The audit trail events can be reported from the relay to a Central Activity Logging (CAL) server in Syslog format. The relay is the CAL client and sends the events to a CAL server, which can be SDM600 or any other tool capable of handling the Syslog format.
There can be a maximum of two CAL servers connected to the protection relay at any time. To enable logging of the audit trail events to a Syslog server, the User Activity Logging feature needs to be enabled in the protection relay, and parameters need to be set for each UAL server to which the audit trail events are to be sent.
| Parameter | Options | Description |
|---|---|---|
| Enable UAL | Enable | Enables user activity logging at the CAL server |
|  | Disable (Default) | Disables user activity logging at the CAL server |
| Server IP | User-entered value | IP address of the CAL server |
| Communication type | UDP (Default) | Uses UDP for communication with the CAL server |
|  | TCP | Uses TCP for communication with the CAL server |
| Communication port | 514 (Default) | Port used for UDP |
|  | 1468 | Port used for TCP |
This can be done in
from LHMI, WHMI or Parameter Setting in PCM600. The CAL server also needs to be configured with the details of the relay.
- Port number: Same as the port number set in the relay
- IP address: IP address of the relay from which the CAL server receives the log events
The events logged into the Syslog server have the following information:
- Date and time when the event occurred
- Event ID: Each event has a unique security ID
- Serial number (SOE number): This is a sequential number which indicates the sequence of occurrence of the event
- User and role name: The user who performed the event and the role associated with that user
- Severity: Whether it is a security event or alert
- Extra Info: Contains additional useful information about the event
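
The default transport is UDP, which does not guarantee delivery, so the SOE number is the field a collector can use to notice events that never arrived or arrived twice. The following is an added example, not part of the relay documentation: it assumes the collector has already extracted the sender IP and SOE number from each received event and that SOE numbers increase by one per relay. The function name, addresses and numbers are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (sender IP, SOE number) pairs as a collector might
# extract them from received events. Addresses are documentation-range values.
KNOWN_RELAYS = {"192.0.2.10", "192.0.2.11"}  # relays configured on the CAL server
SAMPLE_EVENTS = [
    ("192.0.2.10", 101), ("192.0.2.10", 102), ("192.0.2.11", 7),
    ("192.0.2.10", 105),                     # 103 and 104 have not arrived yet
    ("192.0.2.11", 8), ("192.0.2.11", 8),    # duplicate delivery
    ("192.0.2.10", 104),                     # late arrival fills part of the gap
    ("198.51.100.5", 1),                     # sender not configured on the server
]


def audit_soe(events, known_relays):
    """Return per-relay missing and duplicated SOE numbers, plus unknown senders.

    Assumption (not stated by the page): SOE numbers increase by exactly one
    per event for each relay, so any hole in the range is a lost event.
    """
    seen = defaultdict(set)
    duplicates = defaultdict(list)
    unknown = set()
    for src, soe in events:
        if src not in known_relays:
            unknown.add(src)        # event from an address the server does not expect
            continue
        if soe in seen[src]:
            duplicates[src].append(soe)
        seen[src].add(soe)

    report = {}
    for src, numbers in seen.items():
        # Order of arrival does not matter: compare against the full range.
        expected = set(range(min(numbers), max(numbers) + 1))
        report[src] = {
            "missing": sorted(expected - numbers),
            "duplicates": duplicates[src],
        }
    return report, sorted(unknown)


if __name__ == "__main__":
    report, unknown = audit_soe(SAMPLE_EVENTS, KNOWN_RELAYS)
    for src, result in sorted(report.items()):
        print(src, result)
    print("unknown senders:", unknown)
```

A persistent gap for one relay is a reason to compare against the relay's local audit trail and to consider the TCP option from the table above.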