Logging

You can track operations, monitor security, and investigate potential errors using the audit logs created by the SVP.

Introduction

Audit logs are created on the Service Processor (SVP) computer in the storage system. You can access the audit logs that are output by the SVP, but the SVP is accessible only by support personnel.

Overview

The audit log is an important tool that you can use to keep track of operations, to monitor security, to investigate the cause of errors, and to avoid potential errors.

Audit logs store the following histories:

  • Operations performed from a Device Manager - Storage Navigator computer or an SVP.
  • Commands that the storage system received from a host, a computer using CCI, or a host using Business Continuity Manager.
  • Operations and events about encryption keys for data encryption.

The history may not be output in chronological order. This history includes the user, the time of the operation, the name of the operation, any parameters set, and the end result (normal completion or error message). Each audit log file ends with a serial number, from 0,000,000,000 to 4,294,967,295. When the number reaches 4,294,967,295, it resets and starts over at 0,000,000,000.

There are two types of audit log files:

  • Audit log file, which consists of two files:
    • Auditlog information file 1 contains operations performed from the Device Manager - Storage Navigator computer or SVP, and operations about encryption keys.
    • Auditlog information file 2 contains commands sent from a host, a computer using CCI, or a host using Business Continuity Manager, and events about encryption keys.

    You can download them to your Device Manager - Storage Navigator computer or transfer them to a primary or secondary FTP server.

  • Syslog file. This file contains the audit log. You can download it to your Device Manager - Storage Navigator computer or transfer it to a primary or secondary syslog server.

    The syslog file has two types of formats: RFC3164-compliant and RFC5424-compliant. You can select either of the formats when downloading syslog files and transferring syslog files to syslog servers.

Features

The audit log feature stores a history of all operations performed on a computer using the Device Manager - Storage Navigator feature. This history includes the user, the time of the operation, the name of the operation, any parameter set, and the end result (normal completion or error message). The audit log file records until full and then starts over, rerecording from the beginning of the file.

Audit Log file description

The following table describes the audit log file components:

Component | Audit Log File | Syslog File

File Type

  • Audit Log File: Text format: Auditlog information file 1 and Auditlog information file 2. Files are compressed in tgz format.
  • Syslog File: Text format. In syslogYYYYMMDD.tgz, there are syslog-svp.log (audit log file for SVP) and syslog-dkc.log (audit log file for DKC).

Downloaded File Name

  • Audit Log File: audit-SVPYYYYMMDD.tgz or audit-DKCYYYYMMDD.tgz, where YYYY = year, MM = month, DD = day. The file name can be changed when downloading.
  • Syslog File: syslogYYYYMMDD.tgz, where YYYY = year, MM = month, DD = day. The file name can be changed when downloading.

File Name Transferred to the FTP Server

  • Audit Log File: Audit-SVPSSSSSYYYYMMDDHHMMSS.tgz or Audit-DKCSSSSSYYYYMMDDHHMMSS.tgz, where SSSSS = serial number, YYYYMMDD = date of the transfer, and HHMMSS = hour (HH), minute (MM) and second (SS) of the transfer. The output folder must be specified in the FTP tab on the Edit Audit log Settings window.
  • Syslog File: N/A

Linefeed Codes

  • Audit Log File: CR + LF. The standard linefeed codes for Windows. Some text editors cannot display these codes correctly.
  • Syslog File: LF. The standard linefeed codes for UNIX. Some text editors cannot display these codes correctly.

File Output

  • Audit Log File: Contains login and logout information as well as basic and detailed information about settings made for each option.
    • Basic information consists of information common to each audit log.
    • Detailed information consists of information about the operations of each executed option. This includes an index representing each item and its values.
  • Syslog File: Contains the same information as released to the audit log file. However, the output format differs between the audit log file and the syslog file. (Some items are output to the syslog file only.)

Maximum Line Size

  • Audit Log File: 1,024 bytes
  • Syslog File: 1,024 bytes

Maximum Number of Lines

  • Audit Log File: 250,000 lines
  • Syslog File: 250,000 lines

Maximum Size of Files

  • Audit Log File: 122.5 MB
  • Syslog File: 488.2 MB

When Reaching the Maximum Number of Lines

  • Audit Log File: The newest data overwrites the oldest data (wrap around). The corresponding status icon is shown on the Device Manager - Storage Navigator main window.
  • Syslog File: The newest data overwrites the oldest data (wrap around). Also, the following log is output in the syslog file.
    • [AuditLog], Over MaxLine

Threshold of the Maximum Number of Lines and When Reaching Threshold

  • Audit Log File: The threshold value is 70% (175,000 lines) of the maximum number of lines.
    • If the audit log information reaches the threshold, a warning message urging you to download the audit log file appears when you log in to Device Manager - Storage Navigator. Also, the corresponding status icon is shown on the Device Manager - Storage Navigator main window.
    • If you set files to be transferred to an FTP server, the audit log file is automatically transferred to the FTP server when the information stored in the audit log file reaches the threshold.
    • Once you download or transfer the audit log file, the counter is reset and monitoring will start from 0% again.
  • Syslog File: The threshold value is 70% (175,000 lines) of the maximum number of lines. When the audit log information reaches the threshold, the following log is output in the syslog file.
    • [AuditLog], Over Threshold

    If this log is output, download the file as necessary before old information is overwritten. Once you download the file, the counter is reset and monitoring will start from 0% again.

Audit log file format

The following figures show sample audit log files:

  • [Figure: Audit Log File 1 (SVP)]
  • [Figure: Audit Log File 2 (DKC)]

Basic Information

Each item output in the audit log information file is delimited by commas (,).

Item | File 1 (SVP) | File 2 (DKC)

Version

  • File 1 (SVP): XXYY indicates the model name (XX) and the version number in audit log output format (YY). When the output format is changed, the value of YY is updated. See Log output formats for different versions for the changed contents of XXYY.
  • File 2 (DKC): Same as File 1.

Date

  • File 1 (SVP): YYYYMMDD indicates the year, month, and day the audit log was created. The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the time accumulated since January 01, 1970.
  • File 2 (DKC): Same as File 1.

Time

  • File 1 (SVP): HH:MM:SS.xxx indicates the hour, minute, second, and millisecond the audit log was created.
  • File 2 (DKC): Same as File 1.

Time zone

  • File 1 (SVP): The time difference between Coordinated Universal Time (UTC) and the local time is displayed as "±HH:MM" (HH: hour, MM: minute). For example: "+09:00", "-08:00", "00:00"
  • File 2 (DKC): Same as File 1.

Interface

  • File 1 (SVP):
    • RMI AP indicates the log for Device Manager - Storage Navigator and Remote Method Invocation Applications such as Hitachi Command Suite (HCS).
    • SVP indicates the log for the SVP.
    • RM AP indicates the log for Remote Maintenance Application.
  • File 2 (DKC):
    • In-band OPEN: Logs for commands received from open-system hosts, or FC-SP authentication logs
    • In-band MF: Logs for commands received from mainframe-system hosts
    • Out-of-band: Logs for commands received from computers using CCI
    • No output for the event logs about encryption keys.

Login user name

  • File 1 (SVP):
    • A user name is output for Device Manager - Storage Navigator, RMI AP or SVP operations.
    • <System> is output when the storage system detects the failure.
    • No output for RM AP operations.
  • File 2 (DKC):
    • A user name is output for commands received by a command device for authentication. A numeric value may be output as a user name for commands received while the SVP is running.
    • <Host> is output for other operations.
    • <system> is output for the event about encryption keys.

Connection number

  • File 1 (SVP):
    • 0 - 161 indicate Device Manager - Storage Navigator or SVP connection ID.
    • 162 - 193 indicate Hitachi Command Suite and RMI AP connection ID.
    • 194 indicates SMI-S(RMI) connection ID.
    • No output for RM AP operations.
    • No output when the login user name is <System>.
  • File 2 (DKC):
    • 195 - 706 indicate a connection number assigned when a command device for authentication received the command.
    • No output for other operations.

Task name

  • File 1 (SVP): Task name specified when a task is registered. No task name is output when a user performs operations using the Device Manager - Storage Navigator secondary window.
  • File 2 (DKC): No output.

Function name

  • File 1 (SVP): The abbreviation indicating the function that performed the operation.
    • Maintenance window name is output for SVP operations.
  • File 2 (DKC):
    • User Auth indicates a user authentication command.
    • FC-SP indicates a device authentication command.
    • Config Command indicates a configuration changing command.
    • [ENC] is output for the event about encryption keys.

Operation or event name

  • File 1 (SVP): The operation or event name.
  • File 2 (DKC): The following items are output only when Function name is User Auth. No output for other operations.
    • Login indicates that a log-in command is received.
    • Logout indicates that a log-out command is received.

    The event name is output when the function name is [ENC].

Parameters

  • File 1 (SVP): Parameters for certain functions.
  • File 2 (DKC): No output.

Result

  • File 1 (SVP): The result of your operation.
    • Normal end. The operation has ended normally.
    • Error (xxxx-yyyyy). The operation has ended abnormally.
    • Warning (xxxx-yyyyy). The operation has partly ended abnormally or was canceled during the operation.

    xxxxx-yyyyyy is an error code. xxxxx is a part code of four or five digits showing where the error occurs. yyyyyy is a message ID of four, five, or six digits. For more information about error codes, see Hitachi Device Manager - Storage Navigator Messages. Note that error codes "xxxx-yyyyy" appear only for Device Manager - Storage Navigator operations.
  • File 2 (DKC): The result of the received commands.
    • Normal end. The authentication has ended normally, or the event about encryption keys occurs.
    • Error. The authentication has ended abnormally.
    • Accept. Received the commands from the host.
    • Reject. Rejected the commands from the host.

Host identification

  • File 1 (SVP): An IP address (IPv4 or IPv6) is output for Device Manager - Storage Navigator, RMI AP and SVP operations. The IP address may be that of the proxy server or the router depending on the configuration of the connected network.

    No output for RM AP operations. No output when the login user name is <System>.

    Even if both IPv4 and IPv6 are available for communication between the Device Manager - Storage Navigator computer and the SVP, the Device Manager - Storage Navigator secondary window uses IPv4 communication. In this case, IPv4 addresses are output to audit logs.
  • File 2 (DKC):
    • A WWN is output for unauthenticated open-system hosts. When a command is received from a different storage system, a WWN for the storage system sending the command is output.
    • A host name is output for authenticated open-system hosts.
    • A serial number is output for mainframe system hosts. When a command is received from a different storage system, a serial number for the storage system sending the command is output.
    • A host name is output for computers using CCI.
    • A WWN is output for the FC-SP authentication.
    • No output for the event about encryption keys.

Application identification

  • File 1 (SVP): No output.
  • File 2 (DKC):
    • An internal-use ID is output for open-system hosts.
    • An LPR number is output for mainframe system hosts.
    • 0x0000 is output if a command comes from another storage system.
    • No output for other commands.

    No output for the FC-SP authentication, computers using CCI, hosts using Business Continuity Manager or the event about encryption keys.

Serial number

  • File 1 (SVP): The serial number of the saved log information (0000000000 to 4294967295). When the number reaches 4,294,967,295, it is reset to 0000000000.
  • File 2 (DKC): Same as File 1.
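Because the serial number wraps at 4,294,967,295 and records may not be in chronological order, a plain sort-and-compare misreports gaps. The following added example (not Hitachi code) finds missing serial numbers in a downloaded file; the function names are hypothetical, the sample lines are constructed, and it assumes the serial number is the last comma-delimited item of each basic-information line.

```python
import re

MOD = 2 ** 32   # serial numbers run 0000000000..4294967295, then reset to 0

# Constructed sample lines (not from a real system). Assumption: the basic
# information items appear in the order the table lists them, serial last.
SAMPLE_LINES = [
    "0812,20240105,10:15:02.123,+09:00,RMI AP,userA,1,,[BASE],Login,,Normal end,192.0.2.10,,4294967293",
    "0812,20240105,10:15:03.001,+09:00,RMI AP,userA,1,,[BASE],Login,,Normal end,192.0.2.10,,4294967294",
    "0812,20240105,10:15:07.450,+09:00,RMI AP,userB,2,,[BASE],Login,,Normal end,192.0.2.11,,0000000000",
    "+Copy Type=TI",   # detailed-information line: carries no serial number
    "0812,20240105,10:15:08.020,+09:00,RMI AP,userB,2,,[BASE],Login,,Normal end,192.0.2.11,,0000000001",
    "0812,20240105,10:15:05.900,+09:00,RMI AP,userA,1,,[BASE],Login,,Normal end,192.0.2.10,,4294967295",
    "0812,20240105,10:15:12.310,+09:00,RMI AP,userB,2,,[BASE],Login,,Normal end,192.0.2.11,,0000000004",
]


def serial_of(line):
    """Return the trailing 10-digit serial number of a line, or None."""
    match = re.search(r",(\d{10})\s*$", line)
    return int(match.group(1)) if match else None


def missing_serial_ranges(serials, expected_first=None):
    """Return [(first_missing, last_missing), ...], wrap-around aware.

    expected_first is the serial that should open this file (last serial of
    the previous download + 1). Without it, the window is assumed to start
    right after the widest circular gap between observed serials.
    """
    seen = sorted({s % MOD for s in serials})
    if not seen:
        return []
    if expected_first is None:
        gaps = [((seen[(i + 1) % len(seen)] - s) % MOD, i)
                for i, s in enumerate(seen)]
        widest = max(gaps)[1]
        start = seen[(widest + 1) % len(seen)]
    else:
        start = expected_first % MOD
    # Unwrap every serial into its distance from the window start.
    offsets = sorted((s - start) % MOD for s in seen)
    missing, expected = [], 0
    for off in offsets:
        if off > expected:
            missing.append(((start + expected) % MOD, (start + off - 1) % MOD))
        expected = off + 1
    return missing


def lost_count(ranges):
    """Number of records covered by the missing ranges."""
    return sum(((last - first) % MOD) + 1 for first, last in ranges)


def observed_serials(lines):
    """Serial numbers of all lines that carry one, in file order."""
    return [s for s in map(serial_of, lines) if s is not None]


if __name__ == "__main__":
    gaps = missing_serial_ranges(observed_serials(SAMPLE_LINES))
    print(gaps, lost_count(gaps))
```

A non-empty result after a download means records were overwritten or never transferred, which is the condition the threshold and maximum-line warnings exist to prevent.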

Detailed Information

The indexes and setting values that indicate the set items are output to the detailed information. There are two detailed information formats.

Detailed information format 1

Example:

+Copy Type=TI
++{P-VOL(LDKC:CU:LDEV),S-VOL(LDKC:CU:LDEV),PoolID,MU,
Snapshot Group,Result}
=[{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,1,SnapshotSet1,Normal end},
{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,,SnapshotSet2,Error(xxxx-yyyy)}],
Num. of Pairs=2

Symbol | Definition

+ and -
    '+' or '-' displays at the beginning of a line.
    '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
    '-' means that the line continues from the previous line.

=
    Connects an index and a setting value.

[ ]
    When there is more than one setting value for an index, the setting values are enclosed by [ ], and separated by a comma (,).
    Example: CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]

{ }
    Details are enclosed by {}.
    Example: {Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}]

( )
    Supplementary and additional information for setting values are enclosed by ( ).
    Example: {VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}

Note
  • If there is an item that is not specified when entering commands or performing operations, a hyphen (-) is output for its setting value, no setting value is output, or the index itself is not output.
  • For audit logs generated by commands sent from hosts, computers using CCI, or hosts using Business Continuity Manager, if an invalid value is specified when entering commands, numerical characters might be output in the index for character strings and vice versa.
  • For audit logs generated by events related to encryption keys, if an audit log to be output contains invalid values, numerical characters might be output in the index for character strings or nothing is output for detailed information.
  • For audit logs output in Audit log information file 2 (DKC), values different from the specified ones might be output because optimal values might be automatically assigned in DKC.
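
One way to turn detailed information format 1 into structured records so that per-resource failures can be pulled out, shown as an added example (not Hitachi code). It assumes a leading '-' is a continuation marker to be dropped and also joins lines wrapped for display, as in the example above; `parse_detail` and `failed_rows` are hypothetical names.

```python
import re

UNSET = ("", "-")   # per the Note: an unspecified item is "-" or empty

# The example from this section, with its display line wraps kept as-is.
PAGE_EXAMPLE = [
    "+Copy Type=TI",
    "++{P-VOL(LDKC:CU:LDEV),S-VOL(LDKC:CU:LDEV),PoolID,MU,",
    "Snapshot Group,Result}",
    "=[{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,1,SnapshotSet1,Normal end},",
    "{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,,SnapshotSet2,Error(xxxx-yyyy)}],",
    "Num. of Pairs=2",
]


def split_top_level(text, sep=","):
    """Split text on sep, ignoring separators nested in [ ], { } or ( )."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch in "[{(":
            depth += 1
        elif ch in "]})":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_value(text):
    """[ ] becomes a list, { } a tuple, an unset item None, the rest a str."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        return [parse_value(p) for p in split_top_level(text[1:-1])]
    if text.startswith("{") and text.endswith("}"):
        return tuple(parse_value(p) for p in split_top_level(text[1:-1]))
    return None if text in UNSET else text


def parse_detail(lines):
    """Parse format 1 lines into [{'indent', 'index', 'value'}, ...]."""
    joined = []
    for raw in lines:
        line = raw.strip("\r\n")
        plus = re.match(r"\++", line)
        if plus:                    # '+' starts an index; count = indent level
            joined.append([len(plus.group()), line[plus.end():]])
        elif joined and line:       # '-' or a display wrap continues the line
            joined[-1][1] += line[1:] if line.startswith("-") else line
    entries = []
    for indent, body in joined:
        for piece in split_top_level(body):
            if not piece.strip():
                continue
            index, *rest = split_top_level(piece, "=")
            value = parse_value("=".join(rest))
            keys = parse_value(index)
            if isinstance(keys, tuple):   # {k1,k2}=...: pair keys with each row
                rows = value if isinstance(value, list) else [value]
                value = [dict(zip(keys, row)) for row in rows
                         if isinstance(row, tuple)]
            entries.append({"indent": indent, "index": index.strip(),
                            "value": value})
    return entries


def failed_rows(entries):
    """Rows whose Result item is present and is not 'Normal end'."""
    bad = []
    for entry in entries:
        if isinstance(entry["value"], list):
            bad += [row for row in entry["value"] if isinstance(row, dict)
                    and row.get("Result") not in (None, "Normal end")]
    return bad


if __name__ == "__main__":
    for row in failed_rows(parse_detail(PAGE_EXAMPLE)):
        print(row)
```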

Detailed information format 2

Example:

+{Alus[0]{
  Id="60-06-0E-81-30-76-D9-30-76-D9-00-00-00-00-00-49",
  Result=Normal end,LdevId=0x00:0x00:0x49}}

Note: Line feeds are added to make the example easy to see, while no line feed is added to the actual logs.

Symbol | Definition

+ and -
    '+' or '-' displays at the beginning of a line.
      • '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
      • '-' means that the line continues from the previous one.

{ }
    The tiering relation is indicated by the following format.
    Parent setting item{Child setting item 1, Child setting item 2{Grandchild setting item 2-1, Grandchild setting item 2-2,...},...}

=
    Connects an index and a setting value.

[x]
    For the log output by the command or operation in which multiple resources or items of the same type can be set at one time, the resource or item of the same type is indicated as follows.
    Setting item[x] (where x is a number: 0, 1, 2,...)

Note: If there is an item that is not specified when entering commands or performing operations, "null" is output for its setting value, or the index itself is not output.

Log output formats for different versions

Version number | Changes

0802

The log output format for DKCMAIN program version 80-01-2x-xx/xx (xx is a two-digit number.) or later.

0803

The log output format for DKCMAIN program version 80-01-4x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0802. There are no changes to other log formats.

  • Output format of the detailed information for [Remote Replication] Create Pairs
  • Output format of the detailed information for [Remote Replication] Delete Pairs
  • Output format of the detailed information for [Remote Replication] Edit Options
  • Output format of the detailed information for [Remote Replication] Resync Pairs

0804

The log output format for DKCMAIN program version 80-02-0x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0803. There are no changes to other log formats.

  • Output format of the detailed information for [PROV] Create/Expand Pools
  • Output format of the detailed information for [PROV] Edit/Delete Pools

0805

The log output format for DKCMAIN program version 80-02-2x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0804. There are no changes to other log formats.

  • Changed the function name from [BASE] Edit System Options to [BASE] Advanced Settings

0806

The log output format for DKCMAIN program version 80-02-4x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0805. There are no changes to other log formats.

  • Output format of the detailed information for [BASE] Login
  • Output format of the detailed information for [Install] Set Subsystem Time
  • Output format of the detailed information for [PROV] Create LDEVs
  • Output format of the detailed information for [User Auth] Login

0807

The log output format for DKCMAIN program version 80-03-0x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0806. There are no changes to other log formats.

  • Output format of the detailed information for [Information] ORM Value

0808

The log output format for DKCMAIN program version 80-03-3x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0807. There are no changes to other log formats.

  • Output format of the detailed information for [Local Replication] Edit Options
  • Output format of the detailed information for [PROV] Create LDEVs
  • Output format of the detailed information for [PROV] Create/Expand Pools
  • Output format of the detailed information for [PROV] Edit/Delete Pools
  • Output format of the detailed information for [UVM] Add External Volumes

0809

The log output format for DKCMAIN program version 80-04-0x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0808. There are no changes to other log formats.

  • Output format of the detailed information for [Install] Install
  • Output format of the detailed information for [Local Replication] Edit Options
  • Output format of the detailed information for [PROV] Create LDEVs
  • Output format of the detailed information for Config Command (Open system) and Config Command (Mainframe system)

0810

The log output format for DKCMAIN program version 80-04-2x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0809. There are no changes to other log formats.

  • Output format of the detailed information for [Local Replication] Edit Options
  • Output format of the detailed information for [PROV] Edit Tiering Policy
  • Changed the operation name from [UVM] Edit External WWNs to Edit External WWNs / iSCSI Targets
  • Output format of the detailed information for [UVM] Add External Volumes, Disconnect ES Paths, Edit ES Path Config, and Reconnect ES Paths
  • Output format of the detailed information for [Config Command] Pairsplit-S(RemoteCopy)

0811

The log output format for DKCMAIN program version 80-05-0x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0810. There are no changes to other log formats.

  • Output format of the detailed information for [Install] Install
  • Output format of the detailed information for [Install] Remove
  • Output format of the detailed information for [Local Replication] Create Pairs
  • Output format of the detailed information for [Local Replication] Split Pairs
  • Output format of the detailed information for [PROV] Create LDEVs
  • Output format of the detailed information for [PROV] EditPortInfo
  • Output format of the detailed information for Add CHAP User
  • Output format of the detailed information for Add Ldev(Dynamic Provisioning)
  • Output format of the detailed information for Add Snapshot
  • Output format of the detailed information for Add SPM Group
  • Output format of the detailed information for Add SPM WWN
  • Output format of the detailed information for Delete CHAP User
  • Output format of the detailed information for Modify Pool(Data Direct Mapping)
  • Output format of the detailed information for Modify Port(iSCSI)
  • Output format of the detailed information for Reset CHAP User
  • Output format of the detailed information for Reset Ldev Priority
  • Output format of the detailed information for Set CHAP User
  • Output format of the detailed information for Set Ldev Priority
  • Output format of the detailed information for Add Pair when SIMF is specified to the copy type

0812

The log output format for DKCMAIN program version 80-06-0x-xx/xx (xx is a two-digit number.) or later. The following formats are changed from version number 0811. There are no changes to other log formats.

  • Output format of the detailed information for [Remote Replication] Add Quorum Disk ID
  • Output format of the detailed information for [Remote Replication] Del Quorum Disk ID

Syslog file format

Syslog file format (RFC3164-compliant)

The following figure shows a sample syslog file.

[Figure: sample syslog file (RFC3164-compliant)]

Only one of items 29 and 30 is output in a single piece of syslog information.

No. | Item | Description

1. Priority
    The priority of an item in the syslog file is determined according to the following formula, enclosed by brackets (< >):

    Priority = 8 × Facility + Severity

    Facility is 1 (fixed).

    Severity depends on the type of log information:

      • 4: Error or Warning. Error means the operation has ended abnormally. Warning means the operation has partly ended abnormally or was canceled during the operation.
      • 6: Informational. The operation has ended normally.

    For example, <12> indicates the priority when the severity is error.

2. Date, time*
    The date and time in the format of "MMM DD HH:MM:SS" (MMM: month such as Jan or Dec, DD: day, HH: hour, MM: minute and SS: second).

    If the "DD" is a single digit (for example, 1), it is displayed as " 1" (with a blank space before "1") and not as "01".

3. Detected location
    The host name (SVP).

4. Program name
    The detection entity identifier (Storage).

5. Unified specification identification
    The Unified specification identifier (CELFSS).

6.
    The revision number of the Unified specification document (1.1).

7. Message identification
    The serial number of the syslog header information.

8.
    No output.

9. Date, time#2*
    The date, time and the time difference between UTC and the local time in the format of "YYYY-MM-DD-Thh:mm:ss.s ± hh:mm".

      • YYYY: year, MM: month, DD: day
      • hh: hour, mm: minute, ss.s: second in one decimal place.
      • ± hh:mm: hours and minute of the time difference. "Z" is displayed instead of "± hh:mm" when there is no time difference between UTC and the local time, such as "2005-12-26T:23:06:58.0Z".

10. Detection entity
    The detection entity identifier (Storage).

11. Detected location
    The host name (SVP).

12. Type of audit event
    The category name of the event.

      • Authentication indicates authentication of RMI, FC-SP, or Device Manager - Storage Navigator.
      • ConfigurationAccess indicates setting from Device Manager - Storage Navigator, SVP or host.
      • Maintenance indicates SVP operations.
      • AnomalyEvent indicates an event such as the Audit Log reaching its maximum.
      • ExternalService indicates remote maintenance operations through SVP.

13. Result of audit event
      • Success: Normal end. The operation has ended normally.
      • Failed: Error (xxxx-yyyy). The operation has ended abnormally.
      • Failed: Warning (xxxx-yyyy). The operation has partly ended abnormally or was canceled during the operation.

    "xxxx-yyyyy" indicates error codes and it is output only for Device Manager - Storage Navigator operations.

14. Subject identification
    The user name in the format of "uid=user name".

      • <system> is output when the category name is AnomalyEvent.
      • <DKCMaintenance> is output for SVP operations.
      • <Host> is output for commands from host.
      • A numeric value may be output as a user name for commands received while the SVP is running.

15. Hardware identification
    The ID (R800) to identify the model name of the product and the serial number divided by a colon.

16. Generated location
    No output.

17. Related information
    The location identification name set by the user in the Syslog tab on Edit Audit Log Settings window.

18.
    No output.

19.
    No output.

20. Agent information
    No output.

21. Detailed information
    Identification of the host sending the request.

    This information is output when a command is received from the host unless it is FC-SP authentication.

22.
    No output.

23.
    No output.

24.
    No output.

25.
    Collective operation identifier. This is a serial number that identifies multiple lines output by one operation as belonging to the same operation.

    Output only if the log type information is "BasicLog" and the category name is other than "AnomalyEvent".

26.
    Log type information:

      • BasicLog: basic information
      • DetailLog: detailed information

    No output when the category name is "AnomalyEvent".

27.
    Identification of the application. This information is output when commands are sent from the host.

28.
    No output.

29.
    The same information contained in the basic information of the audit log file, such as interface, connection number, task name, function name, operation name, parameter, result, and serial number. Task name is output only when a task is registered using Device Manager - Storage Navigator. No parameter is output if the operation has no parameters. No serial number is output when the category name is "AnomalyEvent".

30.
    The same information contained in the detailed information of the audit log file.

* The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the time accumulated since January 01, 1970.

Syslog file format (RFC5424-compliant)

[Figure: sample syslog file (RFC5424-compliant)]

Only one of items 21 and 22 is output in a single piece of syslog information.

No. | Item | Description

1. Priority
    The priority of an item in the syslog file is determined according to the following formula, enclosed by brackets (< >):

    Priority = 8 × Facility + Severity

    Facility is 1 (fixed).

    Severity depends on the type of log information:

      • 4: Error or Warning. Error means the operation has ended abnormally. Warning means the operation has partly ended abnormally or was canceled during the operation.
      • 6: Informational. The operation has ended normally.

    For example, <12> indicates the priority when the severity is error.

2. Version
    The version (1).

3. Date, time*
    The date, time and the time difference between UTC and the local time in the format of "YYYY-MM-DD-Thh:mm:ss.s ± hh:mm".

      • YYYY: year, MM: month, DD: day
      • hh: hour, mm: minute, ss.s: second in one decimal place.
      • ± hh:mm: hours and minute of the time difference. "Z" is displayed instead of "± hh:mm" when there is no time difference between UTC and the local time, such as "2005-12-26T:23:06:58.0Z".

4. Detected location
    The host name (SVP).

5. Program name
    The detection entity identifier (Storage).

6. Process name
    The process name (-).

7. Message ID
    The message ID (-).

8. Structured data
    The structured data (-).

9. Unified specification identification
    The unified specification identifier (CELFSS).

10.
    The revision number of the unified specification document (1.1).

11. Message identification
    The serial number of the syslog header information.

12. Type of audit event
    The category name of the event.

      • Authentication indicates authentication of RMI, FC-SP, or Device Manager - Storage Navigator.
      • ConfigurationAccess indicates setting from Device Manager - Storage Navigator, SVP or host.
      • Maintenance indicates SVP operations.
      • AnomalyEvent indicates an event such as the Audit Log reaching its maximum.
      • ExternalService indicates remote maintenance operations through SVP.

13. Result of audit event
      • Success: Normal end. The operation has ended normally.
      • Failed: Error (xxxx-yyyy). The operation has ended abnormally.
      • Failed: Warning (xxxx-yyyy). The operation has partly ended abnormally or was canceled during the operation.

    "xxxx-yyyyy" indicates error codes and it is output only for Device Manager - Storage Navigator operations.

14. Account identification
    The user name in the format of "uid=user name".

      • <system> is output when the category name is AnomalyEvent.
      • <DKCMaintenance> is output for SVP operations.
      • <Host> is output for commands from host.
      • A numeric value may be output as a user name for commands received while the SVP is running.

15. Hardware identification
    The ID (R800) to identify the model name of the product and the serial number divided by a colon.

16. Related information
    The location identification name set by the user in the Syslog tab of Edit Audit Log Settings window.

17. Detailed information
    Identification of the host sending the request.

    This information is output when a command is received from the host unless it is FC-SP authentication.

18.
    Collective operation identifier. This is a serial number that identifies multiple lines output by one operation as belonging to the same operation.

    Output only if the log type information is "BasicLog" and the category name is other than "AnomalyEvent".

19.
    Log type information:

      • BasicLog: basic information
      • DetailLog: detailed information

    No output when the category name is "AnomalyEvent".

20.
    Identification of the application. This information is output when commands are sent from the host.

21. Detailed information
    The same information contained in the basic information of the audit log file, such as interface, connection number, task name, function name, operation name, parameter, result, and serial number. Task name is output only when a task is registered using Device Manager - Storage Navigator. No parameter is output if the operation has no parameters. No serial number is output when the category name is "AnomalyEvent".

22.
    The same information contained in the detailed information of the audit log file.

    No serial number is output when the category name is "AnomalyEvent".

* The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the time accumulated since January 01, 1970.
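
On a syslog server, the Priority formula, the category names and the two [AuditLog] capacity messages described in both syslog format sections are enough for a first triage pass. The following is an added example, not Hitachi code: the sample lines are constructed, and it assumes the items after the header are comma-delimited, which the page does not state. `triage` and `alerts` are hypothetical names.

```python
import re

FACILITY = 1                                    # "Facility is 1 (fixed)"
SEVERITIES = {4: "error-or-warning", 6: "informational"}
CATEGORIES = ("Authentication", "ConfigurationAccess", "Maintenance",
              "AnomalyEvent", "ExternalService")
CAPACITY_MARK = re.compile(r"\[AuditLog\],\s*Over (Threshold|MaxLine)")

# Constructed samples. The timestamp string is the example value quoted in
# the tables; all other values are placeholders.
SAMPLES = [
    "<14>1 2005-12-26T:23:06:58.0Z SVP Storage - - - CELFSS,1.1,101,"
    "Authentication,Success,uid=userA,R800:00001,BasicLog",
    "<12>1 2005-12-26T:23:06:58.0Z SVP Storage - - - CELFSS,1.1,102,"
    "Authentication,Failed,uid=userB,R800:00001,BasicLog",
    "<14>Dec 26 23:06:58 SVP Storage: CELFSS,1.1,103,,2005-12-26T:23:06:58.0Z,"
    "Storage,SVP,AnomalyEvent,Success,uid=<system>,R800:00001,"
    "[AuditLog], Over MaxLine",
    "<14>1 2005-12-26T:23:06:58.0Z SVP Storage - - - CELFSS,1.1,104,"
    "AnomalyEvent,Success,uid=<system>,R800:00001,[AuditLog], Over Threshold",
    "<38>1 2005-12-26T:23:06:58.0Z SVP Storage - - - CELFSS,1.1,105,"
    "Authentication,Success,uid=userC,R800:00001,BasicLog",
]


def triage(line):
    """Classify one syslog line; 'alert' is None when nothing needs action."""
    head = re.match(r"<(\d{1,3})>(.*)", line.strip(), re.S)
    if not head:
        return {"alert": "unparseable"}
    # Priority = 8 x Facility + Severity, so divmod recovers both parts.
    facility, severity = divmod(int(head.group(1)), 8)
    rest = head.group(2)
    tokens = [t.strip() for t in rest.split(",")]
    result = next((t for t in tokens
                   if t.startswith(("Success", "Failed"))), None)
    uid = re.search(r"uid=([^,]*)", rest)
    event = {
        # RFC5424 lines carry the version "1" right after the priority.
        "format": "RFC5424" if rest.startswith("1 ") else "RFC3164",
        "severity": SEVERITIES.get(severity),
        "category": next((t for t in tokens if t in CATEGORIES), None),
        "result": result,
        "user": uid.group(1) if uid else None,
        "alert": None,
    }
    capacity = CAPACITY_MARK.search(rest)
    if facility != FACILITY or severity not in SEVERITIES:
        # Not a priority this source emits: misrouted or altered in transit.
        event["alert"] = "unexpected-priority"
    elif capacity:
        event["alert"] = ("records-overwritten"
                          if capacity.group(1) == "MaxLine"
                          else "download-needed")
    elif (event["category"] == "Authentication"
          and result and result.startswith("Failed")):
        event["alert"] = "failed-authentication"
    return event


def alerts(lines):
    """(alert, user) pairs for every line that raised an alert."""
    return [(e["alert"], e.get("user")) for e in map(triage, lines)
            if e["alert"]]


if __name__ == "__main__":
    for item in alerts(SAMPLES):
        print(item)
```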

Using audit logs

You can download audit log files and syslog files to the Device Manager - Storage Navigator computer, or transfer audit log files to FTP servers or syslog servers.

Downloading audit log files

Download the audit log files to the Device Manager - Storage Navigator computer to prevent the old data from being overwritten. It takes from one to five minutes to download the audit log file.

WARNING: Do not download the audit log file to the Device Manager - Storage Navigator computer if the audit log is set to be transferred to an FTP server. Some information may not be transferred to the FTP server because the line counter resets when the audit log file is manually downloaded. Download the file only when the FTP server has failed and cannot receive the audit log file. If you want to transfer the audit log to the FTP server after downloading the log, transfer it manually. See Manually transferring audit log files to FTP servers for more information.

Before you begin

  • You must have Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role to download audit log files.

Procedure

  1. Click Audit Log on the menu bar of the Device Manager - Storage Navigator main window. The Audit Log Properties window opens. Each icon displayed on the menu bar indicates the accumulated status of the audit log information.

    • [icon] indicates the number of saved lines is below the threshold.
    • [icon] indicates the number of saved lines is above the threshold, but the data is still being saved.
    • [icon] indicates the number of saved lines has exceeded the maximum, and data is partly lost because the newest lines overwrote the oldest lines.
  2. Click Download (SVP) or Download (DKC) to open the Save As dialog box. Download (SVP) downloads the auditlog information file 1 and Download (DKC) downloads the auditlog information file 2.

  3. Select a destination for the file and click Save.

  4. Click Close to close the Audit Log Properties window.

Downloading syslog files

Syslog files stored in the storage system can be downloaded to the Device Manager - Storage Navigator computer as necessary. It takes from one to five minutes to download the syslog file.

Before you begin

  • You must have Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role to download syslog files.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Select the Syslog tab in the Edit Audit Log Settings window.

  2. Select Transfer Protocol. The output file format differs depending on the selected protocol.

  3. Click Download Syslog. The Specify the Destination dialog box appears.

  4. Enter the destination and the file name and click Save.

Automatically transferring audit log files to FTP servers

If you configure FTP server settings, the audit log will be automatically transferred to the FTP server when the number of lines in the file reaches the threshold.

Note: Keep a list of the items, such as the IP address, that you entered in the FTP tab of the Edit Audit Log Settings window. You may need to enter them again when an SVP is replaced.

Before you begin

  • You must have Audit Log Administrator (View & Modify) role to configure FTP server settings.
  • Ensure that SVP is connected to the FTP server on a LAN.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Select the FTP tab in the Edit Audit Log Settings window.

  2. Perform the following if using a primary FTP server.

    1. Click Enable the Primary Server.

    2. Select IPv4 or IPv6 on IP Address setting and enter the IP address.

    3. Enter the user name and the password you use to log in to the primary FTP server.

    4. Enter the output folder to which the audit log file is sent with the relative path from the home directory.

  3. Perform the following if using a secondary FTP server.

    1. Click Enable the Secondary Server.

    2. Select IPv4 or IPv6 on IP Address setting and enter the IP address.

    3. Enter the user name and the password you use to log in to the secondary FTP server.

    4. Enter the output folder to which the audit log file is sent with the relative path from the home directory.

  4. Click Finish.

  5. Confirm the settings from the setting confirmation window, and then enter the task name on Task Name.

  6. Click Apply. The task is registered. If you check the Go to tasks window for status check box, the Task window is displayed.

  7. Manually transfer the audit log file to confirm that the FTP server setting is correct.

    1. Check that the transfer setting task to the FTP server is complete on the Task window. If the task has not completed, wait until it is complete.

    2. Transfer the audit log file to the FTP server manually to confirm that the FTP server setting is correct. For details of manual transfer, see Manually transferring audit log files to FTP servers.

Troubleshooting

A SIM notifies a storage administrator that an FTP transfer has failed. This can occur when the audit log file is not transferred to an FTP server because either the FTP server or LAN has failed. You can view the SIM in the Alerts window. The reference code for a failed FTP transfer is 7C0300. If a SIM is reported, do the following:

  • Resolve the error on the FTP server or LAN, and then manually transfer the audit log file. Then complete the SIM as described in Completing SIM generated when FTP transfer of audit log files failed.

    If the SIM is not completed, no SIM will be generated at the next transfer failure.

  • If the error condition cannot be resolved, download the audit log file to the Device Manager - Storage Navigator computer by clicking Audit Log on the upper right of the Device Manager - Storage Navigator main window.

Completing SIM generated when FTP transfer of audit log files failed

Before you begin

  • You must have the Audit Log Administrator (View & Modify) and Storage Administrator (System Resource Management) roles to complete a SIM.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Select the FTP tab in the Edit Audit Log Settings window.

  2. Select the Complete SIMs check box.

  3. Click Finish.

  4. Confirm the settings from the setting confirmation window, and then enter the task name on Task Name.

  5. Click Apply. The task is registered. If you check the Go to tasks window for status check box, the Task window is displayed.

Manually transferring audit log files to FTP servers

You can transfer the audit log file manually from the SVP to the FTP server.

Before you begin

  • You must have Audit Log Administrator (View Only) or Audit Log Administrator (View & Modify) role.
  • Ensure that SVP is connected to the FTP server on a LAN.
  • The settings for transfer to the FTP server must already be configured. For details, see Automatically transferring audit log files to FTP servers.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Select the FTP tab in the Edit Audit Log Settings window.

  2. Click Transfer to Primary Server or Transfer to Secondary Server. A message appears indicating that the transfer has completed.

Transferring audit log to syslog servers

If you configure syslog server settings, the audit log will always be transferred to the syslog server and stored as syslog files.

You can select either of the following protocols to transfer the audit log to the syslog server. The output file format differs depending on the selected protocol.

  • TLS1.2/RFC5424
  • UDP/RFC3164

Note: When you use UDP/RFC3164, consider the characteristics of UDP (User Datagram Protocol) when designing a network. See http://www.ietf.org./rfc/rfc3164.txt (Request for Comments) issued by IETF (Internet Engineering Task Force) for more details.

Note: Keep a list of the items, such as the IP address, that you entered in the Syslog tab of the Edit Audit Log Settings window. You may need to enter them again when an SVP is replaced.

Before you begin

  • You must have Audit Log Administrator (View & Modify) role to configure syslog server settings.
  • Make sure the storage system is connected to syslog servers on a LAN.
  • Make sure the syslog servers are configured so that audit logs can be transferred to them.
  • The syslog server certificate and the client certificate are required to use TLS1.2/RFC5424.

Caution: If audit logs are transferred before the syslog server that receives them has been configured, the logs are not saved on the syslog server and are lost. See the user manual of the syslog server for the details of the syslog server setting.

Procedure

  1. Click Settings > Security > Edit Audit Log Settings. Select the Syslog tab in the Edit Audit Log Settings window.

  2. Select New Syslog Protocol (TLS1.2/RFC5424) or Old Syslog Protocol (UDP/RFC3164).

  3. Click Enable the Primary Server.

    1. Select IPv4 or IPv6 on Server setting and enter the IP address.

    2. Enter the Port Number in the primary server setting.

    3. Enter the client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) at Transfer Protocol).

  4. Perform the following if using a secondary syslog server.

    1. Click Enable the Secondary Server.

    2. Select IPv4 or IPv6 on Server setting and enter the IP address.

    3. Enter the Port Number in the secondary server setting.

    4. Enter the client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) at Transfer Protocol).

  5. Enter the name of the storage system from which you are transferring the audit log file in Location Identification Name.

  6. If you selected New Syslog Protocol (TLS1.2/RFC5424) for Transfer Protocol, specify Timeout, Retry Interval, and Number of Retries.

  7. If you want to transfer the detailed information of audit log to the syslog server, click Enable for Output Detailed Information.

  8. Click Send Test Message to Syslog Server to test the settings.

  9. Check that the test log (function name AuditLog, operation name Send Test Message) has been sent to the syslog server.

  10. Click Finish.

  11. Confirm the settings from the setting confirmation window, and then enter the task name on Task Name.

  12. Click Apply. The task is registered. If you check the Go to tasks window for status check box, the Task window is displayed.

  13. When the task has completed, confirm that the syslog server has received the log of the syslog server setting. The function name of the log is "AuditLog" and the operation name is "Set Syslog Server".

    If the audit log is not received by the syslog server, check whether the set IP address and port number match the IP address and port number of the syslog server, and make sure that the Client Certificate File Name, password, and the Root Certificate File Name are correct. If the settings are correct, check the syslog server setting. See the user manual of the syslog server for the details of the syslog server setting.
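
With UDP/RFC3164, lines can be dropped or arrive out of order, so the receiving side can use the audit log serial number (0 to 4,294,967,295, then back to 0) to find lines that never arrived. The following is an added example, not Hitachi code: the function names and the MAX_GAP limit are assumptions, and it expects the caller to have already extracted each line's serial number according to the format tables, passing None for lines without one.

```python
from typing import Iterable, List, Optional, Tuple

MODULUS = 2**32   # serial numbers run 0..4,294,967,295, then restart at 0
MAX_GAP = 10_000  # assumption: a larger jump is reported as one range, not tracked per line
Range = Tuple[int, int]  # inclusive (first, last); may wrap past 4,294,967,295


def _to_ranges(pending: set, newest: Optional[int]) -> List[Range]:
    """Collapse the still-missing serials into ranges, oldest first."""
    ranges: List[Range] = []
    for s in sorted(pending, key=lambda s: (s - newest) % MODULUS):
        if ranges and (ranges[-1][1] + 1) % MODULUS == s:
            ranges[-1] = (ranges[-1][0], s)
        else:
            ranges.append((s, s))
    return ranges


def find_lost_serials(serials: Iterable[Optional[int]]) -> Tuple[List[Range], int]:
    """Return (missing ranges, repeat count); None marks a line with no serial number."""
    newest = None    # most advanced serial seen so far
    pending = set()  # skipped serials that may still arrive late
    big_gaps: List[Range] = []
    repeats = 0      # duplicates, or lines older than the first one seen
    for s in serials:
        if s is None:
            continue
        if newest is None:
            newest = s
            continue
        ahead = (s - newest) % MODULUS
        if ahead == 0:
            repeats += 1
        elif ahead < MODULUS // 2:  # newer than anything seen, wraparound included
            if ahead - 1 > MAX_GAP:
                big_gaps.append(((newest + 1) % MODULUS, (s - 1) % MODULUS))
            else:
                pending.update((newest + k) % MODULUS for k in range(1, ahead))
            newest = s
        elif s in pending:          # late arrival fills an earlier gap
            pending.discard(s)
        else:
            repeats += 1
    return big_gaps + _to_ranges(pending, newest), repeats


# Constructed arrival order: wraps past the maximum, 0 arrives late, 2 repeats.
SAMPLE = [4294967293, 4294967294, None, 1, 0, 2, 2, 5]
```

For the constructed sample, the result reports serial 4294967295 and serials 3 to 4 as missing, with one repeat. Ranges that stay missing after the reorder window has passed are the ones to investigate.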