System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases


Configure audit logging



Use this procedure to configure audit logging on the Cisco NCS 1010. It describes the actions, inputs, and verification points needed to enable audit rule groups and to monitor the audit logs they produce.

Follow this task to configure and monitor audit logs for specific system events by enabling the relevant audit rule groups.

This task supports Cisco NCS 1010 setup, deployment, upgrade, or maintenance workflows.

Before you begin

Follow these steps to configure audit logging.

Procedure

1.

Run the linux security audit monitor <group-keyword> command to enable a group of audit rules.

Example:

RP/0/RP0/CPU0:ios# configure
RP/0/RP0/CPU0:ios(config)# linux security audit monitor xr-software
RP/0/RP0/CPU0:ios(config)# linux security audit monitor user-group-config-files
RP/0/RP0/CPU0:ios(config)# commit
2.

Run the show linux security audit monitor status command to verify the status of all active audit rule groups and to list the rules that each enabled group installs.

Example:

RP/0/RP0/CPU0:ios# show linux security audit monitor status
Wed Aug 20 16:16:23.518 IST
key name: xr-software                  status: enabled             
rules:
-a always,exit -F arch=b64 -F dir=/pkg/bin -F perm=wa -k xr_bin_changes
-a always,exit -F arch=b64 -F dir=/pkg/sbin -F perm=wa -k xr_sbin_changes
-a always,exit -F arch=b64 -F dir=/pkg/lib -F perm=wa -k xr_lib_changes
--------------------------------------------------------------
key name: user-group-config-files      status: enabled             
rules:
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -k passwd_changes
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -k shadow_changes
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -k group_changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -k sudoers_changes
--------------------------------------------------------------
3.

(Optional) Run the linux security audit logging syslog command to enable forwarding of audit logs to syslog.

Example:

RP/0/RP0/CPU0:ios# configure
RP/0/RP0/CPU0:ios(config)# linux security audit logging syslog
RP/0/RP0/CPU0:ios(config)# commit
4.

(Optional) Run the logging <remote-server-ip> vrf <vrf-name> command to configure the remote syslog server that receives the forwarded audit logs.

Example:

RP/0/RP0/CPU0:ios# configure
RP/0/RP0/CPU0:ios(config)# logging 10.0.1.2 vrf default severity info port default facility local6
RP/0/RP0/CPU0:ios(config)# commit
5.

(Optional) Run the show linux security audit logging syslog command to verify whether audit log forwarding is enabled and to view the configured remote syslog servers.

Example:

RP/0/RP0/CPU0:ios# show linux security audit logging syslog
Wed Aug 20 16:16:44.553 IST
status: enabled             
syslog-server(s):
ipaddr: 10.0.1.2 vrf: vrf-default port: 514
ipaddr: 10.0.1.9 vrf: vrf-default port: 514
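The two show commands in steps 2 and 5 are the verification points of this procedure. The following script is an added example (not Cisco code and not part of this guide) that parses the output of both commands as shown above and reports anything that deviates from the expected state: a required rule group that is not enabled, a watched file or directory that is no longer covered by an always,exit rule with perm=wa, syslog forwarding that is disabled, or an expected syslog server that is missing. The sample output is copied from the examples in steps 2 and 5; the list of required groups, the required watch targets and the expected server address 10.0.1.2 are assumptions chosen to match those examples, and the regular expressions assume the output layout shown on this page.

```python
"""Compliance check over 'show linux security audit monitor status' and
'show linux security audit logging syslog' output (added example)."""
import re

# Constructed sample: the command output from step 2 of the procedure.
MONITOR_STATUS = """\
Wed Aug 20 16:16:23.518 IST
key name: xr-software                  status: enabled
rules:
-a always,exit -F arch=b64 -F dir=/pkg/bin -F perm=wa -k xr_bin_changes
-a always,exit -F arch=b64 -F dir=/pkg/sbin -F perm=wa -k xr_sbin_changes
-a always,exit -F arch=b64 -F dir=/pkg/lib -F perm=wa -k xr_lib_changes
--------------------------------------------------------------
key name: user-group-config-files      status: enabled
rules:
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -k passwd_changes
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -k shadow_changes
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -k group_changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -k sudoers_changes
--------------------------------------------------------------
"""

# Constructed sample: the command output from step 5 of the procedure.
SYSLOG_STATUS = """\
Wed Aug 20 16:16:44.553 IST
status: enabled
syslog-server(s):
ipaddr: 10.0.1.2 vrf: vrf-default port: 514
ipaddr: 10.0.1.9 vrf: vrf-default port: 514
"""

# Assumed baseline: groups and (target, perm) pairs that must be watched.
REQUIRED_GROUPS = ("xr-software", "user-group-config-files")
REQUIRED_TARGETS = {("/etc/passwd", "wa"), ("/etc/shadow", "wa"),
                    ("/etc/sudoers", "wa"), ("/pkg/bin", "wa")}

RULE_FIELD = re.compile(r"-F (\w+)=(\S+)")


def parse_rule(line):
    """Split one auditctl-style rule into its action, -F fields and -k key."""
    action = re.match(r"-a (\S+)", line)
    key = re.search(r"-k (\S+)", line)
    return {"action": action.group(1) if action else None,
            "fields": dict(RULE_FIELD.findall(line)),
            "key": key.group(1) if key else None}


def parse_monitor_status(text):
    """Map each 'key name' group to its status and its parsed rules."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"key name:\s*(\S+)\s+status:\s*(\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"status": m.group(2), "rules": []}
        elif line.startswith("-a ") and current:
            groups[current]["rules"].append(parse_rule(line))
    return groups


def parse_syslog_status(text):
    """Extract the forwarding status and the (ip, vrf, port) server list."""
    status = re.search(r"^status:\s*(\S+)", text, re.M)
    servers = [(ip, vrf, int(port)) for ip, vrf, port in re.findall(
        r"ipaddr:\s*(\S+)\s+vrf:\s*(\S+)\s+port:\s*(\d+)", text)]
    return {"status": status.group(1) if status else None, "servers": servers}


def watched_targets(groups):
    """(path-or-dir, perm) pairs covered by always,exit rules of enabled groups."""
    targets = set()
    for group in groups.values():
        if group["status"] != "enabled":
            continue
        for rule in group["rules"]:
            fields = rule["fields"]
            target = fields.get("path") or fields.get("dir")
            if rule["action"] == "always,exit" and target and "perm" in fields:
                targets.add((target, fields["perm"]))
    return targets


def audit_findings(monitor_text, syslog_text, expected_server="10.0.1.2"):
    """Return human-readable findings; an empty list means the baseline holds."""
    findings = []
    groups = parse_monitor_status(monitor_text)
    for name in REQUIRED_GROUPS:
        if groups.get(name, {}).get("status") != "enabled":
            findings.append(f"rule group {name} is not enabled")
    covered = watched_targets(groups)
    for target, perm in sorted(REQUIRED_TARGETS):
        if (target, perm) not in covered:
            findings.append(f"{target} is not watched for perm={perm}")
    forwarding = parse_syslog_status(syslog_text)
    if forwarding["status"] != "enabled":
        findings.append("audit log forwarding to syslog is disabled")
    if expected_server not in {ip for ip, _, _ in forwarding["servers"]}:
        findings.append(f"expected syslog server {expected_server} is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(MONITOR_STATUS, SYSLOG_STATUS) or ["baseline OK"]:
        print(finding)
```

Run it against output captured from the router instead of the embedded samples to confirm, after an upgrade or a configuration change, that the rule groups enabled in step 1 are still active and that forwarding to the server configured in step 4 is still in place. The check looks at the installed rules rather than only the group status, so a group that is enabled but has lost a watch on one of the baseline files is still reported.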