Fabric Interconnect Audit Logs

Overview

The Fabric Interconnect Audit Logs feature uses the Linux Audit Framework and Audit Daemon (auditd) for detailed tracking of system activities and events on Fabric Interconnects. Administrators can configure the logging severity and choose either comprehensive or selective monitoring of system events. By systematically recording these activities, the feature strengthens the security posture and facilitates compliance through detailed operational analysis.

Because UCS Manager runs as a Linux Container (LXC), you must enable the LXC Containers rule to record activities specific to the UCS Manager environment.

The Fabric Interconnect Audit Log option is supported on Cisco UCS 6400, 6500, and 6600 Series Fabric Interconnects. It is not supported on X-Series Direct (UCSX-S9108-100G).

Configuring the Fabric Interconnect Audit Logs

You can configure the Fabric Interconnect Audit Logs to enable or disable audit logging, set the desired severity level for log entries, and specify which activities to monitor.


Note


Before configuring Fabric Interconnect Audit Logs, ensure that Syslog is enabled in UCS Manager so logs can be collected and viewed. Also, ensure that the severity level for both Syslog and Fabric Interconnect Audit Logs is set to Information or Debugging to view the logs. If you plan to send logs to an external server, configure the remote Syslog server accordingly.


Procedure


Step 1

In the Navigation pane, click Admin.

Step 2

Expand All > Faults, Events, and Audit Log.

Step 3

In the work pane, click the Fabric Interconnect Audit Logs tab.

Step 4

In the Admin State field, select one of the following options:

  • Enabled: Activates the audit logging service on the Fabric Interconnects.

  • Disabled (default): Deactivates the audit logging service on the Fabric Interconnects. When this setting is selected, all individual monitor properties are automatically disabled.

Step 5

In the Severity drop-down list, select the minimum severity level for the events to be recorded in the audit log. The system records all events at the selected level and those with a higher severity. This helps prioritize and filter audit log entries based on their importance. The available options are:

  • Emergencies (most critical events)

  • Alerts

  • Critical (UCSM Critical)

  • Errors (UCSM Major)

  • Warnings (UCSM Minor)

  • Notifications (UCSM Warning). This is the default option.

  • Information

  • Debugging

Step 6

In the Monitor section, configure granular monitoring for specific system and user activities. For each rule, select Enabled to activate its monitoring or Disabled to exclude it. This lets you tailor which specific aspects are audited for enhanced security and compliance.

  • All the rules—Enables monitoring for all available audit rules on the Fabric Interconnect.

    Note

     

    When the All the rules setting is enabled:

    • All other individual audit rule monitor settings are automatically disabled and all rules are monitored to ensure a clean configuration.

    • Some Docker audit rules that are not visible or configurable in UCS Manager may still be applied internally. These rules do not cause errors and are included to ensure complete audit coverage.

  • Authlog Files—Monitors authentication-related events and changes recorded in authorization log files.

  • Cron Files—Tracks activities related to scheduled tasks and cron job executions.

  • DNS Client Files—Monitors operations and changes concerning DNS client configurations and queries.

  • Kernel Module Management—Audits actions involving the loading, unloading, or modification of kernel modules.

  • LXC Containers—Enables auditing for all operations performed within Linux containers. Because UCS Manager runs as an LXC container, enabling this rule is essential for monitoring the UCS Manager environment and capturing any critical events.

  • Process Audit—Monitors the creation, execution, and termination of processes.

  • System Log Files—Records general system messages and events written to system log files.

  • System Login And Reboot—Monitors user login attempts, successful logins, logouts, and system reboot events.

  • System Software—Tracks changes, updates, or installations related to system software components.

  • System Time Change—Audits any modifications made to the system's date and time settings.

  • User Group Config Files—Monitors changes to files that define user groups and their configurations.

  • User Privilege Management—Tracks activities and changes related to user roles, privileges, and access control settings.

Step 7

Click Save Changes to save the configuration.


Viewing and Managing Fabric Interconnect Audit Log Configuration

You can view and manage the configuration settings on the Fabric Interconnect Audit Logs page.

Procedure


Step 1

In the Navigation pane, click Admin.

Step 2

Expand All > Faults, Events, and Audit Log.

Step 3

In the work pane, click the Fabric Interconnect Audit Logs tab.

Step 4

The Work pane displays the configuration settings for Fabric Interconnect Audit Logs. You can view and modify these settings as needed.

Note

 
  • The actual audit log entries are not displayed on this page; only configuration options for Fabric Interconnect Audit Logs are available.

  • If audit log entries are not visible, ensure that Syslog is enabled in UCS Manager. Audit logs are routed through Syslog, and their visibility depends on the configured severity levels. Set the severity level for both Fabric Interconnect Audit Logs and Syslog to Information or Debugging to display detailed log entries. Ensure the severity levels match for proper log visibility.
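
A model of the severity rule from Step 5 and the note above, as an added example that is not part of the Cisco documentation: it decodes the syslog PRI value of forwarded lines, picks out Linux audit records, and reports which would be visible under a given pair of Fabric Interconnect Audit Logs and Syslog severity settings. The sample lines, the host name fi-a, and the audispd tag are constructed; the line format UCS Manager actually forwards is an assumption.

```python
import re

# Severity names from Step 5, in syslog order (index 0 is the most severe).
SEVERITIES = ["Emergencies", "Alerts", "Critical", "Errors",
              "Warnings", "Notifications", "Information", "Debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog PRI = facility * 8 + severity
# Linux audit records carry "type=<TYPE> msg=audit(<epoch>:<serial>)".
AUDIT_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\)")

# Constructed sample of forwarded lines; host name and fields are made up.
SAMPLE = [
    "<110>Jan 10 12:00:01 fi-a audispd: type=USER_LOGIN msg=audit(1736510401.120:311): res=success",
    "<108>Jan 10 12:00:02 fi-a audispd: type=SYSCALL msg=audit(1736510402.300:312): success=no",
    "<30>Jan 10 12:00:03 fi-a crond[88]: job started",
    "<110>Jan 10 12:00:05 fi-a audispd: type=EXECVE msg=audit(1736510405.500:313): argc=2",
]


def passes(event_sev, configured_min):
    """True if the setting records event_sev: that level or any more severe one."""
    return SEVERITIES.index(event_sev) <= SEVERITIES.index(configured_min)


def parse_line(line):
    """Return (severity, audit_type, serial), or None for non-audit lines."""
    pri, rec = PRI_RE.match(line), AUDIT_RE.search(line)
    if not pri or not rec or int(pri.group(1)) > 191:
        return None
    return SEVERITIES[int(pri.group(1)) % 8], rec.group(1), int(rec.group(2))


def summarize(lines, audit_min, syslog_min):
    """Split audit records into (shown, hidden) for the two severity settings."""
    shown, hidden = [], []
    for parsed in filter(None, map(parse_line, lines)):
        # A record is visible only if it clears both thresholds.
        ok = passes(parsed[0], audit_min) and passes(parsed[0], syslog_min)
        (shown if ok else hidden).append(parsed)
    return shown, hidden


if __name__ == "__main__":
    for audit_min in ("Notifications", "Information"):
        shown, hidden = summarize(SAMPLE, audit_min, "Information")
        print(f"audit={audit_min}: shown={shown} hidden={len(hidden)}")
```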


Disabling the Fabric Interconnect Audit Logs

You can unconfigure the Fabric Interconnect Audit Logs to disable the logging service and revert any customized settings to their default values.

Procedure


Step 1

In the Navigation pane, click Admin.

Step 2

Expand All > Faults, Events, and Audit Log.

Step 3

In the work pane, click the Fabric Interconnect Audit Logs tab.

Step 4

In the Admin State field, select Disabled. This action deactivates the service and automatically resets all Monitor properties to a disabled state.

Step 5

Click Save Changes to confirm the changes and unconfigure the audit logs.