Audit events are written to the Audit Log in the web interface, and as syslog messages in standard format or in CEF format. You must enable audit event logging in the Audit Log settings.
Audit events include events of the following types:
If audit event logging is disabled in the application settings, authentication events are still recorded as standard syslog messages of the authpriv(10) category.
When a node is removed from the cluster, the events stored on that node are deleted.
If the size of the record about modified settings in an audit event exceeds 32 KB, the event record is split into parts, each part smaller than 32 KB. Characters that could not fit in a part are moved to the next part without adding a hyphen character. This means that a single event is represented in the Audit Log as multiple records, each of which contains the same event information and part of the information about modified settings. Parts of the same event are numbered in the Event part field. The total number of parts the event is split into is indicated in the Total event parts field.
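One way a log consumer could stitch a split audit event back together from the Event part and Total event parts fields described above. This is an added example, not code from the product; the dictionary keys, the `event_key` value used to group parts, and part numbering starting at 1 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records. Key names are assumptions for this example;
# "event_key" stands for the event information that every part repeats.
SAMPLE = [
    {"event_key": "evt-A", "event_part": 2, "total_event_parts": 3,
     "modified_settings": 'led":true,"max'},
    {"event_key": "evt-A", "event_part": 1, "total_event_parts": 3,
     "modified_settings": '{"scan":{"enab'},
    {"event_key": "evt-B", "event_part": 1, "total_event_parts": 2,
     "modified_settings": '{"relay":{"ho'},
    {"event_key": "evt-A", "event_part": 3, "total_event_parts": 3,
     "modified_settings": '_size":1024}}'},
    {"event_key": "evt-C", "event_part": 1, "total_event_parts": 1,
     "modified_settings": "x"},
]


def reassemble(records):
    """Group parts by event and join them in part order.

    Returns (complete, incomplete): complete maps an event key to the full
    modified-settings text, incomplete maps an event key to the list of
    part numbers that never arrived.
    """
    parts_by_event = defaultdict(dict)
    totals = {}
    for rec in records:
        key = rec["event_key"]
        # Keying by part number tolerates out-of-order and duplicate delivery.
        parts_by_event[key][rec["event_part"]] = rec["modified_settings"]
        totals[key] = rec["total_event_parts"]

    complete, incomplete = {}, {}
    for key, parts in parts_by_event.items():
        expected = set(range(1, totals[key] + 1))  # assumes numbering from 1
        missing = sorted(expected - set(parts))
        if missing:
            incomplete[key] = missing
        else:
            # Parts are split without a hyphen, so join with no separator.
            complete[key] = "".join(parts[n] for n in sorted(expected))
    return complete, incomplete


if __name__ == "__main__":
    print(reassemble(SAMPLE))
```

An event that stays in `incomplete` means a part was lost in transit or truncated by the receiver, so the recorded settings change cannot be fully reviewed.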
To record events in syslog and CEF format, you need to configure Syslog so that it can receive 65 KB messages and support high-frequency logging of events.