Logging
The audit log files contain records of the operations performed on the storage system, including the user who performed the operation and the date and time, as well as the storage system behaviors resulting from the operations. For storage systems with an SVP, the audit log files are stored in the SVP or in the storage system depending on the type of log. For storage systems without an SVP, the audit log files are stored in the storage system. Before you can view an audit log for the storage system, you must configure the storage system to transfer the log files to the syslog server and export an audit log file.
Overview
A log file provides historical data on user operations performed on the storage system as well as program behaviors resulting from the operations. It reveals who did what to the storage system, and it can be a helpful tool for investigating problems or conducting non-technical departmental audits.
Depending on the types of logs, collected logs are stored in either the SVP or the storage system. In order to access the collected logs, the storage system must be configured to transfer logs to syslog servers. Once configured, logs are automatically transferred to the syslog servers from the storage system or the SVP.
The stored audit logs can be transferred to a syslog server.
Log accumulation in the storage system
When the storage system stops transferring logs to syslog servers due to problems, such as a network failure, the logs accumulate in the storage system or the SVP as non-transferred logs. This is flagged as a warning on the management interface and a SIM is sent, prompting action by the administrator. In contrast, when syslog servers are not in use, logs also accumulate in the storage system, but this does not generate any flags because it is normal system behavior.
The following table provides the upper limits for accumulated non-transferred logs in each storage component.
If audit logs are not transferred to syslog servers due to a LAN failure etc., the logs are accumulated as a non-transferred log. Once non-transferred logs are accumulated, the icon showing the accumulated status in the window changes or a SIM is generated.
When syslog servers are not used, logs are accumulated as non-transferred logs, but the icon showing the accumulated status in the window does not change and no SIM is generated.
Maximum number of lines [1] | Log status on Device Manager - Storage Navigator | SIM |
SVP: 250,000 lines | The icon shown in the upper right of the main window changes. For details about how to handle these problems, see SIM codes. | |
Storage system (GUM): 1,000 lines | A SIM is generated. For details, see SIM codes. | |
Storage system (DKC): | | |
Notes:
SIM codes
The following table shows the SIM codes that are issued when non-transferred logs accumulate and how to handle them.
SIM code | Event |
7d03xx [1] | The number of accumulated logs reaches the threshold [2]. |
7d04xx [1] | Some audit logs are overwritten and some data are lost because the file is full. |
Notes:
Perform the following when non-transferred logs are accumulated.
- Export non-transferred logs. All stored audit logs, including transferred logs, are exported in this operation.
- The operation window to use depends on where the audit logs are stored.
Type/contents of audit log | Stored place | Exporting operation window |
| SVP | Audit Log Properties window |
| Storage system (GUM and DKC) | Audit Log Settings window |
- Eliminate the cause of the transfer failure to the syslog server, and then conduct a test transfer of syslogs to confirm that the transmission is recovered.
Note: Even if the transmission is recovered, audit logs generated during the transfer failure are not retransferred.
For more information about audit log settings and exporting audit logs, see the System Administrator Guide.
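Because audit logs generated during a transfer failure are not retransferred, the syslog server's copy keeps a hole for the outage window. The following Python code is an added example, not part of the vendor documentation: it scans lines received from one storage system and reports silent periods longer than a threshold, which are the candidate windows to cover with an exported audit log. It assumes RFC 5424-style lines with the timestamp as the second field; the host name `storage01`, the one-hour threshold and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: RFC 5424-style lines as a syslog server might store them.
# The message bodies are placeholders, not the storage system's audit log format.
SAMPLE = """\
<134>1 2024-05-01T09:00:05Z storage01 audit - - - record A
<134>1 2024-05-01T09:10:41Z storage01 audit - - - record B
<134>1 2024-05-01T09:12:00Z otherhost app - - - unrelated
<134>1 2024-05-01T13:47:19Z storage01 audit - - - record C
not a syslog line
<134>1 2024-05-01T13:50:02Z storage01 audit - - - record D
"""

def parse_line(line):
    """Return (timestamp, hostname) for an RFC 5424 line, or None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 3 or not parts[0].startswith("<"):
        return None
    try:
        ts = datetime.fromisoformat(parts[1].replace("Z", "+00:00"))
    except ValueError:
        return None  # nil timestamp ("-") or unparsable value
    if ts.tzinfo is None:
        return None  # RFC 5424 requires an offset; skip ambiguous local times
    return ts, parts[2]

def find_gaps(lines, host, max_silence):
    """Return (last_seen, next_seen) pairs where `host` was silent longer than max_silence."""
    parsed = (parse_line(line) for line in lines)
    stamps = sorted(p[0] for p in parsed if p and p[1] == host)
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_silence:
            gaps.append((prev, cur))
    return gaps

if __name__ == "__main__":
    for start, end in find_gaps(SAMPLE.splitlines(), "storage01", timedelta(hours=1)):
        print(f"no records from storage01 between {start.isoformat()} and {end.isoformat()}")
```

A quiet storage system also produces silence, so treat each reported window as a candidate and compare it against the exported audit log for the same period.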
Audit log files
In the event that the storage system stops transferring logs to syslog servers, you can export the accumulated non-transferred logs after being notified of the event. Export operations export all logs stored in the system, including transferred logs. Eliminate the cause of the transfer failure and confirm that transfer is recovered.
Determine what tool to use to export using the information provided in the following table:
Type or contents of audit log | Storage place | Exporting operation window |
| SVP | Audit Log Properties window |
| Storage system (Maintenance utility and DKC) | Audit Log Settings window |
Audit log settings window
The following figure is the Audit Log Settings window in the maintenance utility.
The Audit Log Settings window shows the current audit log settings. Select one or more of the three tabs to change the settings.
Setting up a syslog server
Use the following procedure to set up a syslog server for your storage system.
Before you begin
- You must have the Audit Log Administrator (View & Modify) role to perform this task.
Procedure
In the maintenance utility, expand the Administration tree, and then select Audit Log Settings.
Click Set Up Syslog Server.
In the Set Up Syslog Server for Audit Logs window:
Select the desired Transfer Protocol.
Enable or disable the Primary Server.
Enable or disable the Secondary Server.
Enter the Location Identification Name.
Enable or disable the Retry. If enabled, enter the desired retry interval.
Enable or disable the Output Detailed Information.
When you are finished specifying the syslog server settings, click Apply to save the settings and close the window.
Exporting audit log files stored in the SVP
In the main window, click Audit Log on the menu bar.
The icons on the menu bar show the accumulated status of the audit log files.
From the Audit Log Properties window, click Download (SVP) to export logs operated by the Device Manager - Storage Navigator client computer (SVP window). Click Download (DKC) to export commands sent from a host or computers using CCI or logs of events on encryption keys.
The preparation message appears.
Item | Description |
Usage Rate | Indicates how much of storage capacity of the non-transfer audit logs is used in comparison to the maximum storage capacity. |
Download (SVP) | Audit logs of the following contents or type are exported: Operation set by the client PC; Operation logs of encryption keys for encrypting stored data; Execution logs of Remote Maintenance API |
Click OK.
A window opens where you can specify the export destination.
Specify the export destination and file name, and then click Save.
Click Close.
Exporting audit log files stored in the storage system
You can export audit logs from either the controller or the GUM located on the controller.
The storage system has two controllers, so to get audit logs for the complete system, you must log in to the maintenance utility on each controller to export the audit log individually.
Before you begin
You must have the Audit Log Administrator (View Only) role to perform this task.
Procedure
In the maintenance utility under the Administration menu, select Audit Log Settings.
Click Export Audit Log in the Audit Log Settings window to select GUM or DKC.
Click OK.
Note: If the certificate is invalid at the time of the connection, the security confirmation window is displayed. If the security confirmation window is displayed, select Continue to this website (not recommended).
Save the file to the folder containing audit logs.
Note: If you change the location identification name of a syslog server, the location identification name on new audit logs could be changed retroactively.
Note: If you change the UTC time zone setting of the storage system, the times recorded on new audit logs could be changed retroactively.
Send test message to syslog server
Use the following procedure to send a test audit log message to the syslog server.
Before you begin
You must have the Audit Log Administrator (View Only) role to perform this task.
Procedure
In the maintenance utility Administration tree, select Audit Log Settings.
Click Send Test Message to Syslog Server. The following message box opens:
Click OK to close the message box. Check the syslog server messages and verify that the test message was received and is on the server.
Next Steps
- Understand log files: Audit log file format
- Use a quick reference of events and functions in troubleshooting tasks: Audit logs quick reference