show accounting log
Syntax
show accounting log [last <QTY-TO-SHOW> | all]
Description
This
show accounting log
command replaces the
show audit-log
command that is supported only in 10.00 releases.
Command context
Manager (#
)
Command context
Manager (#
) or Auditor (auditor>
)
Parameters
last <QTY-TO-SHOW>
Specifies how many most-recent accounting log records to show for the current boot. Range: 1 to 1000.
all
Selects for showing, all accounting records from the current boot and the previous boot.
Authority
Administrators or Auditors.
Usage
The log message starts with the record type, which is specific to ArubaOS-CX. Values are the following:
USER_START
Record of a user login action.
USER_END
Record of a user logout action.
USYS_CONFIG
Record of a command executed by the user.
msg=
element starting with the
rec=
item as follows:
Exec is identified with:
msg='rec=ACCT_EXEC
Command is identified with:
msg='rec=ACCT_CMD
System is identified with:
msg='rec=ACCT_SYSTEM
The user group is indicated by
priv-lvl
, which is specific to ArubaOS-CX. Values are the following:
Privilege level | User group |
---|---|
1 |
|
15 |
|
19 |
|
The value of
service
indicates which user interface was used:
service=shell
Indicates that the log entry is a result of a CLI command.
service=https-server
Indicates that the log entry is a result of a REST API request or a Web UI action.
The string value of
data
identifies the CLI command or REST API request that was executed.
These elements are shown in context under Examples.
Examples
Showing the accounting log for the previous and current boot. Line breaks have been added for readability.
switch# show accounting log all --------------------------------------------------------------------------------- Local accounting logs from previous boot --------------------------------------------------------------------------------- ---- type=DAEMON_START msg=audit(Nov 05 2018 23:00:58.607:9057) : auditd start, ver=2.4.3 format=raw kernel=4.9.119-yocto-standard res=success ---- type=USER_START msg=audit(Nov 05 2018 23:06:42.398:42) : msg='rec=ACCT_EXEC op=start session=CONSOLE timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=no hostname=8xxx addr=0.0.0.0 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:06:42.399:43) : msg='rec=ACCT_CMD op=stop session=CONSOLE timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=no data="enable" hostname=8xxx addr=0.0.0.0 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:08:24.693:51) : msg='rec=ACCT_CMD op=stop session=CONSOLE timezone=UTC user=user1 priv-lvl=1 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=no data="configure terminal" hostname=8xxx addr=0.0.0.0 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:08:39.108:52) : msg='rec=ACCT_CMD op=stop session=CONSOLE timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=yes data="https-server rest access-mode read-write" hostname=8xxx addr=0.0.0.0 res=success' ---- type=USER_START msg=audit(Nov 05 2018 23:10:57.238:58) : msg='rec=ACCT_EXEC op=start session=REST timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=POST http-uri=/rest/v1/login" hostname=8xxx addr=127.0.0.1 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:15:11.958:75) : msg='rec=ACCT_CMD op=stop session=CONSOLE timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=yes data="tacacs-server host 2.2.2.2" hostname=8xxx addr=0.0.0.0 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:15:37.090:76) : msg='rec=ACCT_CMD op=stop session=REST timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=GET http-uri=/rest/v1/system/vrfs/mgmt/tacacs_servers" hostname=8xxx addr=127.0.0.1 res=success' ---- type=USER_END msg=audit(Nov 05 2018 23:26:59.207:90) : msg='rec=ACCT_EXEC op=stop session=REST timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=POST http-uri=/rest/v1/logout" hostname=8xxx addr=127.0.0.1 res=success' ---- type=USER_END msg=audit(Nov 05 2018 23:27:49.164:93) : msg='rec=ACCT_EXEC op=stop session=CONSOLE timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=no hostname=8xxx addr=0.0.0.0 res=success' --------------------------------------------------------------------------------- Local accounting logs from current boot --------------------------------------------------------------------------------- ---- type=DAEMON_START msg=audit(Nov 05 2018 23:32:05.642:626) : auditd start, ver=2.4.3 format=raw kernel=4.9.119-yocto-standard res=success ---- type=USER_START msg=audit(Nov 05 2018 23:35:52.915:11) : msg='rec=ACCT_EXEC op=start session=CONSOLE timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=no hostname=8xxx addr=0.0.0.0 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:35:52.917:12) : msg='rec=ACCT_CMD op=stop session=CONSOLE timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell isconfig=no data="enable" hostname=8xxx addr=0.0.0.0 res=success'