10-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 10 Managing the Security Manager Server
Working with Audit Reports
Purging Audit Log Entries
Security Manager automatically prunes the audit logs based on the age of the log entries. You do not
need to actively manage the size of the log. However, you can change the defaults to increase or decrease
the maximum size of the log and thus manage the overall size of the database.
To change the default settings for audit logs, select Tools > Security Manager Administration and
select Logs from the table of contents (see Logs Page, page 11-44). The size of the log is controlled by
the maximum number of days an entry can be, and the overall maximum number of entries that can be
in the log. These settings work together, and entries are pruned on a periodic basis to keep the log to the
maximum number of entries with none that are older than the maximum number of days. If you reduce
the maximum size of the log, click Purge Now to delete the excess entries before the regular pruning
cycle.
Note The Purge Now button only removes audit report entries from the database. It does not remove the *.csv
files from the <install_dir>\CSCOpx\MDC\log\audit folder. These *.csv files can be deleted directly.
You can also control the size of the log by changing the severity level of events that are captured in the
log. For example, if you capture only Severe events, the log will probably remain small. However,
reducing the level of information might reduce the value of the log.
Audit Report (Right Pane)
The right side of the Audit Report window contains the audit report. Each row represents one audit
entry. Double-click a row to open the Audit Message Details dialog box, where you can view a more
readable layout of the information and to see the specific messages associated with the entry. You can
scroll through the entries in the report from within the Audit Message Details dialog box.
Message Level The message warning level: Information, Warning, Success, Failure
and Internal System Error.
Date The date and time the action occurred.
Source The origin of the audit entry: Objects, License, Admin, Firewall, Policy
Manager, Devices, Topology, VPN, Config Archive, Deployment,
System, and Activity.
Action The action performed: Add, Assign, Create, Delete, Open, Purge,
Unassign, and Update.
Object The identifier of the object of the action. For example, if the category
is device, then the object identifier could be the device name or IP
address. If the category is deployment, then the object identifier could
be job name, job ID, and so on. There frequently is no specific object
name.
User Name The username of the person performing the action.
Activity The name of the activity in which the action occurred, if any.
# of rows per page The number of rows to display on each page.
< arrow Click this button to return to the previous page of the audit report.
> arrow C lick this button to advance to the next page of the audit report.
Table10-1 Audit Report Window (Continued)
Element Description