Audit log file format

The audit log file is a text file in the syslog format. Two formats are available: RFC3164-compliant and RFC5424-compliant. Select one of them when you configure the transfer of audit log files to syslog servers or when you export audit log files.

An audit log file consists of the following fields: Audit log header, Audit log information (Basic Information), and Audit log information (Detailed Information), whose formats are respectively described in the following topics.

If an audit log file is to be transferred to the syslog server, syslog header information is included before the audit log header, which is described in this chapter. For details about the format of audit log files when audit log files are transferred to the syslog server, see Format of audit log files when audit log files are transferred to the syslog server.

Audit log header format (RFC3164-compliant)

No.

Item

Description

1

Priority

The priority value given by the following formula is output, enclosed by < >.

Priority value = 8 x Facility + Severity

Facility is 17 (Fixed value).

Severity takes the following values, depending on the type of the log information:

  • 4: Error (Abnormal end) or Warning (The operation partly ended abnormally or was aborted.)
  • 6: Informational (Normal end)

For example, if Severity is Error, <140> is output for the priority value.

2

Date, time (see Note 1)

The date and time are output in the format of MMM DD HH:MM:SS. (MMM: month, DD: day, HH: hour, MM: minute, SS: second)

The abbreviation of months (Jan to Dec) is output to MMM.

For the first to ninth day of a month, a space followed by the day is output to DD.

For example, if it is the first day of a month, the output is " 1".

3

Detected location

"GUM" is output for a host name.

4

Program name

"Storage" is output for the detection entity identifier.

5

Unified specification identification

"CELFSS" is output for the unified specification identifier.

6

"1.1" is output for the revision number of the unified specification.

7

Message identification

The serial number of the syslog header information is output.

8

Message ID (No output because it is unused.)

9

Date, time #2 (see Note 1)

The date, time, and the time difference from UTC (Universal Time Coordinated) are output in the format of YYYY-MM-DDThh:mm:ss.s±hh:mm. (YYYY: year, MM: month, DD: day, hh: hour, mm: minute, ss.s: second, hh: hour of the time difference, mm: minute of the time difference).

However, if there is no time difference from UTC, "Z" is output for "±hh:mm" such as 2016-12-T23:06:58.0Z. "ss.s" (output format of seconds) means that seconds are output to the first decimal place.

10

Detection entity

"Storage" is output for the detection entity identifier.

11

Detected location

"GUM" is output as a host name.

12

Type of audit event

The category name of the audit event is output. The actual category names and examples of the events are as follows:

  • Authentication: Authentication etc. to RMI
  • ConfigurationAccess: Configuration from Device Manager - Storage Navigator, Maintenance PC, hosts or CCI
  • Maintenance: Configuration on Maintenance PC
  • ExternalService: Remote maintenance operation

13

Result of audit event

The result of the audit event is output as follows.

  • Success: Normal end (The operation ended normally.)
  • Failed: Error (xxxx-yyyy) (The operation ended abnormally.)
  • Failed: Warning (xxxx-yyyy) (The operation partly ended abnormally or was aborted.)

"xxxx-yyyyy" shows an error code. This error code is not shown in the result of the audit event if the operation is performed from Maintenance PC or by the command from a host.

14

Subject identification

The user name is output in the format of "uid=user name".

  • "DKCMaintenance" is output for the operation from Maintenance PC.
  • "Host" is output for the command from a host.

15

Hardware identification

The ID that identifies the model name of the product (HM850) and the serial number (six-digit number: 400001 to 499999) are output, separated by a colon (:).

For example, "HM850:431234" is output if the serial number is 431234.

16

Generated location

No output because it is unused.

17

Related information

The location identification name configured in the Set Up Syslog Server for Audit Logs window is output.

18

FQDN (No output because it is unused.)

19

Redundancy identification information (No output because it is unused.)

20

Agent information

No output because it is unused.

21

Host identification

The identification information of a host sending requests is output as follows.

  • Operations of Device Manager - Storage Navigator: IP address (IPv4 or IPv6) (see Notes 2 and 3)
  • Operations of RMI AP

    IP address (IPv4 or IPv6): When an IP address is specified by an external application.

    Host name: When a host name is specified by an external application.

  • CCI operation

    A host name is output for authenticated hosts.

    A WWN is output for unauthenticated hosts.

    IP addresses of GUM are output if operations are performed from CCI of the embedded CLI.

  • An IP address is output for the CHAP authentication.
  • No output for operation logs of RM AP and GUM AP.
  • No output for event logs on the encryption keys.

22

Request information

The port that sends requests (No output because it is unused.)

23

The host that receives requests (No output because it is unused.)

24

The port that receives requests (No output because it is unused.)

25

Collective operation identifier

The collective operation identifier is a serial number with which the operation is recognized as one operation even if it outputs multiple lines.

The identifier is output only when the log identification information is "BasicLog."

26

Log type information

The log type information is output as follows:

  • BasicLog: Basic information
  • DetailLog: Detailed information

27

Application identification

When commands are received from a host, the following are output.

  • ID that the host and storage system use internally
  • 0x0000: When receiving commands from other storage systems.
  • No output for events on CHAP, Computers using CCI, or encryption keys.

28

Reserve

Reserve #2 (No output because it is unused.)

Notes:

  1. If a LAN failure etc. occurs on the storage system, the date and time might be the accumulated time since January 1, 1970.
  2. The IP address might indicate that of a proxy server, router, or remote desktop client, depending on the connected network configuration.
  3. When IPv4 and IPv6 are available for communication from the management client to the SVP or management client, even if an IPv6 address of the SVP or management client is designated by the browser of the management client, IPv4 is used for communication by operations from the sub window of Device Manager - Storage Navigator, and an IPv4 address is output to the audit log.

Audit log header format (RFC5424-compliant)

No.

Item

Description

1

Priority

The priority value given by the following formula is output, enclosed by < >.

Priority value = 8 x Facility + Severity

Facility is 17 (Fixed value).

Severity takes the following values, depending on the type of the log information:

  • 4: Error (Abnormal end) or Warning (The operation partly ended abnormally or was aborted.)
  • 6: Informational (Normal end)

For example, if Severity is Error, <140> is output for the priority value.

2

Version

"1" is output for the version number.

3

Date, time (see Note 1)

The date, time, and the time difference from UTC (Universal Time Coordinated) are output in the format of YYYY-MM-DDThh:mm:ss.s±hh:mm. (YYYY: year, MM: month, DD: day, hh: hour, mm: minute, ss.s: second, hh: hour of the time difference, mm: minute of the time difference).

However, if there is no time difference from UTC, "Z" is output for "±hh:mm" such as 2016-12-T23:06:58.0Z.

"ss.s" (output format of seconds) means that seconds are output to the first decimal place.

4

Detected location

"GUM" is output for a host name.

5

Program name

"Storage" is output for the detection entity identifier.

6

Process name

A hyphen (-) is output for the process name.

7

Message ID

A hyphen (-) is output for the message ID.

8

Structured data

A hyphen (-) is output for the structured data.

9

Unified specification identification

"CELFSS" is output for the unified specification identifier.

10

"1.1" is output for the revision number of the unified specification.

11

Message identification

The serial number of the syslog header information is output.

12

Type of audit event

The category name of the audit event is output. The actual category names and examples of the events are as follows:

  • Authentication: Authentication etc. to RMI
  • ConfigurationAccess: Configuration from Device Manager - Storage Navigator, Maintenance PC, hosts or CCI
  • Maintenance: Configuration on Maintenance PC
  • ExternalService: Remote maintenance operation

13

Result of audit event

The result of the audit event is output as follows.

  • Success: Normal end (The operation ended normally.)
  • Failed: Error (xxxx-yyyy) (The operation ended abnormally.)
  • Failed: Warning (xxxx-yyyy) (The operation partly ended abnormally or was aborted.)

"xxxx-yyyyy" shows an error code. This error code is not shown in the result of the audit event if the operation is performed from Maintenance PC or by the command from a host.

14

Account identification

A user name is output in the format of "uid=user name".

  • "DKCMaintenance" is output for the operation from Maintenance PC.
  • "Host" is output for the commands from a host.

15

Hardware identification

The ID that identifies the model name of the product (HM850) and the serial number (six-digit number: 400001 to 499999) are output, separated by a colon (:).

For example, "HM850:431234" is output if the serial number is 431234.

16

Related information

The location identification name configured in the Set Up Syslog Server for Audit Logs window is output.

17

Host identification

The identification information of a host sending requests is output as follows.

  • Operations of Device Manager - Storage Navigator: IP address (IPv4 or IPv6) (see Notes 2 and 3)
  • Operations of RMI AP

    IP address (IPv4 or IPv6): When an IP address is specified by an external application.

    Host name: When a host name is specified by an external application.

  • CCI operation

    A host name is output for authenticated hosts.

    A WWN is output for unauthenticated hosts.

    IP addresses of GUM are output if operations are performed from CCI of the embedded CLI.

  • An IP address is output for the CHAP authentication.
  • No output for operation logs of RM AP and GUM AP.
  • No output for event logs on the encryption keys.

18

Collective operation identifier

The collective operation identifier is a serial number with which the operation is recognized as one operation even if it outputs multiple lines.

The identifier is output only when the log identification information is "BasicLog."

19

Log type information

The log type information is output as follows:

  • BasicLog: Basic information
  • DetailLog: Detailed information

20

Application identification

When commands are received from a host, the following are output.

  • ID that the host and storage system use internally
  • 0x0000: When receiving commands from other storage systems.
  • No output for events on CHAP, Computers using CCI, or encryption keys.

Notes:

  1. If a LAN failure etc. occurs on the storage system, the date and time might be the accumulated time since January 1, 1970.
  2. The IP address might indicate that of a proxy server, router, or remote desktop client, depending on the connected network configuration.
  3. When IPv4 and IPv6 are available for communication from the management client to the SVP or management client, even if an IPv6 address of the SVP or management client is designated by the browser of the management client, IPv4 is used for communication by operations from the sub window of Device Manager - Storage Navigator, and an IPv4 address is output to the audit log.
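
A check a log collector can run on items 1 to 8 of the RFC5424-compliant header before trusting a line, added here as an example (it is not Hitachi code). It assumes the space-delimited layout that RFC 5424 defines for these items, treats everything from item 9 onward as an opaque string, and uses a hypothetical `MIN_YEAR` threshold to flag the 1970-based clock described in Note 1.

```python
import re
from datetime import datetime, timezone

# RFC 5424 prefix: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
PREFIX = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<rest>.*)$"
)
# Fixed values the header table gives for items 2 and 4 to 8.
EXPECTED = {"version": "1", "host": "GUM", "app": "Storage",
            "procid": "-", "msgid": "-", "sd": "-"}
MIN_YEAR = 2000  # assumption: anything earlier is the 1970-based fallback clock


def parse_timestamp(text):
    """Parse YYYY-MM-DDThh:mm:ss.s followed by Z or a +hh:mm / -hh:mm offset."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def check_header(line):
    """Return (fields, problems) for one RFC5424-style audit log line."""
    match = PREFIX.match(line)
    if match is None:
        return None, ["line does not start with an RFC 5424 header"]
    fields = match.groupdict()
    problems = []
    # Priority value = 8 x Facility + Severity
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    if fields["facility"] != 17:
        problems.append(f"facility {fields['facility']}, expected 17")
    if fields["severity"] not in (4, 6):
        problems.append(f"severity {fields['severity']}, expected 4 or 6")
    for key, want in EXPECTED.items():
        if fields[key] != want:
            problems.append(f"{key} is {fields[key]!r}, expected {want!r}")
    try:
        stamp = parse_timestamp(fields["ts"])
    except ValueError:
        problems.append(f"unparseable timestamp {fields['ts']!r}")
    else:
        fields["time_utc"] = stamp.astimezone(timezone.utc)
        if stamp.year < MIN_YEAR:
            problems.append("timestamp predates MIN_YEAR (Note 1 fallback clock)")
    return fields, problems


# Constructed sample lines; "<audit fields>" stands in for items 9 onward.
SAMPLES = [
    "<142>1 2016-12-20T23:06:58.0Z GUM Storage - - - <audit fields>",
    "<140>1 1970-01-02T03:04:05.0+09:00 GUM Storage - - - <audit fields>",
    "<38>1 2016-12-20T23:06:58.0Z GUM Storage - - - <audit fields>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_header(sample)[1])
```

The priority check applies unchanged to the RFC3164-compliant header, which uses the same formula and fixed facility.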

Audit log information format (Basic information)

The same format of the audit log information (Basic information) is used for both the RFC3164-compliant and RFC5424-compliant formats. The output values of the audit log information (Basic information) differ by the type of history.

Type of history: Pattern of output value

  • Operations configured by the management client or Maintenance PC: Pattern 1
  • Execution logs of remote maintenance API: Pattern 1
  • Operations on encryption keys for encrypting stored data: Pattern 1
  • Commands that the storage system received from hosts or computers using CCI: Pattern 2
  • Events on encryption keys for encrypting stored data: Pattern 2

Mark

Item

Pattern 1

Pattern 2

A

External interface name

  • RMI AP: Logs of Remote Method Invocation Application (RMI AP)
  • MPC: Logs of Maintenance PC
  • GUM: Logs of Maintenance Utility
  • RM AP: Logs of Remote Maintenance Application (RM AP)
  • GUM AP: Logs of Maintenance Utility Application (GUM AP)
  • No output for Create File (Event name) of AuditLog (Function name).
  • In-band OPEN: Host
  • Out-of-band: Computer using CCI
  • No output for events on encryption keys

B

Task name

  • The task name is output to an operation log that is registered in the Device Manager - Storage Navigator tasks.
  • No task name is output to an operations log that is not registered in the Device Manager - Storage Navigator tasks.

No output.

C

Function name

The abbreviation of the name of the function performed during the setting operation from Device Manager - Storage Navigator, RMI AP or RM AP is output.

The name of the maintenance window is output for the setting operation by Maintenance PC.

For the relation between the function and the abbreviation of the output function name, see Device Manager - Storage Navigator and Maintenance PC operation.

Commands received from the host are output as follows.

  • User Auth: User authentication command
  • Config Command: Configuration change command
  • CHAP: Device authentication command

"ENC" is output for events on encryption keys.

D

Operation name or event name

The operation name or event name that is unique to each function is output.

For the relation between the GUI operation of each program product and the operation name output to audit logs, see GUID-41BC9603-1370-4EA6-B116-1929CC7B0EB5 and the following sections. For the relation between the operation on Maintenance PC and the operation name output to audit logs, see GUID-EEF2CD47-0A4C-417B-8177-C9402381E423 and the following sections.

For details of the event names, see Reproducing/losing Audit log.

When the function name is "User Auth", the received command is output as follows.

  • Login: Receipt of the login command
  • Logout: Receipt of the logout command

No output when commands, except for login or logout, are received.

When the function name is "ENC", the event name is output.

E

Parameter

When the configuration operation includes a parameter setting, the operation parameter is output.

No detailed information is output to the parameter part of the basic information.

No output.

F

Result of operation or receiving commands

The results of the operations are output as follows.

  • Normal end: The operation ended normally.
  • Warning (xxxx-yyyyy): The operation partly ended abnormally or was aborted.
  • Error (xxxx-yyyyy): The operation ended abnormally. "xxxxx-yyyyyy" shows an error code.

    See Hitachi Device Manager - Storage Navigator Messages for the error codes.

    No error code is added to the result of the operation that is not a Device Manager - Storage Navigator operation.

The results of receiving commands are output as follows.

  • Normal end: User authentication or CHAP authentication ended normally, or the event on encryption keys occurs.
  • Error: User authentication or CHAP authentication ended abnormally.
  • Accept: Commands from a host are received.
  • Reject: Commands from a host are rejected.

G

Serial number

The serial number of stored log information is output.

The serial number ranges from 0000000000 to 4294967295.

When the log information reaches 4,294,967,295 counts, the serial number is reset to 0000000000.
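
A sequence check built on the serial number (item G), added here as an example that is not part of the product documentation: it walks consecutive serial numbers, treats 4294967295 followed by 0000000000 as a normal step, and reports gaps, duplicates and out-of-order values. It assumes each stored record advances the serial number by one; `max_gap` is a hypothetical tuning value.

```python
SERIAL_MODULUS = 4294967295 + 1  # 0000000000 follows 4294967295


def serial_anomalies(serials, max_gap=1000):
    """Compare consecutive serial numbers and report breaks in the sequence.

    max_gap is a hypothetical tuning value: a forward jump of at most this many
    records is reported as a gap (lost records), anything else as out-of-order.
    """
    findings = []
    for prev, cur in zip(serials, serials[1:]):
        skipped = (int(cur) - int(prev) - 1) % SERIAL_MODULUS
        if skipped == 0:
            continue  # normal successor, including 4294967295 -> 0000000000
        if int(cur) == int(prev):
            findings.append((prev, cur, "duplicate", 0))
        elif skipped <= max_gap:
            findings.append((prev, cur, "gap", skipped))
        else:
            findings.append((prev, cur, "out-of-order", 0))
    return findings


# Constructed serial numbers, in the order the records were received.
SAMPLE = [
    "4294967294", "4294967295", "0000000000", "0000000001",
    "0000000004", "0000000004", "0000000003",
]

if __name__ == "__main__":
    for finding in serial_anomalies(SAMPLE):
        print(finding)
```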

Audit log information format (Detailed information)

The same format of audit log information (Detailed information) is used for both the RFC3164-compliant and RFC5424-compliant formats.

The indexes and setting values that indicate the set items are output to the detailed information. There are two types of the detailed information format.

Detailed information format 1

Symbol

Definition

+ and -

'+' or '-' is displayed at the beginning of a line.

  • '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
  • '-' means that the line continues from the previous one.

=

Connects an index and a setting value.

[ ]

When there is more than one setting value for an index, the setting values are enclosed by [ ], and separated by a comma (,).

Example: CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]

{ }

Details are enclosed by {}.

Example: {Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}]

( )

Supplementary and additional information for setting values is enclosed by ( ).

Example: {VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}

Note: If there is an item that is not specified when entering commands or performing operations, a hyphen (-) is output for its setting value, no setting value is output, or the index itself is not output.
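
A small parser for Detailed information format 1, added here as an example (not code from the product): it applies the symbol definitions above to the three examples in the table and maps unspecified values (a hyphen or an empty value) to `None`. The `+` and `-` line prefixes in the sample, the `Comment` index, and the choice to drop the `-` marker when joining a continuation line are assumptions.

```python
def split_top(text, sep=","):
    """Split on sep, ignoring separators nested inside [], {} or ()."""
    parts, depth, start = [], 0, 0
    for pos, char in enumerate(text):
        if char in "[{(":
            depth += 1
        elif char in "]})":
            depth -= 1
        elif char == sep and depth == 0:
            parts.append(text[start:pos])
            start = pos + 1
    parts.append(text[start:])
    return parts


def parse_value(text, names=None):
    """Turn a setting value into a list, dict, string or None."""
    if text.startswith("[") and text.endswith("]"):
        return [parse_value(item, names) for item in split_top(text[1:-1])]
    if text.startswith("{") and text.endswith("}"):
        values = [parse_value(item) for item in split_top(text[1:-1])]
        return dict(zip(names, values)) if names else values
    # A hyphen or an empty value means the item was not specified.
    return None if text in ("", "-") else text


def parse_entry(line):
    """Parse one '+...index=value' line into indent, index and value."""
    indent = len(line) - len(line.lstrip("+"))
    parts = split_top(line[indent:], "=")
    index, value = parts[0], "=".join(parts[1:])
    names = split_top(index[1:-1]) if index.startswith("{") else None
    return {"indent": indent, "index": index,
            "value": parse_value(value, names)}


def parse_detail(lines):
    """Join '-' continuation lines, then parse every '+' entry."""
    merged = []
    for line in lines:
        if line.startswith("-") and merged:
            merged[-1] += line[1:]  # assumption: the '-' marker is dropped
        else:
            merged.append(line)
    return [parse_entry(line) for line in merged if line.startswith("+")]


# Constructed input built from the three examples in the symbol table; the
# '+' / '-' prefixes and the "Comment" index are hypothetical.
SAMPLE = [
    "+CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]",
    "++{Port,Fabric,Connection}=[{1E,ON,FC-AL},",
    "-{3E,OFF,P-to-P}]",
    "+{VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}",
    "+Comment=-",
]

if __name__ == "__main__":
    for entry in parse_detail(SAMPLE):
        print(entry)
```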
Detailed information format 2
Note: Line feeds are added to make the example easy to see, while no line feed is added to the actual logs.

Symbol

Definition

+ and -

'+' or '-' is displayed at the beginning of a line.

  • '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
  • '-' means that the line continues from the previous one.

{ }

The tiering relation is indicated by the following format.

Parent setting item{Child setting item 1, Child setting item 2{Grandchild setting item 2-1, Grandchild setting item 2-2,...},...}

=

Connects an index and a setting value.

[x]

For the log output by the command or operation in which multiple resources or items of the same type can be set at one time, the resource or item of the same type is indicated as follows.

Setting item[x] (where x is a number: 0, 1, 2,...)

Note: If there is an item that is not specified when entering commands or performing operations, "null" is output for its setting value, or the index itself is not output.
Example:
+Copy Type=UR
++{P-VOL(Port-G-ID-LUN),S-VOL(Port-G-ID-LUN),MirrorID,
S/N,CTRLID,Type,Range,Delete Mode,Result}
=[{4C-0x00-0,4A-0x00-0,0x00,467676,18,P-VOL,LU,Normal,
Normal end}],Num. of Pairs=1
Example:
+{iScsiPort[0]{
Port=1A,
iScsiTarget[0]{
  Id=0,Name="Name",Alias="Alias",UserAuthSwitch=Enable, 
  Result=Normal end}}}

Description of log examples in this manual

The log examples in this manual contain only the basic information and detailed information of audit log information.

An audit log header appears before the basic information and each detailed information respectively.

For Detailed information format 2 above, line feeds are added to make it easy to see, while no line feed is added to the actual logs.

[Figure: Detailed information format 1]
[Figure: Detailed information format 2]

Format of audit log files when audit log files are transferred to the syslog server

If an audit log file is to be transferred to the syslog server, syslog header information is included in the audit log file.

The following figure shows the format of audit log files when audit log files are transferred to the syslog server.

[Figure: format of audit log files transferred to the syslog server]

Part: Description

  • syslog.PRI: The same priority is set for syslog.PRI and for the audit log header.
  • syslog.HEADER: The syslog.HEADER includes the date and time when the syslog data was sent.
  • syslog.MSG, Audit log header*: See Audit log header format (RFC3164-compliant) or Audit log header format (RFC5424-compliant). The audit log header includes the date and time when the audit event occurred.
  • syslog.MSG, Audit log information: See Audit log information format (Basic information) and Audit log information format (Detailed information).

* If the format of the audit log header is RFC3164-compliant, syslog.PRI, syslog.HEADER, and syslog.MSG will be sent in an RFC3164-compliant format.

  If the format of the audit log header is RFC5424-compliant, syslog.PRI, syslog.HEADER, and syslog.MSG will be sent in an RFC5424-compliant format.

The following figure shows an example of data when an audit log file is transferred to the syslog server.

[Figure: example of data when an audit log file is transferred to the syslog server]