Audit log file format

Audit Log User Guide for VSP 5000 Series

Version
90-08-8x
Audience
anonymous
Part Number
MK-98RD9010-12

The following figures show sample audit log files:

Audit Log File 1 (SVP)



Audit Log File 2 (DKC)



Basic Information

Each item output in the audit log information file is delimited by commas (,).

No.

Item

File 1 (SVP)

File 2 (DKC)

Version

XXYY indicates the model name (XX) and the version number in audit log output format (YY). When the output format is changed, the value of YY is updated.

See Log output formats for different versions for the changed contents of XXYY.

Same as File 1.

Date

YYYYMMDD indicates the year, month, and day the audit log was created.

A date and a time being set on the SVP are output as log data. If a failure, such as an SVP failure and a LAN failure, occurs in the storage system, the data and the time may be output of the accumulated date and time since January 01, 1970.

YYYYMMDD indicates the year, month, and day the audit log was created.

A date and a time that were received from the storage system are output as log data.

Time

HH:MM:SS.xxx indicates the hour, minute, second, and millisecond the audit log was created.

Same as File 1.

Time zone

The time difference between Coordinated Universal Time (UTC) and the local time is displayed as "±HH:MM" (HH: hour, MM: minute).

For example:

"+09:00", "-08:00", "00:00"

Same as File 1.

Interface

  • RMI AP indicates the log for Device Manager - Storage Navigator and Remote Method Invocation Applications such as Hitachi Command Suite (HCS).
  • SVP indicates the log for the SVP.
  • RM AP indicates the log for Remote Maintenance Application.
  • GUM indicates the log for Maintenance Utility
  • In-band OPEN: Logs for commands received from open-system hosts, or FC-SP authentication logs
  • In-band MF: Logs for commands received from mainframe-system hosts
  • Out-of-band: Logs for commands received from computers using CCI
  • No output for the event logs about encryption keys.

Login user Name

  • A user name is output for Device Manager - Storage Navigator, RMI AP or SVP operations.
  • <System> is output when the SVP detects the failure.
  • No output for RM AP operations.
  • A user name is output for commands received by a command device for authentication.
  • <Host> is output for other commands.
  • <system> is output for the event about encryption keys.

Task name

Task name specified when a task is registered. No task name is output when a user performs operations using the Device Manager - Storage Navigator secondary window.

No output.

Function name

The abbreviation indicating the function that performed the operation.

  • Maintenance window name is output for SVP operations.
  • User Auth indicates an user authentication command.
  • FC-SP indicates a device authentication command.
  • Config Command indicates a configuration changing command.
  • [ENC] is output for the event about encryption keys.

Operation or event name

The operation or event name.

The following items are output only when Function name is User Auth. No output for other operations.

  • Login indicates that a log-in command is received.
  • Logout indicates that a log-out command is received.

The event name is output when the function name is [ENC].

Parameters

Parameters for certain functions.

No output.

Result

The result of your operation.

  • Normal end. The operation has ended normally.
  • Error (xxxx-yyyyy). The operation has ended abnormally.
  • Warning (xxxx-yyyyy). The operation has partly ended abnormally or was canceled during the operation.

xxxxx-yyyyyy is an error code. xxxxx is a part code of four or five digits showing where the error occurs. yyyyyy is a message ID of four, five, or six digits. For more information about error codes, see Hitachi Device Manager - Storage Navigator Messages. Note that error codes "xxxx-yyyyy" appear only for Device Manager - Storage Navigator operations.

The result of the received commands.

  • Normal end. The authentication has ended normally, or the event about encryption keys occurs.
  • Error. The authentication has ended abnormally.
  • Accept. Received the commands from the host.
  • Reject. Rejected the commands from the host.

Host Identifica- tion

An IP address (IPv4 or IPv6) is output for Device Manager - Storage Navigator, RMI AP and SVP operations. The IP address may be that of the proxy server or the router depending on the configuration of the connected network.

No output for RM AP operations. No output when the login user name is <System>.

