Implementing Audit Monitoring

This chapter explains the audit monitoring and logging capabilities available on Cisco 8000 Series routers and how to configure audit monitoring.

Audit monitoring

Audit monitoring is a security and compliance feature that

  • integrates with the Linux audit daemon to monitor system events as defined by audit rules

  • writes logs in local log files to record changes in the monitored resources, and

  • allows forwarding of audit logs to a remote syslog server.

Linux audit daemon is a user-space component of the Linux auditing system that

  • tracks and logs system calls, file accesses, user actions, and other events as specified by audit rules, and

  • provides administrators with insights to detect suspicious behavior and maintain system integrity.

An audit rule is a router configuration that

  • specifies which files, directories, or system events should be monitored, and

  • can be activated on the router by enabling their respective audit rule-groups.

An audit rule-group is a collection of predefined audit rules that

  • can be enabled or disabled together as a single unit, and

  • allows monitoring specific categories of system events, files, or directories, such as changes in user group configuration files, DNS client files, or XR software

Table 1. Feature History Table

Feature name

Release information

Feature description

Implementing audit monitoring

Release 25.3.1

Introduced in this release on: Fixed Systems (8200 [ASIC: Q100, Q200, P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]); Centralized Systems (8600 [ASIC:Q200]) ; Modular Systems (8800 [LC ASIC: Q100, Q200, P100])

You can enhance your router’s security and compliance by enabling audit monitoring. This feature lets you configure predefined rules that enable the router to monitor, log, and optionally forward audit logs to a remote syslog server for centralized analysis and incident response.

The feature introduces these changes:

CLI:

Audit logs for security monitoring

Network administrators enable audit rule-groups to track changes to sensitive files, monitor system calls, and observe other critical activities.

Audit rules establish what to watch, while audit logs capture and document every relevant occurrence, ensuring a complete and actionable history of system activity.

For example, an audit rule that monitors changes to /etc/passwd file creates an audit log entry each time this file is modified.

How audit monitoring works

Summary

These are the key components involved in this feature:

  • Network Administrator: The user who initiates configurations via CLI.

  • Linux audit daemon : The process that monitors system activity according to the installed rules and writes audit event logs.

  • Local rsyslog daemon: The process that forwards logs to a remote syslog server.

  • Remote syslog server: The external server that maintains the logs generated by the router.

The Linux audit daemon is the core service that actually performs audit monitoring and logging, based on the audit rules configured by the network administrator. It operates at the operating system level on each node, such as line cards and route processors.

Workflow

These stages describe how audit monitoring and logging works.

  1. The network administrator enables audit monitoring via CLI.
  2. The router software receives the configurations, applies the relevant audit rules, and ensures these rules are distributed to all appropriate nodes.
  3. On each node, the Linux audit daemon actively monitors system events as defined by the audit rules and writes the logs to a local log file at /var/log/audit/audit.log .
  4. If the network administrator has enabled log forwarding, the audit logs are sent to the local rsyslog daemon, which then forwards the logs to a remote syslog server.

Guidelines for audit monitoring

Granularity of audit rules

  • You can enable or disable audit rules only at the group level, not individually within a group.

  • Regularly review the status of audit rules and audit log forwarding to ensure monitoring remains effective.

Security of audit logs and syslog servers

  • Allow only users with appropriate administrative privileges to configure or view Linux security audit settings.

  • Protect access to audit logs and syslog servers to prevent unauthorized access or tampering.

Log forwarding to remote syslog servers

  • Confirm that the remote syslog server is reachable and properly configured before enabling log forwarding.

  • The router does not support Transport Layer Security (TLS) for forwarding audit logs. It forwards audit logs to remote syslog servers using User Datagram Protocol (UDP). Use only trusted network segments for remote syslog servers.

Notes about audit log storage

  • The router stores audit logs locally at /var/log/audit/audit.log , unless you enable log forwarding.

  • By default, the system rotates up to five audit log files, each up to 8 MB in size.

Configure audit monitoring

Follow this procedure to configure audit monitoring for specific system events by enabling the relevant audit rule groups.

Procedure

Step 1

Execute the linux security audit monitor <group-keyword> command, to enable a group of audit rules.

Example:

Router# conf t
Router(config)# linux security audit monitor xr-software
Router(config)# linux security audit monitor user-group-config-files
Router(config)# commit

Step 2

Run the show linux security audit monitor status command, to verify the general status of all active audit rule groups.

Example:

Router# show linux security audit monitor status
key name: xr-software                status: enabled
rules:
-a always,exit -F arch=b64 -F dir=/pkg/bin -F perm=wa -k xr_bin_changes
-a always,exit -F arch=b64 -F dir=/pkg/sbin -F perm=wa -k xr_sbin_changes
-a always,exit -F arch=b64 -F dir=/pkg/lib -F perm=wa -k xr_lib_changes
--------------------------------------------------------------
key name: user-group-config-files    status: enabled
rules:
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -k passwd_changes
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -k shadow_changes
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -k group_changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -k sudoers_changes
--------------------------------------------------------------

Step 3

(Optional) Execute the linux security audit logging syslog command, to enable forwarding of audit logs.

Example:

Router# conf t
Router(config)# linux security audit logging syslog
Router(config)# commit

Step 4

(Optional) Execute the logging remote-server-ip vrf vrf-name command, to configure the remote syslog server.

Example:

Router# conf t
Router(config)# logging 10.0.1.2 vrf default port 514
Router(config)# commit

Step 5

(Optional) Run the show linux security audit logging syslog command, to verify whether audit log forwarding is enabled and to view the configured remote syslog server.

Example:

Router# show linux security audit logging syslog
status: enabled
syslog-server(s):
ipaddr: 10.0.1.2 vrf: default port: 514
ipaddr: 2001:db8::1 vrf: default port: 514