
3.10.6 Displaying/Setting the Audit Policy


  1. Execute the showaudit command to display the audit policy settings.
XSCF> showaudit all
Auditing: enabled
Audit space used: 13713 (bytes)
Audit space free: 4180591 (bytes)
Records dropped: 0
Policy on full trail: count
User global policy: enabled
Mail:
Thresholds: 80% 100%
User policy:
Events:
AEV_AUDIT_START enabled
AEV_AUDIT_STOP enabled
  1. Execute the setaudit command to set the audit policy.
    The following example specifies three users (yyyyy, uuuuu, and nnnnn), enables the ACS_AUDIT and ACS_LOGIN audit classes, enables the AEV_version audit event, and disables the user global policy.
XSCF> setaudit -a yyyyy,uuuuu,nnnnn=enable -c ACS_AUDIT,ACS_LOGIN=enable -e AEV_version=enable -g disable
  1. The following example specifies a warning destination e-mail address, specifies that new audit records are discarded and the discarded records counted when the audit trail reaches full capacity, and sets the warning thresholds for audit file usage (50%, 75%, and 90%).
XSCF> setaudit -m yyyy@example.com -p count -t 50,75,90
  1. Execute the showaudit command, and confirm the settings.
XSCF> showaudit all
Auditing: enabled
Audit space used: 13713 (bytes)
Audit space free: 4180591 (bytes)
Records dropped: 0
Policy on full trail: count
User global policy: enabled
Mail: yyyy@example.com
Thresholds: 50% 75% 90%
User policy:
Events:
AEV_AUDIT_START enabled
AEV_AUDIT_STOP enabled
:
AEV_LOGIN_BUI enabled
AEV_LOGIN_CONSOLE enabled
AEV_LOGIN_SSH enabled
AEV_LOGIN_TELNET enabled
AEV_LOGOUT enabled
AEV_AUTHENTICATE enabled
:
AEV_version enabled
:
With -p count specified, new audit record data is discarded (dropped) when the audit log reaches full capacity, and the number of times that records are dropped is counted (drop count).
Note - When an audit log reaches full capacity, only the default audit policy "count," which discards audit records, is currently supported. Therefore, do not specify "suspend."
If the amount of audit log data exceeds a threshold, a warning message appears on the console. If a warning destination e-mail address is specified, the warning can also be sent in a secure format.
The following example shows a warning message.
WARNING: audit trail is 91% full
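
The following Python script is an added example, not part of the original manual. It parses captured `showaudit all` output in the format shown above and reports policy gaps such as dropped records, a missing warning address, or a disabled login event. The function names, the required-event list, the "disabled" state string, and the used / (used + free) usage formula are assumptions.

```python
import re

# Constructed sample in the `showaudit all` format shown on this page. The
# "disabled" state and the dropped-record count are assumptions for illustration.
SAMPLE = """\
Auditing: enabled
Audit space used: 3900000 (bytes)
Audit space free: 294304 (bytes)
Records dropped: 12
Policy on full trail: count
User global policy: enabled
Mail:
Thresholds: 80% 100%
User policy:
Events:
AEV_AUDIT_START enabled
AEV_LOGIN_SSH disabled
"""

def parse_showaudit(text):
    """Return (settings, events) parsed from `showaudit all` output."""
    settings, events, in_events = {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Events:":
            in_events = True
        elif in_events:
            m = re.fullmatch(r"(AEV_\w+)\s+(enabled|disabled)", line)
            if m:  # other lines, such as the ":" omission markers, are skipped
                events[m.group(1)] = m.group(2)
        elif ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings, events

def audit_findings(text, required=("AEV_AUDIT_START", "AEV_LOGIN_SSH")):
    """List policy gaps; an empty list means none of these checks fired."""
    s, ev = parse_showaudit(text)
    used, free = (int(s[k].split()[0]) for k in ("Audit space used", "Audit space free"))
    pct = 100 * used // (used + free)  # assumption: used / (used + free)
    out = []
    if s.get("Auditing") != "enabled":
        out.append("auditing disabled")
    if int(s.get("Records dropped", "0")) > 0:
        out.append("records dropped: " + s["Records dropped"])
    if not s.get("Mail"):
        out.append("no warning e-mail address")
    if pct >= min(int(t.rstrip("%")) for t in s["Thresholds"].split()):
        out.append("audit trail %d%% full" % pct)
    out += [e + " not enabled" for e in required if ev.get(e) != "enabled"]
    return out
```

Because the only supported full-trail policy is "count", a nonzero "Records dropped" value means audit events were lost, so that check is worth running on a schedule against saved output.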