Fabric Interconnect Audit Logs

Overview

Fabric Interconnect Audit Logs leverages the Linux Audit Framework and Audit Daemon (auditd) for detailed tracking of system activities and events on Fabric Interconnects. This capability enables administrators to configure logging severity and implement either comprehensive or selective monitoring of system events. By systematically recording these activities, the feature strengthens the security posture and facilitates compliance through detailed operational analysis.

With UCS Manager functioning as a Linux Container (LXC), it is necessary to enable the LXC Containers rule in order to record activities specific to the UCS Manager environment.

The Fabric Interconnect Audit Log option is supported on Cisco UCS 6400, 6500, and 6600 Series Fabric Interconnects (not supported on X-Series Direct (UCSX-S9108-100G)).

Configuring Fabric Interconnect Audit Logs

You can configure the Fabric Interconnect Audit Logs to enable audit logging and set the desired severity level for log entries.

Note

Before configuring Fabric Interconnect Audit Logs, ensure that Syslog is enabled in UCS Manager so logs can be collected and viewed. Also, ensure that the severity level for both Syslog and Fabric Interconnect Audit Logs is set to Information or Debugging to view the logs. If you plan to send logs to an external server, configure the remote Syslog server accordingly.

Procedure

	Command or Action	Purpose
Step 1	UCS-FI-A# scope monitoring	Enters monitoring mode.
Step 2	UCS-FI-A /monitoring # scope fabric-interconnect-audit-logs	Enters the Fabric Interconnect Audit Logs scope.
Step 3	UCS-FI-A /monitoring/fabric-interconnect-audit-logs # enable / disable	`enable`—Activates the Fabric Interconnect Audit Logs feature, enabling the audit logging service on the Fabric Interconnects. This allows monitoring and recording of user and system activities for security and compliance purposes. `disble`—Deactivates the Fabric Interconnect Audit Logs feature, stopping the audit logging service on the Fabric Interconnects. When disabled, all individual monitor properties are automatically turned off, and any customized settings revert to their defaults. Deactivates the audit logging service on the Fabric Interconnects. When this setting is selected, all individual monitor properties are automatically disabled.
Step 4	UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # set level debugging	This command sets the audit log level to `debugging`.
Step 5	UCS-FI-A /monitoring/fabric-interconnect-audit-logs # scope monitor	This command enters the sub-scope for configuring individual monitoring rules.
Step 6	UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor # show details	This command displays the current status of all individual monitoring rules.
Step 7	UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor # enable `all-the-rules`	This command enables `all-the-rules` for all available log types simultaneously. Alternatively, you may enable individual log types, such as user-group-config-files or user-privilege-management, as needed based on your specific requirements.
Step 8	UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # commit bufffer	This command applies the pending configuration changes.

Example

Example 1: Enabling All The Rules for Fabric Interconnect Audit Logs

This example shows how to enable the main audit logging feature, set its severity, and then enable the overarching all-the-rules option within the monitor scope. The following example shows how to configure the Fabric Interconnect Audit Logs:

UCS-FI-A# scope monitoring
UCS-FI-A /monitoring # scope fabric-interconnect-audit-logs
UCS-FI-A /monitoring/fabric-interconnect-audit-logs # enable
UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # set level debugging
UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # scope monitor
UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # show detail

Monitor:
    All The Rules: Disabled
    LXC Containers: Disabled
    User Group Config Files: Disabled
    DNS Client Files: Enabled
    Authlog Files: Enabled
    System Time Change: Disabled
    System Login And Reboot: Disabled
    Cron Files: Disabled
    Kernel Module Management: Disabled
    System Software: Disabled
    Process Audit: Disabled
    User Privilege Management: Disabled
    System Log Files: Disabled

UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # enable all-the-rules
UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # commit-buffer

UCS-FI-A /monitoring/fabric-interconnect-audit-logs # show

Fabric Interconnect Audit Logs:
    Admin State    Severity
    ---------------------------------------
    Enabled        Debugging

UCS-FI-A /monitoring/fabric-interconnect-audit-logs # show detail expand

Fabric Interconnect Audit Logs:
    Admin State: Enabled
    Severity: Debugging

    Monitor:
        All The Rules: Enabled
        LXC Containers: Disabled
        User Group Config Files: Disabled
        DNS Client Files: Disabled
        Authlog Files: Disabled
        System Time Change: Disabled
        System Login And Reboot: Disabled
        Cron Files: Disabled
        Kernel Module Management: Disabled
        System Software: Disabled
        Process Audit: Disabled
        User Privilege Management: Disabled
        System Log Files: Disabled

Example 2: Selective Enablement of Specific Fabric Interconnect Audit Rules

This example demonstrates how to enable the audit log for the fabric interconnect, set its severity, and then selectively enable only user-group-config-files and user-privilege-management within the monitor scope.

