Logging
You can track operations, monitor security, and investigate potential errors using the audit logs created by the SVP.
Introduction
Audit logs are created on the Service Processor (SVP) computer in the storage system. You can access the audit logs that are output by the SVP, but the SVP is accessible only by support personnel.
Overview
The audit log is an important tool that you can use to keep track of operations, to monitor security, to investigate the cause of errors, and to avoid potential errors.
Audit logs store the following histories:
- Operations performed from a Device Manager - Storage Navigator computer or an SVP.
- Commands that the storage system received from a host, a computer using CCI, or a host using Business Continuity Manager.
- Operations and events about encryption keys for data encryption.
- Operations for Maintenance Utility.
The history may not be output in chronological order. This history includes the user, the time of the operation, the name of the operation, any parameters set, and the end result (normal completion or error message). Each audit log file ends with a serial number, from 0,000,000,000 to 4,294,967,295. When the number reaches 4,294,967,295, it resets and starts over at 0,000,000,000.
There are two types of audit log files:
- Audit log file, which consists of two files:
  - Auditlog information file 1 contains operations performed from the Device Manager - Storage Navigator computer or SVP, operations about encryption keys, and operations for Maintenance Utility.
  - Auditlog information file 2 contains commands sent from a host, a computer using CCI, or a host using Business Continuity Manager, and events about encryption keys.
  You can download them to your Device Manager - Storage Navigator computer or transfer them to a primary or secondary FTP server.
- Syslog file. This file contains the audit log. You can download it to your Device Manager - Storage Navigator computer or transfer it to a primary or secondary syslog server.
The syslog file has two types of formats: RFC3164-compliant and RFC5424-compliant. You can select either of the formats when downloading syslog files and transferring syslog files to syslog servers.
Features
The audit log feature stores a history of all operations performed on a computer using the Device Manager - Storage Navigator feature. This history includes the user, the time of the operation, the name of the operation, any parameter set, and the end result (normal completion or error message). The audit log file records until full and then starts over, rerecording from the beginning of the file.
Audit Log file description
The following table describes the audit log file components:
| Component | Audit Log File | Syslog File |
|---|---|---|
| File Type | Text format. Auditlog information file 1 and Auditlog information file 2, compressed in tgz format. | Text format. syslogYYYYMMDD.tgz stores syslog-svp.log (audit log file for SVP) and syslog-dkc.log (audit log file for DKC). |
| Downloaded File Name | AuditYYYYMMDD.tgz, where YYYY = year, MM = month, DD = day. The file name can be changed when downloading. | syslogYYYYMMDD.tgz, where YYYY = year, MM = month, DD = day. The file name can be changed when downloading. |
| File Name Transferred to the FTP Server | When the file is automatically transferred: Audit-SVPSSSSSYYYYMMDDHHMMSS.tgz or Audit-DKCSSSSSYYYYMMDDHHMMSS.tgz. When the file is manually transferred: AuditSSSSSYYYYMMDDHHMMSS.tgz. SSSSS = serial number, YYYYMMDD = date of the transfer, HHMMSS = hour (HH), minute (MM) and second (SS) of the transfer. The output folder must be specified in the FTP tab on the Edit Audit Log Settings window. | N/A |
| Linefeed Codes | CR + LF, the standard linefeed codes for Windows. Some text editors cannot display these codes correctly. | LF, the standard linefeed code for UNIX. Some text editors cannot display this code correctly. |
| File Output | Contains login and logout information as well as basic and detailed information about settings made for each option. | Contains the same information as released to the audit log file. However, the output format differs between the audit log file and the syslog file (some items are output to the syslog file only). |
| Maximum Line Size | 1,024 bytes | 1,024 bytes |
| Maximum Number of Lines | 250,000 lines | 250,000 lines |
| Maximum Size of Files | 122.5 MB | 488.2 MB |
| When Reaching the Maximum Number of Lines | The newest data overwrites the oldest data (wrap around). An icon indicating this status is shown on the Device Manager - Storage Navigator main window. | The newest data overwrites the oldest data (wrap around). A log recording this is also output in the syslog file. |
| Threshold of the Maximum Number of Lines and When Reaching Threshold | The threshold value is 70% (175,000 lines) of the maximum number of lines. | The threshold value is 70% (175,000 lines) of the maximum number of lines. When the audit log information reaches the threshold, a log recording this is output in the syslog file. If this log is output, download the file as necessary before old information is overwritten. After you download the file, the counter is reset and monitoring starts from 0% again. |
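As an added example that is not part of the documentation, the Python below applies the table's wrap-around and threshold numbers to a downloaded audit log file: it orders records by serial number across the 4,294,967,295 wrap, reports any missing serials (lines lost to overwriting before download), and classifies the line count against the 175,000-line threshold. It assumes the serial number is the last comma-delimited field of each record line, as the audit log file format section orders the items; the records are constructed.

```python
"""Continuity and capacity checks over downloaded audit log records.
Added example, not Hitachi tooling.  Assumes each record is one
comma-delimited line whose last field is the serial number; the
records below are constructed samples with placeholder values."""

SERIAL_MAX = 4_294_967_295           # the serial wraps to 0000000000 after this
MAX_LINES = 250_000                  # file capacity; older lines are then overwritten
THRESHOLD = MAX_LINES * 70 // 100    # 175,000 lines: the documented 70% threshold

# Constructed records (version,date,time,tz,interface,user,task,function,
# operation,parameters,result,host,application,serial); interface left empty.
SAMPLE_RECORDS = [
    "0901,20240105,10:00:00.000,+09:00,,admin,,AuditLog,Send Test Message,,Normal end,192.0.2.10,,4294967294",
    "0901,20240105,10:00:01.000,+09:00,,admin,,AuditLog,Set Syslog Server,,Normal end,192.0.2.10,,4294967295",
    "0901,20240105,10:00:02.000,+09:00,,admin,,AuditLog,Set Syslog Server,,Normal end,192.0.2.10,,0000000000",
    "0901,20240105,10:00:04.000,+09:00,,admin,,AuditLog,Set Syslog Server,,Normal end,192.0.2.10,,0000000002",
]


def serial_of(record):
    """Serial number of one record: its last comma-delimited field."""
    return int(record.rstrip("\r\n").rsplit(",", 1)[-1])


def order_serials(serials):
    """Sort serials by issue order, tolerating one pass through the wrap point.
    Records are not guaranteed to be in chronological order, so they are
    sorted; a batch that straddles the wrap holds values near both 0 and
    SERIAL_MAX, and the low ones are lifted past SERIAL_MAX so they sort last."""
    ordered = sorted(set(serials))
    if ordered and ordered[-1] - ordered[0] > SERIAL_MAX // 2:
        ordered = sorted(s + SERIAL_MAX + 1 if s < SERIAL_MAX // 2 else s
                         for s in ordered)
    return ordered


def find_gaps(serials):
    """Return (previous, next, missing_count) for every hole in the sequence,
    reported in the 0..SERIAL_MAX range that the files use."""
    ordered = order_serials(serials)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append((prev % (SERIAL_MAX + 1), cur % (SERIAL_MAX + 1),
                         cur - prev - 1))
    return gaps


def capacity_status(line_count):
    """Map a file's line count onto the three states the GUI icons report."""
    if line_count >= MAX_LINES:
        return "overwritten"       # wrap-around has started; oldest lines are lost
    if line_count >= THRESHOLD:
        return "threshold"         # 70% reached; download before data is overwritten
    return "ok"


def audit_records(records):
    """Gaps plus capacity state for one downloaded file."""
    serials = [serial_of(r) for r in records]
    return {"gaps": find_gaps(serials), "status": capacity_status(len(records))}


if __name__ == "__main__":
    print(audit_records(SAMPLE_RECORDS))
```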
Audit log file format
The following figures show sample audit log files:
Each item output in the audit log information file is delimited by commas (,).
| Item | File 1 (SVP) | File 2 (DKC) |
|---|---|---|
| Version | XXYY indicates the model name (XX) and the version number of the audit log output format (YY). When the output format is changed, the value of YY is updated. See Log output formats for different versions for the changed contents of XXYY. | Same as File 1. |
| Date | YYYYMMDD indicates the year, month, and day the audit log was created. The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the accumulated date and time since January 01, 1970. | YYYYMMDD indicates the year, month, and day the audit log was created. The date and time received from the storage system are output as log data. |
| Time | HH:MM:SS.xxx indicates the hour, minute, second, and millisecond the audit log was created. | Same as File 1. |
| Time zone | The time difference between Coordinated Universal Time (UTC) and the local time is displayed as "±HH:MM" (HH: hour, MM: minute). For example: "+09:00", "-08:00", "00:00". | Same as File 1. |
| Interface | | |
| Login user name | | |
| Task name | The task name specified when a task is registered. No task name is output when a user performs operations using the Device Manager - Storage Navigator secondary window. | No output. |
| Function name | The abbreviation indicating the function that performed the operation. | |
| Operation or event name | The operation or event name. | The following items are output only when the function name is User Auth; no output for other operations. The event name is output when the function name is [ENC]. |
| Parameters | Parameters for certain functions. | No output. |
| Result | The result of your operation. xxxxx-yyyyyy is an error code: xxxxx is a part code of four or five digits showing where the error occurred, and yyyyyy is a message ID of four, five, or six digits. For more information about error codes, see Hitachi Device Manager - Storage Navigator Messages. Note that error codes "xxxx-yyyyy" appear only for Device Manager - Storage Navigator operations. | The result of the received commands. |
| Host Identification | An IP address (IPv4 or IPv6) is output for Device Manager - Storage Navigator, RMI AP and SVP operations. The IP address may be that of the proxy server or the router, depending on the configuration of the connected network. No output for RM AP operations. No output when the login user name is <System>. If both IPv4 and IPv6 are available for communication between the Device Manager - Storage Navigator computer and the SVP, the Device Manager - Storage Navigator secondary window uses IPv4 communication. In this case, IPv4 addresses are output to audit logs. | |
| Application Identification | No output. | No output for FC-SP authentication, computers using CCI, hosts using Business Continuity Manager, or events about encryption keys. |
| Serial number | The serial number of the saved log information (0000000000 to 4294967295). When the number reaches 4,294,967,295, it is reset to 0000000000. | Same as File 1. |
The indexes that identify the set items, together with their setting values, are output as the detailed information. There are two formats for the detailed information.

Example (first format):
+Copy Type=TI
++{P-VOL(LDKC:CU:LDEV),S-VOL(LDKC:CU:LDEV),PoolID,MU,Snapshot Group,Result}=[{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,1,SnapshotSet1,Normal end},{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,,SnapshotSet2,Error(xxxx-yyyy)}], Num. of Pairs=2

| Symbol | Definition |
|---|---|
| + and - | '+' or '-' is displayed at the beginning of a line. '+' means the beginning of the index; the number of occurrences of '+' represents the number of indents. '-' means that the line continues from the previous line. |
| = | Connects an index and a setting value. |
| [ ] | When there is more than one setting value for an index, the setting values are enclosed by [ ] and separated by a comma (,). Example: CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02] |
| { } | Details are enclosed by { }. Example: {Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}] |
| ( ) | Supplementary and additional information for setting values are enclosed by ( ). Example: {VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)} |

- If an item is not specified when entering commands or performing operations, a hyphen (-) is output as its setting value, no setting value is output, or the index itself is not output.
- For audit logs generated by commands sent from hosts, computers using CCI, or hosts using Business Continuity Manager, if an invalid value is specified when entering commands, numerical characters might be output in the index for character strings and vice versa.
- For audit logs generated by events related to encryption keys, if an audit log to be output contains invalid values, numerical characters might be output in the index for character strings, or nothing is output for the detailed information.
- For audit logs output in Audit log information file 2 (DKC), values different from the specified ones might be output because optimal values might be automatically assigned in the DKC.
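The following is an added Python example, not code from the documentation, that parses the first detailed-information format described above: it joins '-' continuation lines, records the '+' indent depth, splits on commas only outside ( ), [ ] and { }, pairs the { } column names with each [ ] row, and lists every row whose Result is Error(xxxx-yyyy). The input is a constructed sample modelled on the Copy Type example, with placeholder LDEV addresses.

```python
"""Parse the first detailed-information format and extract failed results.
Added example, not from the documentation.  SAMPLE is constructed after the
page's Copy Type example; LDEV addresses are placeholders."""
import re

SAMPLE = """\
+Copy Type=TI
++{P-VOL(LDKC:CU:LDEV),S-VOL(LDKC:CU:LDEV),PoolID,MU,Snapshot Group,Result}=[{0x00:0x0A:0x0B,0x00:0x0C:0x0D,0,1,SnapshotSet1,Normal end},
-{0x00:0x0A:0x0B,0x00:0x0C:0x0D,0,,SnapshotSet2,Error(xxxx-yyyy)}]
++Num. of Pairs=2
"""


def split_top(text, sep=","):
    """Split on sep only where no ( ), [ ] or { } is open, so that
    'P-VOL(LDKC:CU:LDEV)' and a whole '{...}' row each stay in one piece."""
    parts, buf, depth = [], [], 0
    for ch in text:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def unwrap(text, open_ch, close_ch):
    """Remove one enclosing pair of brackets if present."""
    text = text.strip()
    if text.startswith(open_ch) and text.endswith(close_ch):
        return text[1:-1]
    return text


def join_continuations(lines):
    """A line starting with '-' continues the previous '+' line."""
    joined = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)
    return joined


def parse_value(index, value):
    """'{cols}=[{row},{row}]' -> list of dicts; '[a,b]' -> list; else scalar."""
    cols = split_top(unwrap(index, "{", "}")) if index.startswith("{") else None
    if value.startswith("["):
        items = split_top(unwrap(value, "[", "]"))
        if cols:
            return [dict(zip(cols, split_top(unwrap(i, "{", "}")))) for i in items]
        return items
    if cols:
        return dict(zip(cols, split_top(unwrap(value, "{", "}"))))
    return value


def parse_detail(text):
    """One entry per '+' line: indent depth, index name and parsed value."""
    entries = []
    for line in join_continuations(text.splitlines()):
        m = re.match(r"^(\++)(.*)$", line)
        if not m:
            continue                      # not a detailed-information line
        index, _, value = m.group(2).partition("=")
        index, value = index.strip(), value.strip()
        entries.append({"depth": len(m.group(1)), "index": index,
                        "value": parse_value(index, value)})
    return entries


def failed_results(entries):
    """(row, error code) for every row whose Result is Error(xxxx-yyyy)."""
    failures = []
    for entry in entries:
        rows = entry["value"] if isinstance(entry["value"], list) else [entry["value"]]
        for row in rows:
            if isinstance(row, dict):
                m = re.match(r"Error\((.*)\)$", row.get("Result", ""))
                if m:
                    failures.append((row, m.group(1)))
    return failures
```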
Example (second format):
+{Alus[0]{Id="60-06-0E-81-30-76-D9-30-76-D9-00-00-00-00-00-49",Result=Normal end,LdevId=0x00:0x00:0x49}}

| Symbol | Definition |
|---|---|
| + and - | '+' or '-' is displayed at the beginning of a line. |
| { } | The tiering relation is indicated by the following format: Parent setting item{Child setting item 1, Child setting item 2{Grandchild setting item 2-1, Grandchild setting item 2-2, ...}, ...} |
| = | Connects an index and a setting value. |
| [x] | For the log output by a command or operation in which multiple resources or items of the same type can be set at one time, each resource or item of the same type is indicated as Setting item[x] (where x is a number: 0, 1, 2, ...). |
Log output formats for different versions
| Version number | Changes |
|---|---|
| 0901 | The log output format for DKCMAIN program version 90-00-0x-xx/xx (xx is a two-digit number) or later. |
Syslog file format
Syslog file format (RFC3164-compliant)
The following figure shows a sample syslog file.
| No. | Item | Description |
|---|---|---|
| 1 | Priority | The priority of a syslog message is determined according to the following formula and enclosed by angle brackets (< >): Priority = 8 × Facility + Severity. Facility is 18 (fixed). Severity depends on the type of log information. For example, if Severity is 3 (Error), <147> is output as the priority value. |
| 2 | Date, time* | The date and time in the format "MMM DD HH:MM:SS" |
| 3 | Detected location | "GUM" (fixed) |
| 4 | Program name | "Storage" (fixed) |
| 5 | Message identification | The serial number (0000000000 to 4294967295) |
| 6 | Event type | One of the event category names (the event category corresponds to Severity). |
| 7 | Hardware identification | The storage system name and serial number |
| 8 | Related information | The location identification information set in the Syslog tab of the maintenance utility |
| 9 | Detailed information | The SIM reference code and failure information that are displayed in the alert window |

* The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the accumulated date and time since January 01, 1970.
Syslog file format (RFC5424-compliant)
The following figure shows a sample syslog file.
| No. | Item | Description |
|---|---|---|
| 1 | Priority | The priority of a syslog message is determined according to the following formula and enclosed by angle brackets (< >): Priority = 8 × Facility + Severity. Facility is 18 (fixed). Severity depends on the type of log information. For example, if Severity is 3 (Error), <147> is output as the priority value. |
| 2 | Version | "1" (fixed) |
| 3 | Date, time* | The date, time, and the time difference between UTC (Coordinated Universal Time) and the local time in the format "YYYY-MM-DDThh:mm:ss.s±hh:mm" |
| 4 | Detected location | "GUM" (fixed) |
| 5 | Program name | "Storage" (fixed) |
| 6 | Process name | "-" (fixed) |
| 7 | Message ID | "-" (fixed) |
| 8 | Structured data | "-" (fixed) |
| 9 | Message identification | The serial number (0000000000 to 4294967295) |
| 10 | Event type | One of the event category names (the event category corresponds to Severity). |
| 11 | Hardware identification | The storage system name and serial number |
| 12 | Related information | The location identification information set in the Syslog tab of the maintenance utility |
| 13 | Detailed information | The SIM reference code and failure information that are displayed in the alert window |

* The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the accumulated date and time since January 01, 1970.
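To show how a collector can validate lines in either format, here is an added Python example (not from the documentation) that decodes the priority with the documented formula, parses the fixed header fields of both the RFC3164 and RFC5424 layouts, and flags any line whose facility, detected location, program name or fixed "-" fields differ from the documented values. The sample lines are constructed; their message bodies are placeholders, since the event category names are not listed here.

```python
"""Decode and sanity-check syslog headers in the two formats described above.
Added example, not from the documentation.  Sample lines are constructed
from the fixed values in the tables (facility 18, "GUM", "Storage", "-")."""
import re

FACILITY = 18                        # fixed for this storage system's syslog output
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Constructed samples; everything after the header is a placeholder body.
SAMPLE_RFC5424 = ("<147>1 2024-01-05T10:00:02.0+09:00 GUM Storage - - - "
                  "0000000123 <placeholder event type> <placeholder hardware id>")
SAMPLE_RFC3164 = ("<150>Jan 05 10:00:02 GUM Storage "
                  "0000000124 <placeholder event type> <placeholder hardware id>")

RFC5424_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")
RFC3164_HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) ?(.*)$")


def priority_for(severity):
    """Priority = 8 × Facility + Severity, with the fixed facility 18."""
    return 8 * FACILITY + severity


def decode_priority(pri):
    """Invert the formula: facility is the quotient, severity the remainder."""
    return divmod(pri, 8)


def parse_header(line):
    """Split one line into its header fields and report documented-value
    mismatches in 'problems' (empty for a well-formed line from the array)."""
    m = RFC5424_HEADER.match(line)
    if m:
        pri = int(m.group(1))
        fields = {"format": "RFC5424", "timestamp": m.group(2),
                  "location": m.group(3), "program": m.group(4),
                  "procid": m.group(5), "msgid": m.group(6),
                  "structured_data": m.group(7), "message": m.group(8)}
        expected = {"procid": "-", "msgid": "-", "structured_data": "-"}
    else:
        m = RFC3164_HEADER.match(line)
        if not m:
            raise ValueError("not a syslog line: %r" % line)
        pri = int(m.group(1))
        fields = {"format": "RFC3164", "timestamp": m.group(2),
                  "location": m.group(3), "program": m.group(4),
                  "message": m.group(5)}
        expected = {}
    facility, severity = decode_priority(pri)
    fields.update(priority=pri, facility=facility, severity=severity,
                  severity_name=SEVERITY_NAMES[severity])
    # Anything departing from the documented fixed values is flagged so a
    # collector can set aside lines that did not come from the storage system.
    expected.update(facility=FACILITY, location="GUM", program="Storage")
    fields["problems"] = ["%s is %r, expected %r" % (k, fields[k], v)
                          for k, v in expected.items() if fields[k] != v]
    return fields
```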
Using audit logs
You can download audit log files and syslog files to the Device Manager - Storage Navigator computer, or transfer audit log files to FTP servers or syslog servers.
Downloading audit log files
Download the audit log files to the Device Manager - Storage Navigator computer to prevent old data from being overwritten. Downloading the audit log file takes from one to five minutes.
Before you begin
- You must have the Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role to download audit log files.
Procedure
1. Click Audit Log on the menu bar of the Device Manager - Storage Navigator main window. The Audit Log Properties window opens. Each icon displayed on the menu bar indicates the accumulated status of the audit log information:
   - An icon indicating that the number of saved lines is below the threshold.
   - An icon indicating that the number of saved lines is above the threshold, but the data is still being saved.
   - An icon indicating that the number of saved lines has exceeded the maximum, and data is partly lost because the newest lines overwrote the oldest lines.
2. Click Download to open the Save As dialog box. This operation downloads both the auditlog information file 1 and the auditlog information file 2.
3. Select a destination for the file and click Save.
4. Click Close to close the Audit Log Properties window.
Downloading syslog files
Syslog files stored in the storage system can be downloaded to the Device Manager - Storage Navigator computer as necessary. Downloading the syslog file takes from one to five minutes.
Before you begin
- You must have the Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role to download syslog files.
Procedure
1. Click the Syslog tab on the Edit Audit Log Settings window.
2. Select Transfer Protocol. The output file format differs depending on the selected protocol.
3. Click Download Syslog. The Specify the Destination dialog box appears.
4. Enter the destination and the file name, and click Save.
Automatically transferring audit log files to FTP servers
If you configure FTP server settings, the audit log will be automatically transferred to the FTP server when the number of lines in the file reaches the threshold.
Before you begin
- You must have the Audit Log Administrator (View & Modify) role to configure FTP server settings.
- Ensure that the SVP is connected to the FTP server on a LAN.
Procedure
1. Click the FTP tab on the Edit Audit Log Settings window.
2. Perform the following if using a primary FTP server.
   a. Select Enable for the Primary Server.
   b. Select IPv4 or IPv6 for the IP Address setting and enter the IP address.
   c. Enter the user name and the password you use to log in to the primary FTP server.
   d. Enter the output folder to which the audit log file is sent, as a relative path from the home directory.
3. Perform the following if using a secondary FTP server.
   a. Select Enable for the Secondary Server.
   b. Select IPv4 or IPv6 for the IP Address setting and enter the IP address.
   c. Enter the user name and the password you use to log in to the secondary FTP server.
   d. Enter the output folder to which the audit log file is sent, as a relative path from the home directory.
4. Click Finish.
5. Confirm the settings in the setting confirmation window, and then enter the task name in Task Name.
6. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.
7. Check on the Task window that the FTP server transfer setting task is complete. If the task has not completed, wait until it is complete.
8. Transfer the audit log file to the FTP server manually to confirm that the FTP server setting is correct. For details of manual transfer, see Manually transferring audit log files to FTP servers.

A SIM notifies a storage administrator that an FTP transfer has failed. This can occur when the audit log file is not transferred to an FTP server because either the FTP server or the LAN has failed. You can view the SIM in the Alerts window. The reference code for a failed FTP transfer is 7C0300. If a SIM is reported, do the following:
- Resolve the error on the FTP server or LAN, and then manually transfer the audit log file. Then complete the SIM, referring to Completing SIM generated when FTP transfer of audit log files failed. If the SIM is not completed, no SIM is generated on the next transfer failure.
- If the error condition cannot be resolved, download the audit log file to the Device Manager - Storage Navigator computer by clicking Audit Log on the upper right of the Device Manager - Storage Navigator main window.
Completing SIM generated when FTP transfer of audit log files failed
Before you begin
- You must have the Audit Log Administrator (View & Modify) and Storage Administrator (System Resource Management) roles to complete the SIM.
Procedure
1. Click the FTP tab on the Edit Audit Log Settings window.
2. Select the Complete SIMs check box.
3. Click Finish.
4. Confirm the settings in the setting confirmation window, and then enter the task name in Task Name.
5. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.
Manually transferring audit log files to FTP servers
You can transfer the audit log file manually from the SVP to the FTP server.
Before you begin
- You must have the Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role.
- Ensure that the SVP is connected to the FTP server on a LAN.
- The transfer settings for the FTP server must be complete. For how to configure them, see Automatically transferring audit log files to FTP servers.
Procedure
1. Click the FTP tab on the Edit Audit Log Settings window.
2. Click Transfer to Primary Server or Transfer to Secondary Server. A message appears indicating that the transfer has completed.
Transferring audit log to syslog servers
If you configure syslog server settings, the audit log is always transferred to the syslog server and stored as syslog files.
You can select either of the following protocols to transfer the audit log to the syslog server. The output file format differs depending on the selected protocol.
- TLS1.2/RFC5424
- UDP/RFC3164
Before you begin
- You must have the Audit Log Administrator (View & Modify) role to configure syslog server settings.
- Make sure that the storage system is connected to the syslog servers on a LAN.
- Make sure that the syslog servers are configured to receive the transferred audit logs.
- The syslog server certificate and the client certificate are required to use TLS1.2/RFC5424.
- If you use the new syslog protocol (TLS1.2/RFC5424), the host name or IP address of the syslog server must be specified in subjectAltName or CommonName of the syslog server certificate.
- If you specify the host name of the syslog server as the transfer destination, you must register the host name and domain name of the syslog server in the DNS server.
Procedure
1. Click the Syslog tab on the Edit Audit Log Settings window.
2. Select New Syslog Protocol (TLS1.2/RFC5424) or Old Syslog Protocol (UDP/RFC3164).
3. Select Enable for the Primary Server.
4. Specify the IPv4 address, IPv6 address, or host name of the syslog server to which you want to send syslog data. To specify the host name, select Identifier and then enter up to 255 characters of alphabets, numerals, and symbols (! $ % - . @ _ ` ~).
5. Enter the Port Number in the primary server setting.
6. Enter the client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) for Transfer Protocol).
7. Perform the following if using a secondary syslog server.
   a. Select Enable for the Secondary Server.
   b. Specify the IPv4 address, IPv6 address, or host name.
   c. Enter the Port Number in the secondary server setting.
   d. Enter the client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) for Transfer Protocol).
8. Enter the name of the storage system from which you are transferring the audit log file in Location Identification Name.
9. If New Syslog Protocol (TLS1.2/RFC5424) is selected for Transfer Protocol, specify Timeout, Retry Interval, and Number of Retries.
10. If you want to transfer the detailed information of the audit log to the syslog server, select Enable for Output Detailed Information.
11. Click Send Test Message to Syslog Server to test the settings.
12. Check that the test log (function name AuditLog, operation name Send Test Message) has been sent to the syslog server.
13. Click Finish.
14. Confirm the settings in the setting confirmation window, and then enter the task name in Task Name.
15. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.
16. When the task has completed, confirm that the syslog server has received the log of the syslog server setting. The function name of the log is "AuditLog" and the operation name is "Set Syslog Server".

If the audit log is not received by the syslog server, check that the configured IP address or host name and port number match those of the syslog server, and make sure that the client certificate, password, and Root Certificate File Name settings are correct. If the settings in Device Manager - Storage Navigator are correct, make sure that the settings on the syslog server are correct. If you specify the host name of the syslog server as the transfer destination, make sure that the host name and domain name of the syslog server are registered in the DNS server. See the user manual of the syslog server for details of the syslog server settings.