If both IPv4 and IPv6 are available for communication between the Device Manager - Storage Navigator computer and the SVP, the Device Manager - Storage Navigator secondary window uses IPv4 communication. In this case, IPv4 addresses are output to audit logs.

  • A WWN is output for unauthenticated open-system host.

    When a command is received from a different storage system, a WWN for the storage system sending the command is output.

  • A host name is output for authenticated open-system hosts.
  • A serial number is output for main-frame system hosts.

    When a command is received from a different storage system, a serial number for the storage system sending the command is output.

  • A host name is output for computers using CCI.
  • A WWN is output for the FC-SP authentication.
  • No output for the event about encryption keys.
  • If an operation is performed through the REST API, an IP address used in the storage system might be displayed.

Application Identifica-tion

No output.

  • An internal-use ID is output for open-system hosts.
  • An LPR number is output for mainframe system hosts.
  • 0x0000 is output if a command comes from other storage system.
  • No output for other commands.

No output for the FC-SP authentication, computers using CCI, hosts using Business Continuity Manager or the event about encryption keys.

Serial number

The serial number of the saved log information (0000000000 to 4294967295). When the number reaches 4,294,967,295, it is reset to 0000000000.

Same as File 1.

Detailed Information

The indexes that indicate the set items and the setting values are output to the detailed information. There are two types of the detailed information format.

Detailed information format 1

Example:

+Copy Type=TI
++{P-VOL(LDKC:CU:LDEV),S-VOL(LDKC:CU:LDEV),PoolID,MU,
Snapshot Group,Result}
=[{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,1,SnapshotSet1,Normal end},
{0xXX:0xAA:0xBB,0xYY:0xCC:0xDD,0,,SnapshotSet2,Error(xxxx-yyyy)}],
Num. of Pairs=2

Symbol

Definition

+ and -

'+' or '-' is displayed at the beginning of a line.

'+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.

'-' means that the line continues from the previous line.

=

Connects an index and a setting value.

[ ]

When there is more than one setting value for an index, the setting values are enclosed by [ ], and separated by a comma (,).

Example: CU:LDEV=[0x00:0x00,0x00:0x01,0x00:0x02]

{ }

Details are enclosed by {}.

Example: {Port,Fabric,Connection}=[{1E,ON,FC-AL},{3E,OFF,P-to-P}]

( )

Supplementary and additional information for setting values are enclosed by ( ).

Example: {VOL(CU:LDEV),Result}={0x00:0x01,Error(xxxx-yyyy)}

Note:
  • If there is an item that is not specified when entering commands or performing operations, a hyphen (-) is output for its setting value, no setting value is output, or the index itself is not output.
  • For audit logs generated by commands sent from hosts, computers using CCI, or hosts using Business Continuity Manager, if an invalid value is specified when entering commands, numerical characters might be output in the index for character strings and vice versa.
  • For audit logs generated by events related to encryption keys, if an audit log to be output contains invalid values, numerical characters might be output in the index for character strings or nothing is output for detailed information.
  • For audit logs output in Audit log information file 2 (DKC), values different from the specified ones might be output because optimal values might be automatically assigned in DKC.

Detailed information format 2

Example:

+{Alus[0]{
  Id="60-06-0E-81-30-76-D9-30-76-D9-00-00-00-00-00-49",
  Result=Normal end,LdevId=0x00:0x00:0x49}}
Note: Line feeds are added to make the example easy to see, while no line feed is added to the actual logs.

Symbol

Definition

+ and -

'+' or '-' is displayed at the beginning of a line.

  • '+' means the beginning of the index. The number of occurrences of '+' represents the number of indents.
  • '-' means that the line continues from the previous one.

{ }

The tiering relation is indicated by the following format.

Parent setting item{Child setting item 1, Child setting item 2{Grandchild setting item 2-1, Grand child setting item 2-2,...},...}

=

Connects an index and a setting value.

[x]

For the log output by the command or operation in which multiple resources or items of the same type can be set at one time, the resource or item of the same type is indicated as follows.

Setting item[x] (where x is a number: 0, 1, 2,...)

Note: If there is an item that is not specified when entering commands or performing operations, "null" is output for its setting value, or the index itself is not output.