Implementing Audit Monitoring

TThis chapter explains the audit monitoring and logging capabilities available on NCS 1010 and how to configure audit monitoring.

Feature name

Release information

Description

Audit logging and monitoring

Cisco IOS XR 25.3.1

You can enable audit logging and monitoring on the NCS 1010. You can also configure predefined rule groups that allow NCS 1010 to monitor activities, log events, and, when necessary, forward audit logs to a remote syslog server for centralized analysis and incident response. This feature helps enhance security and compliance on your network.

CLI:

These new commands are introduced:

  • linux security audit monitor group-keyword

  • show linux security audit monitor status

  • linux security audit logging syslog

  • logging remote-server-ipvrfremote-server-ip

  • show linux security audit logging syslog

Audit logging

Audit logging is a security and compliance feature that

  • operates according to defined audit rules automatically creating audit logs whenever specified actions or changes occur on the router

  • integrates with the Linux Audit Daemon to monitor and log relevant security events across the router, and

  • allows forwarding of audit logs to a remote syslog server.

Linux audit daemon is a user-space component of the Linux auditing system that

  • tracks and logs system calls, file accesses, user actions, and other events as specified by audit rules, and

  • provides administrators with insights to detect suspicious behavior and maintain system integrity.

An audit rule is a configuration that

  • specifies which files, directories, or system events should be monitored

  • determines the conditions for monitoring, and

  • forms the foundation of an audit logging system.

An Audit log is a chronological record that

  • is automatically generated when a monitored event, as defined by an audit rule, occurs, and

  • typically includes details such as the event type, timestamp, user or process involved, and affected resources.

Audit rules and audit logs for security monitoring

Administrators define audit rules to track changes to sensitive files, monitor system calls, and observe other critical activities. By customizing audit rules, organizations can align monitoring with their unique security and compliance requirements.

Audit rules establish what to watch, while audit logs capture and document every relevant occurrence, ensuring a complete and actionable history of system activity.

For example, an audit rule that monitors changes to /etc/passwd file creates an audit log entry each time this file is modified.

Audit logging is not to be confused with system logging. While audit logging records security-relevant events, such as user actions and changes to sensitive files, system logging (syslog) captures general system events like service status updates, routine errors, or informational messages.

How audit logging works

Summary

These are the key components involved in this feature:

  • Network Administrator: The user who initiates configurations via CLI.

  • Linux audit daemon : The process that monitors system activity according to the installed rules and writes audit event logs.

  • Local rsyslog daemon: The process that forwards logs to a remote syslog server.

  • Remote syslog server: The external server that maintains the logs generated by the router.

The Linux audit daemon is the core service that actually performs event monitoring and logging, based on the audit rules configured by the administrator. It operates at the operating system level on each node, such as line cards and processors.

Workflow

These stages describe how audit monitoring and logging works.

  1. The network administrator enables audit monitoring via CLI.
  2. The router software receives the configurations, applies the relevant audit rules, and ensures these rules are distributed to all appropriate nodes.
  3. On each node, the Linux audit daemon actively monitors system events as defined by the audit rules and writes the logs to a local log file at /var/log/audit/audit.log.
  4. If the network administrator has enabled log forwarding, the audit logs are sent to the local rsyslog daemon, which then forwards the logs to a remote syslog server.

Guidelines for audit logging

Granularity of audit rules

  • You can enable or disable audit rules only at the group level, not individually within a group.

  • Regularly review the status of audit rules and audit log forwarding to ensure monitoring remains effective.

Resource usage on NCS 1010

Use caution when enabling all rule groups, especially those that monitor frequent events, as this may increase CPU, memory, or disk usage. Enable only the groups required for compliance or security needs.

Security of audit logs and syslog servers

  • Allow only users with appropriate administrative privileges to configure or view Linux security audit settings.

  • Protect access to audit logs and syslog servers to prevent unauthorized access or tampering.

Log forwarding to remote syslog servers

  • Confirm that the remote syslog server is reachable and properly configured before enabling log forwarding.

  • NCS 1010 forwards audit logs to remote syslog servers in unencrypted plain text. Use only trusted network segments for remote syslog servers.

Notes about audit log storage

  • NCS 1010 stores audit logs locally at /var/log/audit/audit.log , unless you enable log forwarding.

  • By default, the system rotates up to five audit log files, each up to 8 MB in size.

Configure audit logging

Follow this task to configure and monitor audit logs for specific system events by enabling the relevant audit rule groups.

Procedure

Step 1

Execute the linux security audit monitor <group-keyword> command, to enable a group of audit rules.

Example:

RP/0/RP0/CPU0:ios# configure
RP/0/RP0/CPU0:ios(config)# linux security audit monitor xr-software
RP/0/RP0/CPU0:ios(config)# linux security audit monitor user-group-config-files
RP/0/RP0/CPU0:ios(config)# commit

Step 2

Run the show linux security audit monitor status command, to verify the general status of all active audit rule groups.

Example:

RP/0/RP0/CPU0:ios# show linux security audit monitor status
Wed Aug 20 16:16:23.518 IST
key name: xr-software                  status: enabled             
rules:
-a always,exit -F arch=b64 -F dir=/pkg/bin -F perm=wa -k xr_bin_changes
-a always,exit -F arch=b64 -F dir=/pkg/sbin -F perm=wa -k xr_sbin_changes
-a always,exit -F arch=b64 -F dir=/pkg/lib -F perm=wa -k xr_lib_changes
--------------------------------------------------------------
key name: user-group-config-files      status: enabled             
rules:
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -k passwd_changes
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -k shadow_changes
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -k group_changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -k sudoers_changes
--------------------------------------------------------------

Step 3

(Optional) Execute the linux security audit logging syslog command, to enable forwarding of audit rules.

Example:

RP/0/RP0/CPU0:ios# configure
RP/0/RP0/CPU0:ios(config)# linux security audit logging syslog
RP/0/RP0/CPU0:ios(config)# commit

Step 4

(Optional) Execute the logging remote-server-ip vrf vrf-name command, to configure the remote syslog server.

Example:

RP/0/RP0/CPU0:ios# configure
RP/0/RP0/CPU0:ios(config)# logging 10.0.1.2 vrf default severity info port default facility local6
RP/0/RP0/CPU0:ios(config)# commit

Step 5

(Optional) Run the show linux security audit logging syslog command, to verify whether audit log forwarding is enabled and to view the configured remote syslog server.

Example:

RP/0/RP0/CPU0:ios# show linux security audit logging syslog
Wed Aug 20 16:16:44.553 IST
status: enabled             
syslog-server(s):
ipaddr: 10.0.1.2 vrf: vrf-default port: 514
ipaddr: 10.0.1.9 vrf: vrf-default port: 514