Audit log file format
The audit log file is a text file in the syslog format. Two formats are available: RFC3164-compliant and RFC5424-compliant. Select one of them when you configure the transfer of audit log files to syslog servers or export audit log files.
An audit log file consists of the following fields: Audit log header, Audit log information (Basic Information), and Audit log information (Detailed Information), whose formats are respectively described in the following topics.
If an audit log file is to be transferred to the syslog server, syslog header information is included before the audit log header, which is described in this chapter. For details about the format of audit log files when audit log files are transferred to the syslog server, see Format of audit log files when audit log files are transferred to the syslog server.
Audit log header format (RFC3164-compliant)
No. | Item | Description
1 | Priority | The priority value given by the following formula is output, enclosed by < >. Priority value = 8 x Facility + Severity. Facility is 17 (fixed value). Severity takes the following values, depending on the type of the log information: For example, if Severity is Error, <140> is output for the priority value.
2 | Date, time1 | The date and time are output in the format of MMM DD HH:MM:SS (MMM: month, DD: day, HH: hour, MM: minute, SS: second). The abbreviation of the month (Jan to Dec) is output to MMM. For the first to ninth day of a month, a space followed by the day is output to DD. For example, if it is the first day of a month, the output is " 1".
3 | Detected location | "GUM" is output for a host name.
4 | Program name | "Storage" is output for the detection entity identifier.
5 | Unified specification identification | "CELFSS" is output for the unified specification identifier.
6 | | "1.1" is output for the revision number of the unified specification.
7 | Message identification | The serial number of the syslog header information is output.
8 | | Message ID (No output because it is unused.)
9 | Date, time#21 | The date, time, and the time difference from UTC (Universal Time Coordinated) are output in the format of YYYY-MM-DDThh:mm:ss.s±hh:mm (YYYY: year, MM: month, DD: day, hh: hour, mm: minute, ss.s: second, hh: hour of the time difference, mm: minute of the time difference). However, if there is no time difference from UTC, "Z" is output for "±hh:mm", such as 2016-12-T23:06:58.0Z. "ss.s" means that seconds are output to the first decimal place.
10 | Detection entity | "Storage" is output for the detection entity identifier.
11 | Detected location | "GUM" is output as a host name.
12 | Type of audit event | The category name of the audit event is output. The actual category names and examples of the events are as follows:
13 | Result of audit event | The result of the audit event is output as follows. "xxxx-yyyyy" shows an error code. This error code is not shown in the result of the audit event if the operation is performed from Maintenance PC or by the command from a host.
14 | Subject identification | The user name is output in the format of "uid=user name".
15 | Hardware identification | The ID that identifies the model name of the product (HM850) and the serial number (six-digit number: 400001 to 499999) are separated by a colon (:) and output. For example, "HM850:431234" is output if the serial number is 431234.
16 | Generated location | No output because it is unused.
17 | Related information | The location identification name configured in the Set Up Syslog Server for Audit Logs window is output.
18 | | FQDN (No output because it is unused.)
19 | | Redundancy identification information (No output because it is unused.)
20 | Agent information | No output because it is unused.
21 | Host identification | The identification information of a host sending requests is output as follows.
22 | Request information | The port that sends requests (No output because it is unused.)
23 | | The host that receives requests (No output because it is unused.)
24 | | The port that receives requests (No output because it is unused.)
25 | Collective operation identifier | The collective operation identifier is a serial number with which the operation is recognized as one operation even if it outputs multiple lines. The identifier is output only when the log identification information is "BasicLog."
26 | Log type information | The log type information is output as follows:
27 | Application identification | When commands are received from a host, the following are output.
28 | Reserve | Reserve #2 (No output because it is unused.)
Notes:
Audit log header format (RFC5424-compliant)
No. | Item | Description
1 | Priority | The priority value given by the following formula is output, enclosed by < >. Priority value = 8 x Facility + Severity. Facility is 17 (fixed value). Severity takes the following values, depending on the type of the log information: For example, if Severity is Error, <140> is output for the priority value.
2 | Version | "1" is output for the version number.
3 | Date, time1 | The date, time, and the time difference from UTC (Universal Time Coordinated) are output in the format of YYYY-MM-DDThh:mm:ss.s±hh:mm (YYYY: year, MM: month, DD: day, hh: hour, mm: minute, ss.s: second, hh: hour of the time difference, mm: minute of the time difference). However, if there is no time difference from UTC, "Z" is output for "±hh:mm", such as 2016-12-T23:06:58.0Z. "ss.s" means that seconds are output to the first decimal place.
4 | Detected location | "GUM" is output for a host name.
5 | Program name | "Storage" is output for the detection entity identifier.
6 | Process name | A hyphen (-) is output for the process name.
7 | Message ID | A hyphen (-) is output for the message ID.
8 | Structured data | A hyphen (-) is output for the structured data.
9 | Unified specification identification | "CELFSS" is output for the unified specification identifier.
10 | | "1.1" is output for the revision number of the unified specification.
11 | Message identification | The serial number of the syslog header information is output.
12 | Type of audit event | The category name of the audit event is output. The actual category names and examples of the events are as follows:
13 | Result of audit event | The result of the audit event is output as follows. "xxxx-yyyyy" shows an error code. This error code is not shown in the result of the audit event if the operation is performed from Maintenance PC or by the command from a host.
14 | Account identification | A user name is output in the format of "uid=user name".
15 | Hardware identification | The ID that identifies the model name of the product (HM850) and the serial number (six-digit number: 400001 to 499999) are separated by a colon (:) and output. For example, "HM850:431234" is output if the serial number is 431234.
16 | Related information | The location identification name configured in the Set Up Syslog Server for Audit Logs window is output.
17 | Host identification | The identification information of a host sending requests is output as follows.
18 | Collective operation identifier | The collective operation identifier is a serial number with which the operation is recognized as one operation even if it outputs multiple lines. The identifier is output only when the log identification information is "BasicLog."
19 | Log type information | The log type information is output as follows:
20 | Application identification | When commands are received from a host, the following are output.
Notes:
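A collector that receives these logs can check each line against the fixed values in the RFC5424-compliant header table (items 1 to 9) before trusting it as storage audit data. The following is an added example, not code from the product or its documentation; the function name, the sample lines and the assumption that a single space separates the structured data from the audit log header are not from the page.

```python
import re
from datetime import datetime

# Fixed values from the RFC5424-compliant header table (items 1 to 9).
FACILITY = 17
FIXED = {"version": "1", "host": "GUM", "program": "Storage",
         "process": "-", "message ID": "-", "structured data": "-"}
HEADER = re.compile(r"<(\d{1,3})>" + r"(\S+) " * 6 + r"(\S+)(?: (.*))?$", re.S)
STAMP = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d(?:Z|[+-]\d\d:\d\d)")

def check_header(line):
    """Return (fields, problems) for one RFC5424-compliant audit log line."""
    m = HEADER.match(line)
    if not m:
        return None, ["no RFC 5424 header found"]
    pri, version, stamp, host, program, process, msgid, sd, rest = m.groups()
    facility, severity = divmod(int(pri), 8)  # priority = 8 x facility + severity
    problems = []
    if facility != FACILITY:
        problems.append("facility %d, expected %d" % (facility, FACILITY))
    seen = dict(zip(FIXED, (version, host, program, process, msgid, sd)))
    for name, expected in FIXED.items():
        if seen[name] != expected:
            problems.append("%s %r, expected %r" % (name, seen[name], expected))
    try:
        if not STAMP.fullmatch(stamp):        # one decimal, then Z or +-hh:mm
            raise ValueError(stamp)
        datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # real calendar date
    except ValueError:
        problems.append("timestamp %r does not match the header format" % stamp)
    if not (rest or "").startswith("CELFSS"):
        problems.append("audit log header does not start with CELFSS")
    fields = {"facility": facility, "severity": severity,
              "timestamp": stamp, "rest": rest}
    return fields, problems

# Constructed sample lines (the timestamp and trailing text are made up).
GOOD = "<140>1 2016-12-10T23:06:58.0Z GUM Storage - - - CELFSS (remaining fields omitted)"
BAD = "<38>1 2016-12-10T23:06:58Z host01 sshd 311 - - session opened"

for sample in (GOOD, BAD):
    print(check_header(sample))
```

For the page's `<140>` example the check returns facility 17 and severity code 4, so a SIEM mapping should key on that numeric code.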
Audit log information format (Basic information)
The RFC3164-compliant and RFC5424-compliant formats use the same audit log information (Basic information) format. The output values of the audit log information (Basic information) differ by the type of history.
Type of history | Pattern of output value
Operations configured by the management client or Maintenance PC | Pattern 1
Execution logs of remote maintenance API |
Operations on encryption keys for encrypting stored data |
Commands that the storage system received from hosts or computers using CCI | Pattern 2
Events on encryption keys for encrypting stored data |
Mark | Item | Pattern 1 | Pattern 2
A | External interface name | |
B | Task name | | No output.
C | Function name | The abbreviation of the name of the function performed during the setting operation from Device Manager - Storage Navigator, RMI AP or RM AP is output. The name of the maintenance window is output for the setting operation by Maintenance PC. For the relation between the function and the abbreviation of the output function name, see Device Manager - Storage Navigator and Maintenance PC operation. | Commands received from the host are output as follows. "ENC" is output for events on encryption keys.
D | Operation name or event name | The operation name or event name that is unique to each function is output. For the relation between the GUI operation of each program product and the operation name output to audit logs, see GUID-41BC9603-1370-4EA6-B116-1929CC7B0EB5 and the following sections. For the relation between the operation on Maintenance PC and the operation name output to audit logs, see GUID-EEF2CD47-0A4C-417B-8177-C9402381E423 and the following sections. For details of the event names, see Reproducing/losing Audit log. | When the function name is "User Auth", the received command is output as follows. No output when commands, except for login or logout, are received. When the function name is "ENC", the event name is output.
E | Parameter | When the configuration operation includes a parameter setting, the operation parameter is output. No detailed information is output to the parameter part of the basic information. | No output.
F | Result of operation or receiving commands | The results of the operations are output as follows. | The results of receiving commands are output as follows.
G | Serial number | The serial number of stored log information is output. The serial number ranges from 0000000000 to 4294967295. When the log information reaches 4,294,967,295 counts, the serial number is reset to 0000000000.
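Because the serial number (item G) increases by one per stored record and wraps from 4294967295 to 0000000000, a collector can use it to notice audit records that never arrived. The following is an added example, not part of the product or its documentation; it assumes the serials are given in the order received, and the function name and the `MAX_FORWARD_GAP` threshold are choices made for this sketch.

```python
MODULUS = 2 ** 32          # serials run 0000000000..4294967295, then reset to 0
MAX_FORWARD_GAP = 100000   # assumed threshold: a larger jump is reported as a rewind

def check_serials(serials):
    """Classify each step between consecutive basic-information serials.

    Returns (previous, current, kind, missing) tuples, where kind is 'gap'
    (records missing), 'duplicate', or 'rewind' (the counter went backwards).
    """
    findings = []
    prev = None
    for text in serials:
        ok = len(text) == 10 and text.isascii() and text.isdigit()
        if not ok or int(text) >= MODULUS:
            raise ValueError("not a 10-digit serial number: %r" % text)
        cur = int(text)
        if prev is not None:
            step = (cur - prev) % MODULUS   # 4294967295 -> 0 counts as one step
            if step == 0:
                findings.append((prev, cur, "duplicate", 0))
            elif 1 < step <= MAX_FORWARD_GAP:
                findings.append((prev, cur, "gap", step - 1))
            elif step > MAX_FORWARD_GAP:
                findings.append((prev, cur, "rewind", 0))
        prev = cur
    return findings

# Constructed sequence: a clean wraparound, then two missing records,
# a repeated record and a serial that goes backwards.
SAMPLE = ["4294967294", "4294967295", "0000000000", "0000000001",
          "0000000004", "0000000004", "0000000002"]

for finding in check_serials(SAMPLE):
    print(finding)
```

Syslog transfer can drop or reorder messages, so a reported gap is a prompt to compare against the audit log exported from the storage system.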
Audit log information format (Detailed information)
The RFC3164-compliant and RFC5424-compliant formats use the same audit log information (Detailed information) format.
The indexes and setting values that indicate the set items are output to the detailed information. There are two detailed information formats.
Symbol | Definition
+ and - | '+' or '-' is displayed at the beginning of a line.
= | Connects an index and a setting value.
[ ] | When there is more than one setting value for an index, the setting values are enclosed by [ ], and separated by a comma (,). Example: CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]
{ } | Details are enclosed by {}. Example: {Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}]
( ) | Supplementary and additional information for setting values is enclosed by ( ). Example: {VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}
Symbol | Definition
+ and - | '+' or '-' is displayed at the beginning of a line.
{ } | The tiering relation is indicated by the following format. Parent setting item{Child setting item 1, Child setting item 2{Grandchild setting item 2-1, Grandchild setting item 2-2,...},...}
= | Connects an index and a setting value.
[x] | For the log output by the command or operation in which multiple resources or items of the same type can be set at one time, the resource or item of the same type is indicated as follows. Setting item[x] (where x is a number: 0, 1, 2,...)
+Copy Type=UR ++{P-VOL(Port-G-ID-LUN),S-VOL(Port-G-ID-LUN),MirrorID, S/N,CTRLID,Type,Range,Delete Mode,Result} =[{4C-0x00-0,4A-0x00-0,0x00,467676,18,P-VOL,LU,Normal, Normal end}],Num. of Pairs=1
+{iScsiPort[0]{ Port=1A, iScsiTarget[0]{ Id=0,Name="Name",Alias="Alias",UserAuthSwitch=Enable, Result=Normal end}}}
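The first notation above (index=value, with [ ] for multiple values and { } for grouped details) can be turned into records so that per-resource results become searchable. The following is an added example, not code from the product or its documentation; the function names are made up for this sketch, it covers only the first format, and it does not handle commas inside quoted values.

```python
def split_top(text, sep=","):
    """Split on sep, ignoring separators nested inside [], {} or ()."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch in "[{(":
            depth += 1
        elif ch in "]})":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    return parts + [text[start:]]

def parse_value(text):
    """[a,b] -> list; {a,b} -> list of fields; anything else -> string."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        return [parse_value(p) for p in split_top(text[1:-1])]
    if text.startswith("{") and text.endswith("}"):
        return [p.strip() for p in split_top(text[1:-1])]
    return text

def parse_detail(line):
    """Parse one detailed-information line (first format) into {index: value}."""
    out = {}
    for item in split_top(line.strip().lstrip("+-")):  # drop '+'/'-' markers
        key, *rest = split_top(item, "=")
        key, value = key.strip(), parse_value("=".join(rest))
        if key.startswith("{"):        # {A,B}=... : the index names the columns
            names = parse_value(key)
            rows = value if value and isinstance(value[0], list) else [value]
            if any(not isinstance(r, list) or len(r) != len(names) for r in rows):
                raise ValueError("column/value count mismatch: " + item)
            value = [dict(zip(names, row)) for row in rows]
        out[key] = value
    return out

def error_rows(parsed):
    """Records whose Result field starts with 'Error', e.g. Error(xxxx-yyyy)."""
    return [row for value in parsed.values() if isinstance(value, list)
            for row in value
            if isinstance(row, dict) and row.get("Result", "").startswith("Error")]

SAMPLES = [  # the page's own examples of the notation
    "CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]",
    "{Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}]",
    "{VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}",
]
for sample in SAMPLES:
    print(parse_detail(sample), "errors:", error_rows(parse_detail(sample)))
```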
Description of log examples in this manual
The log examples in this manual contain only the basic information and detailed information of audit log information.
An audit log header appears before the basic information and each detailed information respectively.
For Detailed information format 2 above, line feeds are added to make it easy to see, while no line feed is added to the actual logs.
Format of audit log files when audit log files are transferred to the syslog server
If an audit log file is to be transferred to the syslog server, syslog header information is included in the audit log file.
The following figure shows the format of audit log files when audit log files are transferred to the syslog server.
Part | | Description
syslog.PRI | | The same priority is set for syslog.PRI and for the audit log header.
syslog.HEADER | | The syslog.HEADER includes the date and time when the syslog data was sent.
syslog.MSG | Audit log header* | See Audit log header format (RFC3164-compliant) or Audit log header format (RFC5424-compliant). The audit log header includes the date and time when the audit event occurred.
 | Audit log information | See Audit log information format (Basic information) and Audit log information format (Detailed information).