep 14 18:37:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
*Sep 14 18:37:32.107:%AUDIT-1-FILESYSTEM:Hash:
330E7111F2B526F0B850C24ED5774EDE User:
*Sep 14 18:37:32.107:%AUDIT-1-HARDWARE_CONFIG:Hash:
32F66463DDA802CC9171AF6386663D20 User:
Field Description
AUDIT-1-RUN_VERSION:Hash: 24D98B13B87D106E7E6A7E5D1B3CE0AD User:
  Running version, which is a hash of the information that is provided in the output of the show version command: running version, ROM information, BOOTLDR information, system image file, system and processor information, and configuration register contents.
AUDIT-1-RUN_CONFIG:Hash: 4AC2D776AA6FCA8FD7653CEB8969B695 User:
  Running configuration, which is a hash of the running configuration.
AUDIT-1-STARTUP_CONFIG:Hash: 95DD497B1BB61AB33A629124CBFEC0FC User:
  Startup configuration, which is a hash of the contents of the files on NVRAM, which includes the startup-config, private-config, underlying-config, and persistent-data.
AUDIT-1-FILESYSTEM:Hash: 330E7111F2B526F0B850C24ED5774EDE User:
  File system, which is a hash of the dir information on all of the flash file systems, which includes bootflash and any other flash file systems on the router.
AUDIT-1-HARDWARE_CONFIG:Hash: 32F66463DDA802CC9171AF6386663D20 User:
  Hardware configuration, which is a hash of platform-specific information that is generally provided in the output of the show diag command.
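Because show audit reports only one hash per area, a change is visible only as a differing hash between two records for the same area. The following Python script is an added example, not Cisco code: it parses captured show audit output (including the wrapped hash line) and reports which area changed and when. The function names are hypothetical, and the two 18:42 records in the sample are constructed for illustration.

```python
import re

# A record is "*<timestamp>:%AUDIT-1-<AREA>:Hash:", then the 32-hex-digit hash
# (wrapped onto the next line in the sample output), then "User:".
RECORD = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+):%AUDIT-1-(?P<area>[A-Z_]+):Hash:\s*"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+User:[ \t]*(?P<user>[^\n]*)",
    re.MULTILINE,
)

def parse_audit(text):
    """Return records in file order as (timestamp, area, hash, user)."""
    return [(m["ts"], m["area"], m["hash"].upper(), m["user"].strip())
            for m in RECORD.finditer(text)]

def hash_changes(records):
    """Report every point where an area's hash differs from its previous one."""
    last, changes = {}, []
    for ts, area, digest, user in records:
        if area in last and last[area] != digest:
            changes.append({"time": ts, "area": area, "old": last[area],
                            "new": digest, "user": user})
        last[area] = digest
    return changes

def compare_to_baseline(baseline, records):
    """Areas whose latest hash differs from, or is missing against, a baseline."""
    latest = {area: digest for _, area, digest, _ in records}
    return sorted(a for a in baseline.keys() | latest.keys()
                  if baseline.get(a) != latest.get(a))

# First four lines are from the sample output above; the 18:42 records are
# constructed to show a later interval in which only RUN_CONFIG changed.
SAMPLE = """\
*Sep 14 18:37:31.583:%AUDIT-1-RUN_CONFIG:Hash:
4AC2D776AA6FCA8FD7653CEB8969B695 User:
*Sep 14 18:37:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
*Sep 14 18:42:31.583:%AUDIT-1-RUN_CONFIG:Hash:
00112233445566778899AABBCCDDEEFF User:
*Sep 14 18:42:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
"""

if __name__ == "__main__":
    for c in hash_changes(parse_audit(SAMPLE)):
        print(f'{c["time"]} {c["area"]}: {c["old"]} -> {c["new"]}')
```

In the sample, RUN_CONFIG changes while STARTUP_CONFIG does not, which is consistent with a running-configuration change that was not written to NVRAM.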
Troubleshooting Tips
Although the show audit command displays audit file information such as the timestamp and what area
is being hashed (such as the file system or hardware configuration), a description of what changes were
attempted is not available. To view more detailed information regarding the hashes, use the debug audit
command.
SUMMARY STEPS
1. enable
2. debug audit
DETAILED STEPS
Example:
Router# debug audit
Examples
The following example is sample output from the debug audit command:
Router# debug audit
*Sep 14 18:37:31.535:%AUDIT-1-RUN_VERSION:Hash:
24D98B13B87D106E7E6A7E5D1B3CE0AD User:
*Sep 14 18:37:31.583:%AUDIT-1-RUN_CONFIG:Hash:
4AC2D776AA6FCA8FD7653CEB8969B695 User:
*Sep 14 18:37:31.587:Audit:Trying to hash nvram:startup-config
*Sep 14 18:37:31.587:Audit:nvram:startup-config Done.
*Sep 14 18:37:31.587:Audit:Trying to hash nvram:private-config
*Sep 14 18:37:31.591:Audit:nvram:private-config Done.
*Sep 14 18:37:31.591:Audit:Trying to hash nvram:underlying-config
*Sep 14 18:37:31.591:Audit:nvram:underlying-config Done.
*Sep 14 18:37:31.591:Audit:Trying to hash nvram:persistent-data
*Sep 14 18:37:31.591:Audit:nvram:persistent-data Done.
*Sep 14 18:37:31.595:Audit:Trying to hash nvram:ifIndex-table
*Sep 14 18:37:31.595:Audit:Skipping nvram:ifIndex-table
*Sep 14 18:37:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
*Sep 14 18:37:31.595:Audit:Trying to hash filesystem disk0:
*Sep 14 18:37:31.775:Audit:Trying to hash attributes of
disk0:c7200-p-mz.120-23.S
*Sep 14 18:37:32.103:Audit:disk0:c7200-p-mz.120-23.S DONE
*Sep 14 18:37:32.103:Audit:disk0:DONE
*Sep 14 18:37:32.103:Audit:Trying to hash filesystem bootflash:
*Sep 14 18:37:32.103:Audit:Trying to hash attributes of
bootflash:c7200-kboot-mz.121-8a.E
*Sep 14 18:37:32.107:Audit:bootflash:c7200-kboot-mz.121-8a.E DONE
*Sep 14 18:37:32.107:Audit:Trying to hash attributes of
bootflash:crashinfo_20030115-182547
*Sep 14 18:37:32.107:Audit:bootflash:crashinfo_20030115-182547 DONE
*Sep 14 18:37:32.107:Audit:Trying to hash attributes of
bootflash:crashinfo_20030115-212157
*Sep 14 18:37:32.107:Audit:bootflash:crashinfo_20030115-212157 DONE
*Sep 14 18:37:32.107:Audit:Trying to hash attributes of
bootflash:crashinfo_20030603-155534
*Sep 14 18:37:32.107:Audit:bootflash:crashinfo_20030603-155534 DONE
*Sep 14 18:37:32.107:Audit:bootflash:DONE
*Sep 14 18:37:32.107:%AUDIT-1-FILESYSTEM:Hash:
330E7111F2B526F0B850C24ED5774EDE User:
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for 7206VXR chassis,
Hw Serial#:28710795, Hw Revision:A
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for NPE 400 Card, Hw
Serial#:28710795, Hw Revision:A
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for I/O Dual
FastEthernet Controller
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for i82543
(Livengood)
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for i82543
(Livengood)
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:Audit:Hashing entitymib entry for Chassis Slot
*Sep 14 18:37:32.107:%AUDIT-1-HARDWARE_CONFIG:Hash:
32F66463DDA802CC9171AF6386663D20 User:
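The debug audit output above shows which objects feed each hash and which are skipped. The following Python script is an added example, not Cisco code: it groups the debug lines under the %AUDIT-1 record that follows them and lists what was hashed and skipped per area. The grouping rule is an assumption read off the ordering of the sample output, the function names are hypothetical, and the embedded input is a trimmed excerpt of that sample.

```python
import re

TRY = re.compile(r":Audit:Trying to hash (?:attributes of |filesystem )?(\S+)$")
SKIP = re.compile(r":Audit:Skipping (\S+)$")
MIB = re.compile(r":Audit:Hashing entitymib entry for (.+)$")
AREA = re.compile(r":%AUDIT-1-([A-Z_]+):Hash: ?([0-9A-F]{32})")

def unwrap(text):
    """Rejoin wrapped lines: every real message starts with '*<timestamp>'."""
    out = []
    for line in text.splitlines():
        if line.startswith("*") or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def coverage(text):
    """Map each hashed area to the objects debug audit reported before it."""
    result, hashed, skipped = {}, [], []
    for line in unwrap(text):
        if m := AREA.search(line):
            result[m[1]] = {"hash": m[2], "hashed": hashed, "skipped": skipped}
            hashed, skipped = [], []
        elif m := SKIP.search(line):
            skipped.append(m[1])
            hashed = [h for h in hashed if h != m[1]]  # tried, then skipped
        elif m := TRY.search(line) or MIB.search(line):
            hashed.append(m[1])
    return result

# Trimmed excerpt of the sample debug audit output above (assumed grouping:
# debug lines belong to the next %AUDIT-1 record).
SAMPLE = """\
*Sep 14 18:37:31.587:Audit:Trying to hash nvram:startup-config
*Sep 14 18:37:31.587:Audit:nvram:startup-config Done.
*Sep 14 18:37:31.595:Audit:Trying to hash nvram:ifIndex-table
*Sep 14 18:37:31.595:Audit:Skipping nvram:ifIndex-table
*Sep 14 18:37:31.595:%AUDIT-1-STARTUP_CONFIG:Hash:
95DD497B1BB61AB33A629124CBFEC0FC User:
*Sep 14 18:37:31.775:Audit:Trying to hash attributes of
disk0:c7200-p-mz.120-23.S
*Sep 14 18:37:32.107:%AUDIT-1-FILESYSTEM:Hash:
330E7111F2B526F0B850C24ED5774EDE User:
"""

if __name__ == "__main__":
    for area, c in coverage(SAMPLE).items():
        print(area, c["hashed"], "skipped:", c["skipped"])
```

An object reported as skipped, such as nvram:ifIndex-table here, is not listed as hashed, so the STARTUP_CONFIG hash should not be relied on to reflect changes to it.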
Additional References
The following sections provide references related to Router Security Audit Logs.
Related Documents
Related Topic: System startup and file maintenance
Document Title: The section “File Management” in the Cisco IOS Configuration Fundamentals Configuration Guide
Related Topic: File maintenance commands
Document Title: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2
Standards
Standards Title
None —
MIBs
MIBs MIBs Link
MIBs: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs Title
None —
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Command Reference
The following commands are introduced or modified in the feature or features
• audit filesize
• audit interval
• debug audit
• show audit
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.