Logging

You can track operations, monitor security, and investigate potential errors using the audit logs created by the SVP.

Introduction

Audit logs are created on the Service Processor (SVP) computer in the storage system. You can access the audit logs that are output by the SVP, but the SVP is accessible only by support personnel.

Overview

The audit log is an important tool that you can use to keep track of operations, to monitor security, to investigate the cause of errors, and to avoid potential errors.

Audit logs store the following histories:

  • Operations performed from a Device Manager - Storage Navigator computer or an SVP.
  • Commands that the storage system received from a host, a computer using CCI, or a host using Business Continuity Manager.
  • Operations and events about encryption keys for data encryption.
  • Operations for Maintenance Utility.

The history may not be output in chronological order. This history includes the user, the time of the operation, the name of the operation, any parameters set, and the end result (normal completion or error message). Each audit log file ends with a serial number, from 0,000,000,000 to 4,294,967,295. When the number reaches 4,294,967,295, it resets and starts over at 0,000,000,000.

There are two types of audit log files:

  • Audit log file, which consists of two files:
    • Auditlog information file 1 contains operations performed from the Device Manager - Storage Navigator computer or SVP, operations about encryption keys, and operations for Maintenance Utility.
    • Auditlog information file 2 contains commands sent from a host, a computer using CCI, or a host using Business Continuity Manager, and events about encryption keys.

    You can download them to your Device Manager - Storage Navigator computer or transfer them to a primary or secondary FTP server.

  • Syslog file. This file contains the audit log. You can download it to your Device Manager - Storage Navigator computer or transfer it to a primary or secondary syslog server.

    The syslog file has two types of formats: RFC3164-compliant and RFC5424-compliant. You can select either of the formats when downloading syslog files and transferring syslog files to syslog servers.

Features

The audit log feature stores a history of all operations performed on a computer using the Device Manager - Storage Navigator feature. This history includes the user, the time of the operation, the name of the operation, any parameter set, and the end result (normal completion or error message). The audit log file records until full and then starts over, rerecording from the beginning of the file.

Audit Log file description

The following table describes the audit log file components:

  • File Type
    • Audit log file: Text format (Auditlog information file 1 and Auditlog information file 2). Files are compressed in tgz format.
    • Syslog file: Text format. syslogYYYYMMDD.tgz stores syslog-svp.log (audit log file for SVP) and syslog-dkc.log (audit log file for DKC).

  • Downloaded File Name
    • Audit log file: AuditYYYYMMDD.tgz, where YYYY = year, MM = month, DD = day. The file name can be changed when downloading.
    • Syslog file: syslogYYYYMMDD.tgz, where YYYY = year, MM = month, DD = day. The file name can be changed when downloading.

  • File Name Transferred to the FTP Server
    • Audit log file:
      • When the file is automatically transferred: Audit-SVPSSSSSYYYYMMDDHHMMSS.tgz or Audit-DKCSSSSSYYYYMMDDHHMMSS.tgz
      • When the file is manually transferred: AuditSSSSSYYYYMMDDHHMMSS.tgz
      • SSSSS = serial number, YYYYMMDD = date of the transfer, HHMMSS = hour (HH), minute (MM) and second (SS) of the transfer.
      • The output folder must be specified in the FTP tab on the Edit Audit log Settings window.
    • Syslog file: N/A

  • Linefeed Codes
    • Audit log file: CR + LF. The standard linefeed codes for Windows. Some text editors cannot display these codes correctly.
    • Syslog file: LF. The standard linefeed code for UNIX. Some text editors cannot display this code correctly.

  • File Output
    • Audit log file: Contains login and logout information as well as basic and detailed information about settings made for each option.
      • Basic information consists of information common to each audit log.
      • Detailed information consists of information about the operations of each executed option. This includes an index representing each item and its values.
    • Syslog file: Contains the same information as released to the audit log file. However, the output format differs between the audit log file and the syslog file (some items are output to the syslog file only).

  • Maximum Line Size
    • Audit log file: 1,024 bytes
    • Syslog file: 1,024 bytes

  • Maximum Number of Lines
    • Audit log file: 250,000 lines
    • Syslog file: 250,000 lines

  • Maximum Size of Files
    • Audit log file: 122.5 MB
    • Syslog file: 488.2 MB

  • When Reaching the Maximum Number of Lines
    • Audit log file: The newest data overwrites the oldest data (wrap around). [icon: GUID-58501DA6-6805-45F0-A384-E29E64D1E751-low.png] is shown on the Device Manager - Storage Navigator main window.
    • Syslog file: The newest data overwrites the oldest data (wrap around). Also, the following log is output in the syslog file: [AuditLog], Over MaxLine

  • Threshold of the Maximum Number of Lines and When Reaching Threshold
    • Audit log file: The threshold value is 70% (175,000 lines) of the maximum number of lines.
      • If the audit log information reaches the threshold, a warning message urging you to download the audit log file appears when you log in to Device Manager - Storage Navigator. Also, [icon: GUID-C3BC5545-E30B-454C-A4E3-0104D1F975E1-low.png] is shown on the Device Manager - Storage Navigator main window.
      • If you set files to be transferred to an FTP server, the audit log file is automatically transferred to the FTP server when the information stored in the audit log file reaches the threshold.
      • After you download or transfer the audit log file, the counter is reset and monitoring starts from 0% again.
    • Syslog file: The threshold value is 70% (175,000 lines) of the maximum number of lines. When the audit log information reaches the threshold, the following log is output in the syslog file: [AuditLog], Over Threshold. If this log is output, download the file as necessary before old information is overwritten. After you download the file, the counter is reset and monitoring starts from 0% again.

Audit log file format

The following figures show sample audit log files:

  • Audit Log File 1 (SVP): [figure: GUID-61F049FC-AA19-4B87-83A5-4D46CBA2BA07-low.png]
  • Audit Log File 2 (DKC): [figure: GUID-2085285D-6F7C-411F-A949-5069A36C8E95-low.png]

Basic Information

Each item output in the audit log information file is delimited by commas (,).

The items are listed below with the output for File 1 (SVP) and File 2 (DKC):

  • Version
    • File 1 (SVP): XXYY indicates the model name (XX) and the version number in audit log output format (YY). When the output format is changed, the value of YY is updated. See Log output formats for different versions for the changed contents of XXYY.
    • File 2 (DKC): Same as File 1.

  • Date
    • File 1 (SVP): YYYYMMDD indicates the year, month, and day the audit log was created. The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the time accumulated since January 01, 1970.
    • File 2 (DKC): YYYYMMDD indicates the year, month, and day the audit log was created. The date and time received from the storage system are output as log data.

  • Time
    • File 1 (SVP): HH:MM:SS.xxx indicates the hour, minute, second, and millisecond the audit log was created.
    • File 2 (DKC): Same as File 1.

  • Time zone
    • File 1 (SVP): The time difference between Coordinated Universal Time (UTC) and the local time is displayed as "±HH:MM" (HH: hour, MM: minute). For example: "+09:00", "-08:00", "00:00"
    • File 2 (DKC): Same as File 1.

  • Interface
    • File 1 (SVP):
      • RMI AP indicates the log for Device Manager - Storage Navigator and Remote Method Invocation Applications such as Hitachi Command Suite (HCS).
      • SVP indicates the log for the SVP.
      • RM AP indicates the log for Remote Maintenance Application.
      • GUM indicates the log for Maintenance Utility.
    • File 2 (DKC):
      • In-band OPEN: Logs for commands received from open-system hosts, or FC-SP authentication logs
      • In-band MF: Logs for commands received from mainframe-system hosts
      • Out-of-band: Logs for commands received from computers using CCI
      • No output for the event logs about encryption keys.

  • Login user name
    • File 1 (SVP):
      • A user name is output for Device Manager - Storage Navigator, RMI AP or SVP operations.
      • <System> is output when the SVP detects the failure.
      • No output for RM AP operations.
    • File 2 (DKC):
      • A user name is output for commands received by a command device for authentication.
      • <Host> is output for other commands.
      • <system> is output for the event about encryption keys.

  • Task name
    • File 1 (SVP): Task name specified when a task is registered. No task name is output when a user performs operations using the Device Manager - Storage Navigator secondary window.
    • File 2 (DKC): No output.

  • Function name
    • File 1 (SVP): The abbreviation indicating the function that performed the operation.
      • Maintenance window name is output for SVP operations.
    • File 2 (DKC):
      • User Auth indicates a user authentication command.
      • FC-SP indicates a device authentication command.
      • Config Command indicates a configuration changing command.
      • [ENC] is output for the event about encryption keys.

  • Operation or event name
    • File 1 (SVP): The operation or event name.
    • File 2 (DKC): The following items are output only when Function name is User Auth. No output for other operations.
      • Login indicates that a log-in command is received.
      • Logout indicates that a log-out command is received.
      The event name is output when the function name is [ENC].

  • Parameters
    • File 1 (SVP): Parameters for certain functions.
    • File 2 (DKC): No output.

  • Result
    • File 1 (SVP): The result of your operation.
      • Normal end. The operation has ended normally.
      • Error (xxxx-yyyyy). The operation has ended abnormally.
      • Warning (xxxx-yyyyy). The operation has partly ended abnormally or was canceled during the operation.
      xxxxx-yyyyyy is an error code. xxxxx is a part code of four or five digits showing where the error occurs. yyyyyy is a message ID of four, five, or six digits. For more information about error codes, see Hitachi Device Manager - Storage Navigator Messages. Note that error codes "xxxx-yyyyy" appear only for Device Manager - Storage Navigator operations.
    • File 2 (DKC): The result of the received commands.
      • Normal end. The authentication has ended normally, or the event about encryption keys occurs.
      • Error. The authentication has ended abnormally.
      • Accept. Received the commands from the host.
      • Reject. Rejected the commands from the host.

  • Host Identification
    • File 1 (SVP): An IP address (IPv4 or IPv6) is output for Device Manager - Storage Navigator, RMI AP and SVP operations. The IP address may be that of the proxy server or the router depending on the configuration of the connected network. No output for RM AP operations. No output when the login user name is <System>. If both IPv4 and IPv6 are available for communication between the Device Manager - Storage Navigator computer and the SVP, the Device Manager - Storage Navigator secondary window uses IPv4 communication. In this case, IPv4 addresses are output to audit logs.
    • File 2 (DKC):
      • A WWN is output for unauthenticated open-system hosts. When a command is received from a different storage system, a WWN for the storage system sending the command is output.
      • A host name is output for authenticated open-system hosts.
      • A serial number is output for mainframe system hosts. When a command is received from a different storage system, a serial number for the storage system sending the command is output.
      • A host name is output for computers using CCI.
      • A WWN is output for the FC-SP authentication.
      • No output for the event about encryption keys.
      • If an operation is performed through the REST API, an IP address used in the storage system might be displayed.

  • Application Identification
    • File 1 (SVP): No output.
    • File 2 (DKC):
      • An internal-use ID is output for open-system hosts.
      • An LPR number is output for mainframe system hosts.
      • 0x0000 is output if a command comes from another storage system.
      • No output for other commands.
      No output for the FC-SP authentication, computers using CCI, hosts using Business Continuity Manager or the event about encryption keys.

  • Serial number
    • File 1 (SVP): The serial number of the saved log information (0000000000 to 4294967295). When the number reaches 4,294,967,295, it is reset to 0000000000.
    • File 2 (DKC): Same as File 1.
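Because the serial number wraps at 4,294,967,295 and records may not be output in chronological order, a continuity check has to tolerate both before it reports lost records. The following is an added example, not Hitachi code: it assumes the serial number is the last comma-delimited item of a basic information line (following the item order above), and the sample lines are constructed.

```python
"""Detect lost or repeated audit log records from the record serial number."""
from collections import Counter

SERIAL_MAX = 4_294_967_295      # last value before the counter resets to 0
MODULUS = SERIAL_MAX + 1
HALF = MODULUS // 2


def serial_of(line: str) -> int:
    """Return the serial number of one basic information line.

    Assumption: the serial number is the last comma-delimited item.
    Detailed information lines ('+' / '-' prefixed) are not handled here.
    """
    last = line.rstrip("\r\n").rsplit(",", 1)[-1].strip()
    if not last.isdigit():
        raise ValueError(f"no serial number at end of line: {line!r}")
    value = int(last)
    if value > SERIAL_MAX:
        raise ValueError(f"serial number out of range: {value}")
    return value


def unwrap(serials):
    """Map serials onto an unbounded counter, in the order they were read.

    Each step is taken as the shortest move around the 32-bit ring, so a
    jump from 4294967294 to 0 counts as +2 and a late record as -1.
    """
    positions = []
    for serial in serials:
        if not positions:
            positions.append(serial)
            continue
        delta = (serial - positions[-1]) % MODULUS
        if delta >= HALF:
            delta -= MODULUS
        positions.append(positions[-1] + delta)
    return positions


def audit_serials(serials):
    """Return missing ranges (first, last, count) and duplicated serials."""
    positions = unwrap(list(serials))
    seen = sorted(set(positions))
    missing = [
        ((a + 1) % MODULUS, (b - 1) % MODULUS, b - a - 1)
        for a, b in zip(seen, seen[1:])
        if b - a > 1
    ]
    counts = Counter(positions)
    duplicates = sorted(p % MODULUS for p, n in counts.items() if n > 1)
    return {"missing": missing, "duplicates": duplicates}


# Constructed sample lines (not real log output). Serial 4294967295 and
# serials 3-4 are absent, and serials 2 and 1 arrive out of order.
_PREFIX = ("0901,20240105,10:15:02.120,+09:00,Out-of-band,user01,,"
           "User Auth,Login,,Normal end,host-a,,")
SAMPLE_LINES = [_PREFIX + str(n)
                for n in (4294967293, 4294967294, 0, 2, 1, 5)]

if __name__ == "__main__":
    report = audit_serials(serial_of(line) for line in SAMPLE_LINES)
    for first, last, count in report["missing"]:
        print(f"missing {count} record(s): {first}..{last}")
    print("duplicates:", report["duplicates"])
```

A gap between the last serial of one downloaded file and the first serial of the next indicates records that were overwritten before they were collected.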

Detailed Information

The indexes that indicate the set items and the setting values are output to the detailed information. There are two types of the detailed information format.

Detailed information format 1

Example:

+Copy Type=TI
++{P-VOL(LDKC:CU:LDEV),S-VOL(LDKC:CU:LDEV),PoolID,MU,
Snapshot Group,Result}
=[{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,1,SnapshotSet1,Normal end},
{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,,SnapshotSet2,Error(xxxx-yyyy)}],
Num. of Pairs=2

The symbols used in this format are defined as follows:

  • + and -: '+' or '-' is displayed at the beginning of a line.
    • '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
    • '-' means that the line continues from the previous line.
  • =: Connects an index and a setting value.
  • [ ]: When there is more than one setting value for an index, the setting values are enclosed by [ ], and separated by a comma (,).

    Example: CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]

  • { }: Details are enclosed by {}.

    Example: {Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}]

  • ( ): Supplementary and additional information for setting values are enclosed by ( ).

    Example: {VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}

Note
  • If there is an item that is not specified when entering commands or performing operations, a hyphen (-) is output for its setting value, no setting value is output, or the index itself is not output.
  • For audit logs generated by commands sent from hosts, computers using CCI, or hosts using Business Continuity Manager, if an invalid value is specified when entering commands, numerical characters might be output in the index for character strings and vice versa.
  • For audit logs generated by events related to encryption keys, if an audit log to be output contains invalid values, numerical characters might be output in the index for character strings or nothing is output for detailed information.
  • For audit logs output in Audit log information file 2 (DKC), values different from the specified ones might be output because optimal values might be automatically assigned in DKC.

Detailed information format 2

Example:

+{Alus[0]{
  Id="60-06-0E-81-30-76-D9-30-76-D9-00-00-00-00-00-49",
  Result=Normal end,LdevId=0x00:0x00:0x49}}
Note: Line feeds are added to make the example easy to see, while no line feed is added to the actual logs.

The symbols used in this format are defined as follows:

  • + and -: '+' or '-' is displayed at the beginning of a line.
    • '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
    • '-' means that the line continues from the previous one.
  • { }: The tiering relation is indicated by the following format.

    Parent setting item{Child setting item 1, Child setting item 2{Grandchild setting item 2-1, Grand child setting item 2-2,...},...}

  • =: Connects an index and a setting value.
  • [x]: For the log output by the command or operation in which multiple resources or items of the same type can be set at one time, the resource or item of the same type is indicated as follows.

    Setting item[x] (where x is a number: 0, 1, 2,...)

Note: If there is an item that is not specified when entering commands or performing operations, "null" is output for its setting value, or the index itself is not output.

Log output formats for different versions

  • Version number 0901: The log output format for DKCMAIN program version 90-00-0x-xx/xx (xx is a two-digit number.) or later.

Syslog file format

Syslog file format (RFC3164-compliant)

The following figure shows a sample syslog file.

[figure: GUID-83E9E479-807C-420F-A3BB-9816CEDF5447-low.png]

Each syslog entry contains either item 29 or item 30.

The items are listed below by number. Where no item name is given, the table gives only a description.

  1. Priority: The priority value, output enclosed in angle brackets (< >), is determined by the following formula:

     Priority = 8 × Facility + Severity

     Facility is 1 (fixed).

     Severity depends on the type of log information:

    • 4: Error or Warning. Error means that the operation has ended abnormally. Warning means that the operation has partly ended abnormally or was canceled during the operation.
    • 6: Informational. The operation has ended normally.

     For example, if Severity is 4 (Error), <12> is output as the priority value.

  2. Date, time*: The date and time in the format of "MMM DD HH:MM:SS" (MMM: month such as Jan or Dec, DD: day, HH: hour, MM: minute, and SS: second).

     If DD is a single digit (for example, 1), it is displayed as " 1" (with a blank space before "1") and not as "01".

  3. Detected location: The host name (SVP)
  4. Program name: The detection entity identifier (Storage)
  5. Unified specification identification: The Unified specification identifier (CELFSS)
  6. The revision number of the Unified specification document (1.1)
  7. Message identification: The serial number of the syslog header information
  8. No output
  9. Date, time#2*: The date, time and the time difference between UTC and the local time in the format of "YYYY-MM-DDThh:mm:ss.s±hh:mm"

    • YYYY: year, MM: month, DD: day
    • hh: hour, mm: minute, ss.s: second in one decimal place
    • ±hh:mm: hours and minutes of the time difference. "Z" is displayed instead of "±hh:mm" when there is no time difference between UTC and the local time, such as "2005-12-26T23:06:58.0Z".

  10. Detection entity: The detection entity identifier (Storage)
  11. Detected location: The host name (SVP)
  12. Type of audit event: The category name of the event

    • Authentication: Authentication, for example, for RMI
    • ConfigurationAccess: Setting from Device Manager - Storage Navigator, SVP, host, CCI, or Business Continuity Manager
    • Maintenance: SVP operations
    • AnomalyEvent: The Audit Log reached the maximum, and so on.
    • ExternalService: Remote maintenance operations through SVP

  13. Result of audit event:

    • Success: Normal end. The operation has ended normally.
    • Failed: Error (xxxx-yyyy). The operation has ended abnormally.
    • Failed: Warning (xxxx-yyyy). The operation has partly ended abnormally or was canceled during the operation.

     "xxxx-yyyyy" indicates error codes and it is output only for Device Manager - Storage Navigator operations.

  14. Subject identification: The user name in the format of "uid=user name"

    • <system> is output when the category name is AnomalyEvent.
    • <DKCMaintenance> is output for SVP operations.
    • <Host> is output for commands from host.

  15. Hardware identification: The ID (R900) to identify the model name of the product and the serial number (five-digit number: 00001 to 99999) separated by a colon (for example, "R900:312334")
  16. Generated location: No output
  17. Related information: The location identification name set by the user in the Syslog tab on the Edit Audit Log Settings window
  18. No output
  19. No output
  20. Agent information: No output
  21. Detailed information: Identification of the host sending the request. This information is output when a command is received from the host unless it is FC-SP authentication.
  22. No output
  23. No output
  24. No output
  25. Collective operation identifier. This serial number identifies multiple lines displayed by one operation as belonging to the same operation.

     This information is output only if the log type information is "BasicLog" and the category name is other than "AnomalyEvent".

  26. Log type information:

    • BasicLog: basic information
    • DetailLog: detailed information

     No output when the category name is "AnomalyEvent".

  27. Identification of the application. This information is output when commands are sent from the host.
  28. No output
  29. The same information contained in the basic information of the audit log file

    • External interface name
    • Task name
    • Function name
    • Operation name or event name
    • Parameter
    • Result of operation or command receipt
    • Serial number of log information

     Task name is output only when a task is registered using Device Manager - Storage Navigator. No parameter is output if the operation has no parameters. No serial number is output when the category name is "AnomalyEvent".

  30. The same information contained in the detailed information of the audit log file

*The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the time accumulated since January 01, 1970.

Syslog file format (RFC5424-compliant)

[figure: GUID-79E6CB5E-823E-4E85-8ED4-0E054AEB3865-low.png]

Each syslog entry contains either item 21 or item 22.

The items are listed below by number. Where no item name is given, the table gives only a description.

  1. Priority: The priority value, output enclosed in angle brackets (< >), is determined by the following formula:

     Priority = 8 × Facility + Severity

     Facility is 1 (fixed).

     Severity depends on the type of log information:

    • 4: Error or Warning. Error means that the operation has ended abnormally. Warning means that the operation has partly ended abnormally or was canceled during the operation.
    • 6: Informational. The operation has ended normally.

     For example, if Severity is 4 (Error), <12> is output as the priority value.

  2. Version: The version (1)
  3. Date, time*: The date, time and the time difference between UTC and the local time in the format of "YYYY-MM-DDThh:mm:ss.s±hh:mm"

    • YYYY: year, MM: month, DD: day
    • hh: hour, mm: minute, ss.s: second in one decimal place
    • ±hh:mm: hours and minutes of the time difference. "Z" is displayed instead of "±hh:mm" when there is no time difference between UTC and the local time, such as "2005-12-26T23:06:58.0Z".

  4. Detected location: The host name (SVP)
  5. Program name: The detection entity identifier (Storage)
  6. Process name: The process name (-)
  7. Message ID: The message ID (-)
  8. Structured data: The structured data (-)
  9. Unified specification identification: The unified specification identifier (CELFSS)
  10. The revision number of the unified specification document (1.1)
  11. Message identification: The serial number of the syslog header information
  12. Type of audit event: The category name of the event

    • Authentication: Authentication, for example, for RMI
    • ConfigurationAccess: Setting from Device Manager - Storage Navigator, SVP, host, CCI, or Business Continuity Manager
    • Maintenance: SVP operations
    • AnomalyEvent: The Audit Log reached the maximum, and so on.
    • ExternalService: Remote maintenance operations through SVP

  13. Result of audit event:

    • Success: Normal end. The operation has ended normally.
    • Failed: Error (xxxx-yyyy). The operation has ended abnormally.
    • Failed: Warning (xxxx-yyyy). The operation has partly ended abnormally or was canceled during the operation.

     "xxxx-yyyyy" indicates error codes and it is output only for Device Manager - Storage Navigator operations.

  14. Account identification: The user name in the format of "uid=user name"

    • <system> is output when the category name is AnomalyEvent.
    • <DKCMaintenance> is output for SVP operations.
    • <Host> is output for commands from host.

  15. Hardware identification: The ID (R900) to identify the model name of the product and the serial number (five-digit number: 00001 to 99999) separated by a colon (for example, "R900:312334")
  16. Related information: The location identification name set by the user in the Syslog tab of the Edit Audit Log Settings window
  17. Detailed information: Identification of the host sending the request. This information is output when a command is received from the host unless it is FC-SP authentication.
  18. Collective operation identifier. This serial number identifies multiple lines displayed by one operation as belonging to the same operation.

     This information is output only if the log type information is "BasicLog" and the category name is other than "AnomalyEvent".

  19. Log type information:

    • BasicLog: basic information
    • DetailLog: detailed information

     No output when the category name is "AnomalyEvent".

  20. Identification of the application. This information is output when commands are sent from the host.
  21. Detailed information: The same information contained in the basic information of the audit log file

    • External interface name
    • Task name
    • Function name
    • Operation name or event name
    • Parameter
    • Result of operation or command receipt
    • Serial number of log information

     Task name is output only when a task is registered using Device Manager - Storage Navigator. No parameter is output if the operation has no parameters. No serial number is output when the category name is "AnomalyEvent".

  22. The same information contained in the detailed information of the audit log file

     No serial number is output when the category name is "AnomalyEvent".

*The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the time accumulated since January 01, 1970.
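A collector that receives the RFC5424-compliant entries can decode the priority, normalize the timestamp to UTC, and flag the conditions this page calls out: the capacity messages and a clock that has fallen back to the 1970 epoch. This is an added example, not Hitachi code. The sample lines are constructed, and the comma-separated layout of the message body after item 8 is an assumption, so the body is only searched, not split.

```python
"""Triage RFC5424-compliant audit syslog entries (items 1-8 plus message body)."""
import re
from datetime import datetime, timezone

# Items 1-8: priority, version, date/time, host, program, process name,
# message ID, structured data. Everything after that is the message body.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<program>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
EXPECTED_FACILITY = 1                       # "Facility is 1 (fixed)"
SEVERITY_MEANING = {4: "error or warning", 6: "informational"}
CATEGORIES = ("Authentication", "ConfigurationAccess", "Maintenance",
              "AnomalyEvent", "ExternalService")
CAPACITY_MARKERS = {
    "[AuditLog], Over Threshold": "over-threshold",   # 70% of the line limit
    "[AuditLog], Over MaxLine": "over-maxline",       # oldest lines overwritten
}


def triage(line: str) -> dict:
    """Decode one entry and return its severity, UTC time, category and flags."""
    match = HEADER.match(line.rstrip("\r\n"))
    if match is None:
        raise ValueError(f"not an RFC5424-style entry: {line!r}")

    # Priority = 8 x Facility + Severity
    facility, severity = divmod(int(match["pri"]), 8)

    # "YYYY-MM-DDThh:mm:ss.s" followed by "+hh:mm", "-hh:mm" or "Z"
    stamp = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    stamp_utc = stamp.astimezone(timezone.utc)

    # Take the category name that occurs first in the body as a whole word.
    msg = match["msg"]
    hits = []
    for name in CATEGORIES:
        found = re.search(rf"\b{name}\b", msg)
        if found:
            hits.append((found.start(), name))
    category = min(hits)[1] if hits else None

    flags = []
    if facility != EXPECTED_FACILITY:
        flags.append("unexpected-facility")
    if severity not in SEVERITY_MEANING:
        flags.append("unexpected-severity")
    if stamp_utc.year == 1970:
        # SVP or LAN failure: time is counted from January 01, 1970
        flags.append("clock-near-epoch")
    for marker, flag in CAPACITY_MARKERS.items():
        if marker in msg:
            flags.append(flag)

    return {
        "severity": severity,
        "meaning": SEVERITY_MEANING.get(severity),
        "time_utc": stamp_utc.isoformat(),
        "category": category,
        "flags": flags,
    }


# Constructed sample entries (not real device output).
SAMPLE_LINES = [
    "<14>1 2024-01-05T10:15:02.1+09:00 SVP Storage - - - "
    "CELFSS,1.1,120,Authentication,Success,uid=user01,R900:12345",
    "<12>1 2024-01-05T10:20:00.0+09:00 SVP Storage - - - "
    "CELFSS,1.1,121,AnomalyEvent,Failed,uid=<system>,R900:12345,"
    "[AuditLog], Over MaxLine",
    "<14>1 1970-01-01T00:12:41.0Z SVP Storage - - - "
    "CELFSS,1.1,122,ConfigurationAccess,Success,uid=<Host>,R900:12345",
]

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(triage(entry))
```

Entries flagged clock-near-epoch should be correlated by serial number rather than by time, since their timestamps do not reflect when the operation happened.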

Using audit logs

You can download audit log files and syslog files to the Device Manager - Storage Navigator computer, or transfer audit log files to FTP servers or syslog servers.

Downloading audit log files

Download the audit log files to the Device Manager - Storage Navigator computer to prevent the old data from being overwritten. It takes from one to five minutes to download the audit log file.

Caution: Do not download the audit log file to the Device Manager - Storage Navigator computer if the audit log is set to be transferred to an FTP server. Some information may not be transferred to the FTP server because the line counter resets when the audit log file is manually downloaded. Download the file only when the FTP server has failed and cannot receive the audit log file. If you want to transfer the audit log to the FTP server after downloading the log, transfer it manually. See Manually transferring audit log files to FTP servers for more information.

Before you begin

  • You must have Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role to download audit log files.

Procedure

  1. Click Audit Log on the menu bar of the Device Manager - Storage Navigator main window. The Audit Log Properties window opens. Each icon displayed on the menu bar indicates the accumulated status of the audit log information.

    • [icon: GUID-29442324-5CBA-44F3-8EFF-D647615CF1D7-low.png] indicates that the number of saved lines is below the threshold.
    • [icon: GUID-C3BC5545-E30B-454C-A4E3-0104D1F975E1-low.png] indicates that the number of saved lines is above the threshold, but the data is still being saved.
    • [icon: GUID-58501DA6-6805-45F0-A384-E29E64D1E751-low.png] indicates that the number of saved lines has exceeded the maximum, and data is partly lost because the newest lines overwrote the oldest lines.

  2. Click Download to open the Save As dialog box. This operation downloads both the auditlog information file 1 and the auditlog information file 2.

  3. Select a destination for the file and click Save.

  4. Click Close to close the Audit Log Properties window.

Downloading syslog files

Syslog files stored in the storage system can be downloaded to the Device Manager - Storage Navigator computer as necessary. It takes from one to five minutes to download the syslog file.

Note: If you download syslog files of a storage system whose controller model was upgraded, the storage system name in the Hardware identification item becomes the storage system name after upgrade.

Before you begin

  • You must have Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role to download syslog files.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Click the Syslog tab on the Edit Audit Log Settings window.

  2. Select Transfer Protocol. The output file format differs depending on the selected protocol.

  3. Click Download Syslog. The Specify the Destination dialog box appears.

  4. Enter the destination and the file name and click Save.

Automatically transferring audit log files to FTP servers

If you configure FTP server settings, the audit log will be automatically transferred to the FTP server when the number of lines in the file reaches the threshold.

Note: Keep a list of the items, such as the IP address, that you entered in the FTP tab on the Edit Audit Log Settings window. You may need to enter them again when an SVP is replaced.

Before you begin

  • You must have Audit Log Administrator (View & Modify) role to configure FTP server settings.
  • Ensure that SVP is connected to the FTP server on a LAN.

Procedure

  1. Click Settings > Security > Edit Audit log Settings. Click the FTP tab on the Edit Audit Log Settings window.

  2. Perform the following if using a primary FTP server.

    1. Select Enable for the Primary Server.

    2. Select IPv4 or IPv6 on IP Address setting and enter the IP address.

    3. Enter the user name and the password you use to log in to the primary FTP server.

    4. Enter the output folder to which the audit log file is sent with the relative path from the home directory.

  3. Perform the following if using a secondary FTP server.

    1. Select Enable for the Secondary Server.

    2. Select IPv4 or IPv6 on IP Address setting and enter the IP address.

    3. Enter the user name and the password you use to log in to the secondary FTP server.

    4. Enter the output folder to which the audit log file is sent with the relative path from the home directory.

  4. Click Finish.

  5. Confirm the settings from the setting confirmation window, and then enter the task name on Task Name.

  6. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.

  7. Manually transfer the audit log file to confirm that the FTP server setting is correct.

    1. Check that the transfer setting task to the FTP server is complete on the Task window. If the task has not completed, wait until it is complete.

    2. Transfer the audit log file to the FTP server manually to confirm that the FTP server setting is correct. For details of manual transfer, see Manually transferring audit log files to FTP servers.

Troubleshooting

A SIM notifies a storage administrator that an FTP transfer has failed. This can occur when the audit log file is not transferred to an FTP server because either the FTP server or LAN has failed. You can view the SIM in the Alerts window. The reference code for a failed FTP transfer is 7C0300. If a SIM is reported, do the following:

  • Resolve the error on the FTP server or LAN, and then manually transfer the audit log file. Then complete the SIM as described in Completing SIM generated when FTP transfer of audit log files failed.

    If the SIM is not completed, a SIM will not be generated on the next transfer failure.

  • If the error condition cannot be resolved, download the audit log file to the Device Manager - Storage Navigator computer by clicking Audit Log on the upper right of the Device Manager - Storage Navigator main window.

Completing SIM generated when FTP transfer of audit log files failed

Before you begin

  • You must have the Audit Log Administrator (View & Modify) and Storage Administrator (System Resource Management) roles to complete the SIM.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Click the FTP tab on the Edit Audit Log Settings window.

  2. Select the Complete SIMs check box.

  3. Click Finish.

  4. Confirm the settings in the setting confirmation window, and then enter the task name in Task Name.

  5. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.

Manually transferring audit log files to FTP servers

You can transfer the audit log file manually from the SVP to the FTP server.

Before you begin

  • You must have the Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role.
  • Ensure that the SVP is connected to the FTP server on a LAN.
  • The transfer setting to the FTP server must be finished. For the setting procedure, see Automatically transferring audit log files to FTP servers.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Click the FTP tab on the Edit Audit Log Settings window.

  2. Click Transfer to Primary Server or Transfer to Secondary Server. A message appears indicating that the transfer has completed.

Transferring audit log to syslog servers

If you configure syslog server settings, the audit log will always be transferred to the syslog server and stored as syslog files.

You can select either of the following protocols to transfer the audit log to the syslog server. The output file format differs depending on the selected protocol.

  • TLS1.2/RFC5424
  • UDP/RFC3164

Note: When you use UDP/RFC3164, consider the characteristics of UDP (User Datagram Protocol) when designing a network. See http://www.ietf.org./rfc/rfc3164.txt (Request for Comments) issued by IETF (Internet Engineering Task Force) for more details.

Note: Keep a list of the items such as the IP address you entered in the Syslog tab on the Edit Audit Log Settings window. You may need to enter them again when an SVP is replaced.

Before you begin

  • You must have the Audit Log Administrator (View & Modify) role to configure syslog server settings.
  • Make sure that the storage system is connected to syslog servers on a LAN.
  • Make sure that the syslog servers are configured so that audit logs can be transferred to them.
  • The syslog server certificate and the client certificate are required to use TLS1.2/RFC5424.
  • If you use the new syslog protocol (TLS1.2/RFC5424), the subjectAltName or CommonName in the syslog server certificate must specify the host name or IP address of the syslog server.
  • If you specify the host name of the syslog server as the transfer destination, you must register the host name and domain name of the syslog server in the DNS server.

Caution: If audit logs are transferred before the destination syslog server has been configured, the logs are not saved on the syslog server and are lost. See the user manual of the syslog server for the details of the syslog server setting.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Click the Syslog tab on the Edit Audit Log Settings window.

  2. Select New Syslog Protocol (TLS1.2/RFC5424) or Old Syslog Protocol (UDP/RFC3164).

  3. Select Enable for the Primary Server.

    1. Specify the IPv4 address, IPv6 address, or host name of the syslog server to which you want to send syslog data. To specify the host name, select Identifier and then enter up to 255 characters consisting of alphabetic characters, numerals, and symbols (! $ % - . @ _ ` ~).

    2. Enter the Port Number in the primary server setting.

    3. Enter the client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) for Transfer Protocol).

  4. Perform the following if using a secondary syslog server.

    1. Select Enable for the Secondary Server.

    2. Specify the IPv4 address, IPv6 address, or host name.

    3. Enter the Port Number in the secondary server setting.

    4. Enter the client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) for Transfer Protocol).

  5. Enter the name of the storage system from which you are transferring the audit log file in Location Identification Name.

  6. If New Syslog Protocol (TLS1.2/RFC5424) is selected for Transfer Protocol, specify Timeout, Retry Interval, and Number of Retries.

  7. If you want to transfer the detailed information of the audit log to the syslog server, select Enable for Output Detailed Information.

  8. Click Send Test Message to Syslog Server to test the settings.

  9. Check that the test log (function name AuditLog, operation name Send Test Message) has been sent to the syslog server.

  10. Click Finish.

  11. Confirm the settings in the setting confirmation window, and then enter the task name in Task Name.

  12. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.

  13. When the task has completed, confirm that the syslog server has received the log of the syslog server setting. The function name of the log is "AuditLog" and the operation name is "Set Syslog Server".

    If the audit log is not received by the syslog server, check whether the configured IP address or host name and port number match those of the syslog server, and make sure that the client certificate, password, and Root Certificate File Name settings are correct. If the settings in Device Manager - Storage Navigator are correct, make sure that the settings on the syslog server are correct. If you specify the host name of the syslog server as the transfer destination, make sure that the host name and domain name of the syslog server are registered in the DNS server. See the user manual of the syslog server for the details of the syslog server setting.
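
The checks in steps 9 and 13 can be scripted on the syslog server side. The following is an added example, not part of the product documentation: it classifies each received message as RFC 5424 or RFC 3164 by its header, then looks for the function name and operation name in the message body and reports whether the format matches the protocol selected in step 2. The sample messages are constructed, and the comma-separated body layout, the host name `storage01`, and the tag `Storage` are assumptions made for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME, then tag and content
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.S)

def parse(raw):
    """Classify one syslog message and split out PRI, host and body."""
    for proto, rx in (("RFC5424", RFC5424), ("RFC3164", RFC3164)):
        m = rx.match(raw)
        if m:
            pri = int(m["pri"])
            if pri > 191:          # highest valid PRI: facility 23, severity 7
                break
            return {"protocol": proto, "facility": pri >> 3,
                    "severity": pri & 7, "host": m["host"], "body": m["rest"]}
    return None                    # not a syslog message in either format

def confirm(messages, expected_protocol, operation, function="AuditLog"):
    """Return messages carrying the function and operation names, each flagged
    with whether it arrived in the format of the selected transfer protocol."""
    hits = []
    for raw in messages:
        rec = parse(raw)
        if rec and function in rec["body"] and operation in rec["body"]:
            rec["format_matches_setting"] = rec["protocol"] == expected_protocol
            hits.append(rec)
    return hits

# Constructed sample messages (body layout is an assumption, not the product's format)
SAMPLES = [
    "<134>1 2024-05-01T10:15:30.0Z storage01 Storage - - - "
    "AuditLog,Send Test Message,Normal end",
    "<134>May  1 10:20:02 storage01 Storage: AuditLog,Set Syslog Server,Normal end",
    "not a syslog message",
]

if __name__ == "__main__":
    for op in ("Send Test Message", "Set Syslog Server"):
        for hit in confirm(SAMPLES, "RFC5424", op):
            print(op, hit["protocol"], hit["host"], hit["format_matches_setting"])
```

An empty result for an operation means the message never arrived. A hit with `format_matches_setting` set to false means the server received it in a different format from the protocol selected on the Syslog tab.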