UCS-FI-A# scope monitoring
UCS-FI-A /monitoring # scope fabric-interconnect-audit-logs
UCS-FI-A /monitoring/fabric-interconnect-audit-logs # enable
UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # set level debugging
UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # scope monitor
UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # show detail

Monitor:
    All The Rules: Disabled
    LXC Containers: Disabled
    User Group Config Files: Disabled
    DNS Client Files: Enabled
    Authlog Files: Enabled
    System Time Change: Disabled
    System Login And Reboot: Disabled
    Cron Files: Disabled
    Kernel Module Management: Disabled
    System Software: Disabled
    Process Audit: Disabled
    User Privilege Management: Disabled
    System Log Files: Disabled

UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # enable user-group-config-files
UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # enable user-privilege-management
UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor* # commit-buffer

UCS-FI-A /monitoring/fabric-interconnect-audit-logs # show

Fabric Interconnect Audit Logs:
    Admin State    Severity
    ---------------------------------------
    Enabled        Debugging

Fireball-CRR-A /monitoring/fabric-interconnect-audit-logs # show detail expand

Fabric Interconnect Audit Logs:
    Admin State: Enabled
    Severity: Debugging

    Monitor:
        All The Rules: Disabled
        LXC Containers: Disabled
        User Group Config Files: Enabled
        DNS Client Files: Enabled
        Authlog Files: Enabled
        System Time Change: Disabled
        System Login And Reboot: Disabled
        Cron Files: Disabled
        Kernel Module Management: Disabled
        System Software: Disabled
        Process Audit: Disabled
        User Privilege Management: Enabled
        System Log Files: Disabled

Note

When all-the-rules monitoring rule is enabled:

All other individual monitor settings are automatically disabled and all rules are monitored to ensure a clean configuration.
Some Docker audit rules that are not visible or configurable in UCS Manager may still be applied internally. These rules do not cause errors and are included to ensure complete audit coverage.

Viewing Fabric Interconnect Audit Logs

You can view the configuration and status of Fabric Interconnect Audit Logs using the UCS Manager CLI. This section describes how to access and view audit log settings for fabric interconnects.

Procedure

Command or Action

Purpose

Step 1

UCS-FI-A# scope monitoring

Enters monitoring mode.

Step 2

UCS-FI-A /monitoring # scope fabric-interconnect-audit-logs

Enters the Fabric Interconnect Audit Logs scope.

Step 3

UCS-FI-A /monitoring/fabric-interconnect-audit-logs # show or show detail

This command displays the Fabric Interconnect audit logs staate and other relevant configuration details.

Note

If you have configured Fabric Interconnect Audit Logs but do not see any entries in the logs, verify that Syslog is enabled in UCS Manager, as audit logs are routed through Syslog. Also, ensure that the severity levels for both Fabric Interconnect Audit Logs and Syslog match and are set to Information or Debugging to display detailed logs.

Example

Example 1: Viewing Overall Configuration

The following example shows how to view the configuration of Fabric Interconnect Audit Logs:

UCSM-HH-22-106-A # scope monitoring
UCSM-HH-22-106-A /monitoring # scope fabric-interconnect-audit-logs
UCSM-HH-22-106-A /monitoring/fabric-interconnect-audit-logs # show

Fabric Interconnect Audit Logs:
Admin State    Severity 
-------------------------------------------
Enabled        Debugging
UCSM-DEV-HH-22-106-A /monitoring/fabric-interconnect-audit-logs #

Example 2: Viewing Individual Monitoring Rule States

The following example illustrates how to use the show detail expand command to view the current state of individual Fabric Interconnect Audit Log monitoring rules:

UCS-FI-A# scope monitoring
UCS-FI-A /monitoring # scope fabric-interconnect-audit-logs
UCS-FI-A /monitoring/fabric-interconnect-audit-logs # scope monitor
UCS-FI-A /monitoring/fabric-interconnect-audit-logs/monitor # show detail

    Monitor:
        All The Rules: Disabled
        LXC Containers: Enabled
        User Group Config Files: Disabled
        DNS Client Files: Disabled
        Authlog Files: Disabled
        System Time Change: Enabled
        System Login And Reboot: Disabled
        Cron Files: Enabled
        Kernel Module Management: Disabled
        System Software: Disabled
        Process Audit: Enabled
        User Privilege Management: Enabled
        System Log Files: Enabled

This example provides a detailed list of all configurable audit log categories with User Group Config Files, DNS Client Files, Authlog Files enabled and indicates whether each is currently Enabled or Disabled for logging.

Disabling Fabric Interconnect Audit Logs

Procedure

	Command or Action	Purpose
Step 1	UCS-FI-A# scope monitoring	Enters monitoring mode.
Step 2	UCS-FI-A /monitoring # scope fabric-interconnect-audit-logs	Enters the Fabric Interconnect Audit Logs scope.
Step 3	UCS-FI-A /monitoring/fabric-interconnect-audit-logs # disable	This command disables the Fabric Interconnect Audit Logs feature.
Step 4	UCS-FI-A /monitoring/fabric-interconnect-audit-logs* # commit bufffer	This command applies the configuration changes.

Example

The following example demonstrates the disabled the fabric interconnect audit logs:

UCSM-HH-22-106-A /monitoring/fabric-interconnect-audit-logs # disable
UCSM-HH-22-106-A /monitoring/fabric-interconnect-audit-logs* # commit-buffer
UCSM-HH-22-106-A /monitoring/fabric-interconnect-audit-logs # show

Fabric Interconnect Audit Logs:
    Admin State     Severity
    ---------------------------------------
    Disabled        Debugging

Cisco UCS Manager System Monitoring Guide Using the CLI, Release 6.0

Bias-Free Language

Book Title