Enabling CLI Auditing

---

Use the instructions in this topic to enable and disable auditing via the Command Line Interface (CLI) in ExtremeCloud IQ Site Engine. The enable option also adjusts the auditing plugin to send auditing events to the syslog.

To enable the auditd process using the ExtremeCloud IQ Site Engine server CLI:

1. Access the CLI through the ExtremeCloud IQ Site Engine server.
2. Change the auditing rules file to meet the needs of your network:

   1. Navigate to the /etc/audit/audit.rules folder.

   2. Enter the rules to complete the auditing.

   EXAMPLE:

   If you wanted to log every command run via the CLI, you would enter: # Audit all commands from command line -a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32 -S execve

3. Run the /root/scripts/auditctl -e script.
4. Press Enter.
5. Open the /etc/audisp/plugins.d/syslog.conf file.
6. Verify that the active line is set to "active = yes" to ensure the auditing plugin is sending auditing events to the syslog.

To disable the auditing option:

1. Run the /root/scripts/auditctl -d script.
2. Press Enter.
3. Open the /etc/audisp/plugins.d/syslog.conf file.
4. Verify that the active line is set to "active = no" to ensure the auditing plugin is no longer sending auditing events to the syslog.