show accounting log
Syntax
show accounting log [last <QTY-TO-SHOW> | all]Description
This
show accounting log command replaces the
show audit-log command that is supported only in 10.00 releases.
Command context
Manager (#)
Parameters
last <QTY-TO-SHOW>Specifies how many most-recent accounting log records to show for the current boot. Range: 1 to 1000.
allSelects for showing, all accounting records from the current boot and the previous boot.
Authority
Administrators or Auditors.
Usage
The log message starts with the record type, which is specific to ArubaOS-CX. Values are the following:
USER_STARTRecord of a user login action.
USER_STOPRecord of a user logout action.
USYS_CONFIGRecord of a command executed by the user.
msg= element starting with the
rec= item as follows:
Exec is identified with:
msg='rec=ACCT_EXECCommand is identified with:
msg='rec=ACCT_CMDSystem is identified with:
msg='rec=ACCT_SYSTEM
The user group is indicated by
priv-lvl, which is specific to ArubaOS-CX. Values are the following:
| Privilege level | User group |
|---|---|
1 |
|
15 |
|
19 |
|
The value of
service indicates which user interface was used:
service=shellIndicates that the log entry is a result of a CLI command.
service=https-serverIndicates that the log entry is a result of a REST API request or a Web UI action.
The string value of
data identifies the CLI command or REST API request that was executed.
These elements are shown in context under Examples.
Examples
Showing the accounting log for the last nine records. Line breaks have been added for readability.
switch# show accounting log last 9 type=USER_START msg=audit(Nov 05 2018 23:06:42.398:42) : msg='rec=ACCT_EXEC op=start timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell hostname=8320 addr=192.0.2.5 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:06:42.399:43) : msg='rec=ACCT_CMD op=stop timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell data="enable" hostname=8320 addr=192.0.2.5 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:08:24.693:51) : msg='rec=ACCT_CMD op=stop timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell data="configure terminal" hostname=8320 addr=192.0.2.5 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:08:39.108:52) : msg='rec=ACCT_CMD op=stop timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell data="https-server rest access-mode read-write" hostname=8320 addr=192.0.2.5 res=success' ---- type=USER_START msg=audit(Nov 05 2018 23:10:57.238:58) : msg='rec=ACCT_EXEC op=start timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=POST http-uri=/rest/v1/login" hostname=8320 addr=192.0.2.5 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:15:11.958:75) : msg='rec=ACCT_CMD op=stop timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell data="tacacs-server host 2.2.2.2" hostname=8320 addr=192.0.2.5 res=success' ---- type=USYS_CONFIG msg=audit(Nov 05 2018 23:15:37.090:76) : msg='rec=ACCT_CMD op=stop timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=GET http-uri=/rest/v1/system/vrfs/mgmt/tacacs_servers" hostname=8320 addr=192.0.2.5 res=success' ---- type=USER_END msg=audit(Nov 05 2018 23:26:59.207:90) : msg='rec=ACCT_EXEC op=stop timezone=UTC user=admin priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=https-server data="http-method=POST http-uri=/rest/v1/logout" hostname=8320 addr=192.0.2.5 res=success' ---- type=USER_END msg=audit(Nov 05 2018 23:27:49.164:93) : msg='rec=ACCT_EXEC op=stop timezone=UTC user=user1 priv-lvl=15 auth-method=LOCAL auth-type=LOCAL service=shell hostname=8320 addr=192.0.2.5 res=success'