Reporting Management User Activities

You can enable the device to log various operations (actions) done by management users in the device's management interfaces (e.g., Web and CLI). The actions are logged in the Activity Log and sent in syslog messages. You can also view these logged user activities in the CLI and Web interface (see Viewing Web User Activity Logs).

The logged actions are indicated in syslog messages with the string "Activity Log":

14:07:46.300 : 10.15.7.95 : Local 0   :NOTICE  : [S=3149] [BID=3aad56:32]  Activity Log: <Message>. User: <User>. Session: <Protocol> (<IP Address>) [Time:dd-mm@hh:mm:ss.sss]

Where:

<Message> describes the performed action.
<User> is the username of the user (e.g., "Admin") that performed the action.
<Protocol> is the protocol that was used to access the management interface (e.g., Web or Telnet).
<IP Address> is the IP address of the client PC from where the user accessed the device's management interface.
Time is the date and time that the action was performed.

The device can report the following types of user activities:

Modifications of individual parameters, for example:
16:19:24.983  10.15.7.96  local0.notice  [S=7] [BID=5b1035:7]  Activity Log: No Answer Timeout [sec] was changed from '600' to '550'. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]
Modifications of table fields, and addition and deletion of table rows, for example:
16:22:54.287  10.15.7.96  local0.notice  [S=16] [BID=5b1035:7] Activity Log: Classification - remove line 2. User: Admin. Session: HTTP (10.13.2.3) [Time:07-09@16:39:22.736]
16:22:54.287  10.15.7.96  local0.notice  [S=16] [BID=5b1035:7]  Activity Log: Local Users Table row 1 (MyUser) -  'User Level' was changed from 'Administrator' to 'Security Administrator'. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]
Modifications of parameters due to an incremental ini file upload. If you choose this option, you can also define the maximum number of lines of parameters to log from the ini file, using the 'Incremental INI Activity Logs Max Number' parameter.
Entered CLI commands (modifications of security-sensitive commands are logged without the entered value).
Configuration file upload (reported without per-parameter notifications).
Auxiliary file upload and software update.
File download (ini file, CLI Script file and Configuration Package file).
Device restart and save to flash memory.
Access to unauthorized Web pages according to the Web user's access level.
Modifications of "sensitive" parameters.
Log in and log out, for example:
16:15:56.946  10.15.7.96  local0.notice  [S=3] [BID=5b1035:7]  Activity Log: WEB: Successful login at 10.15.7.96:80. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]
16:16:14.714  10.15.7.96  local0.notice  [S=5] [BID=5b1035:7]  Activity Log: Unauthorized access attempt to Login Page. Reason: bad credentials. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]
Actions not related to parameter changes (for example, file uploads and downloads, file delete, lock-unlock maintenance actions, LDAP clear cache, register-unregister, and start-stop trunk). In the Web interface, these actions are typically done by clicking a button (e.g., the LOCK button).

For more information on each of the above listed options, see Syslog, CDR and Debug Parameters.
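As an added example (not vendor code and not part of the original page), the following Python parses the Activity Log message format shown above and picks out denied access attempts and 'User Level' changes for review. The function names and triage labels are hypothetical, and the classification relies on the message wording in this page's sample lines.

```python
import re

# Payload after the variable syslog prefix: message, user, protocol, client IP, device time.
ACTIVITY_RE = re.compile(
    r"Activity Log: (?P<message>.*?)\. User: (?P<user>.*?)\. "
    r"Session: (?P<protocol>\S+) \((?P<ip>[^)]+)\) \[Time:(?P<time>[^\]]+)\]"
)
# Parameter or table-field change: "<what> was changed from '<old>' to '<new>'".
CHANGE_RE = re.compile(r"(?P<what>.+) was changed from '(?P<old>.*)' to '(?P<new>.*)'$")

def parse_activity(line):
    """Return the Activity Log fields as a dict, or None for other syslog lines."""
    m = ACTIVITY_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    change = CHANGE_RE.search(event["message"])
    event["change"] = change.groupdict() if change else None
    event["kind"] = classify(event)
    return event

def classify(event):
    """Coarse triage label, keyed to the wording in the page's samples (assumption)."""
    msg, change = event["message"], event["change"]
    if msg.startswith("Unauthorized access attempt"):
        return "access_denied"
    if "Successful login" in msg:
        return "login"
    if change and "'User Level'" in change["what"]:
        return "user_level_change"
    return "config_change" if change else "other"

def review(lines):
    """Return events worth an analyst's look: denied access and user-level changes."""
    events = filter(None, map(parse_activity, lines))
    return [e for e in events if e["kind"] in ("access_denied", "user_level_change")]

# Four sample lines copied from this page, plus one constructed non-activity line.
SAMPLES = [
    "16:19:24.983  10.15.7.96  local0.notice  [S=7] [BID=5b1035:7]  Activity Log: No Answer Timeout [sec] was changed from '600' to '550'. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]",
    "16:22:54.287  10.15.7.96  local0.notice  [S=16] [BID=5b1035:7]  Activity Log: Local Users Table row 1 (MyUser) -  'User Level' was changed from 'Administrator' to 'Security Administrator'. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]",
    "16:15:56.946  10.15.7.96  local0.notice  [S=3] [BID=5b1035:7]  Activity Log: WEB: Successful login at 10.15.7.96:80. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]",
    "16:16:14.714  10.15.7.96  local0.notice  [S=5] [BID=5b1035:7]  Activity Log: Unauthorized access attempt to Login Page. Reason: bad credentials. User: Admin. Session: WEB (10.13.2.3) [Time:07-09@16:39:22.736]",
    "16:23:01.120  10.15.7.96  local0.notice  [S=17] [BID=5b1035:7]  (constructed) status line without the activity marker",
]

if __name__ == "__main__":
    for e in review(SAMPLES):
        print(e["kind"], e["user"], e["ip"], e["message"])
```

The pattern anchors on the "Activity Log:" string rather than on the syslog prefix, because the prefix layout differs between the sample lines on this page.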

The following procedure describes how to configure management user activity logging through the Web interface. You can also configure it through the ini file ([ActivityListToLog]) or the CLI (configure troubleshoot > activity-log).

To configure reporting of management user activities:
1. Open the Logging Settings page (Troubleshoot tab > Troubleshoot menu > Logging folder > Logging Settings).
2. Under the Activity Types to Report group, select the actions to report to the syslog server. To select (or deselect) all activity types, click the 'Select All' check box.
3. Click Apply.

Logging of CLI commands can only be configured through the CLI (configure troubleshoot > activity-log) or the ini file.
You can configure the device to send an SNMP trap each time a user performs an action. For more information, see Enabling SNMP Traps for Web Activity.
Passwords are hidden (by asterisks *) in the Activity Log.