Syslog file format (RFC3164-compliant)

Audit Log User Guide for VSP 5000 Series

Version: 90-08-8x
Part Number: MK-98RD9010-12

The following figure shows a sample syslog file.



Each syslog entry contains either item 29 or item 30.

No.

Item

Description

1

Priority

The priority value is output enclosed in angle brackets (< >) and is calculated with the following formula:

Priority = 8 × Facility + Severity

Facility is 1 (fixed).

Severity depends on the type of log information:

  • 4: Error or Warning. Error means that the operation has ended abnormally. Warning means that the operation has partly ended abnormally or was canceled during the operation.
  • 6: Informational. The operation has ended normally.

For example, if Severity is 4 (Error), <12> is output as the priority value.

2

Date, time*

The date and time in the format of "MMM DD HH:MM:SS" (MMM: month such as Jan or Dec, DD: day, HH: hour, MM: minute, and SS: second).

If DD is a single digit (for example, 1), it is displayed as " 1" (with a blank space before "1") and not as "01".

3

Detected location

The host name (SVP)

4

Program name

The detection entity identifier (Storage)

5

Unified specification identification

The Unified specification identifier (CELFSS)

6

The revision number of the Unified specification document (1.1)

7

Message identification

The serial number of the syslog header information

8

No output

9

Date, time#2*

The date, time and the time difference between UTC and the local time in the format of "YYYY-MM-DDThh:mm:ss.s±hh:mm"

  • YYYY: year, MM: month, DD: day
  • hh: hour, mm: minute, ss.s: seconds to one decimal place
  • ±hh:mm: hours and minutes of the time difference. "Z" is displayed instead of "±hh:mm" when there is no time difference between UTC and the local time, such as "2005-12-26T23:06:58.0Z".

10

Detection entity

The detection entity identifier (Storage)

11

Detected location

The host name (SVP)

12

Type of audit event

The category name of the event

  • Authentication: Authentication, for example, for RMI
  • ConfigurationAccess: Setting from Device Manager - Storage Navigator, SVP, host, CCI, or Business Continuity Manager
  • Maintenance: SVP operations
  • AnomalyEvent: The Audit Log reached the maximum, and so on.
  • ExternalService: Remote maintenance operations through SVP

13

Result of audit event

  • Success: Normal end. The operation has ended normally.
  • Failed: Error (xxxx-yyyy). The operation has ended abnormally.
  • Failed: Warning (xxxx-yyyy). The operation has partly ended abnormally or was canceled during the operation.

"xxxx-yyyyy" indicates an error code, which is output only for Device Manager - Storage Navigator operations.

14

Subject identification

The user name in the format of "uid=user name"

  • <system> is output when the category name is AnomalyEvent.
  • <DKCMaintenance> is output for SVP operations.
  • <Host> is output for commands from the host.

15

Hardware identification

The ID (R900) that identifies the model name of the product and the serial number (five-digit number: 00001 to 99999), separated by a colon (for example, "R900:312334")

16

Generated location

No output

17

Related information

The location identification name set by the user in the Syslog tab on the Edit Audit Log Settings window

18

No output

19

No output

20

Agent information

No output

21

Detailed information

Identification of the host sending the request

This information is output when a command is received from the host unless it is FC-SP authentication.

22

No output

23

No output

24

No output

25

Collective operation identifier. This is a serial number indicating that multiple lines displayed for one operation belong to the same operation.

This information is output only if the log type information is "BasicLog" and the category name is other than "AnomalyEvent".

26

Log type information:

  • BasicLog: basic information
  • DetailLog: detailed information

No output when the category name is "AnomalyEvent".

27

Identification of the application. This information is output when commands are sent from the host.

28

No output

29

The same information contained in the basic information of the audit log file

  • External interface name
  • Task name
  • Function name
  • Operation name or event name
  • Parameter
  • Result of operation or command receipt
  • Serial number of log information

Task name is output only when a task is registered using Device Manager - Storage Navigator. No parameter is output if the operation has no parameters. No serial number is output when the category name is "AnomalyEvent".

30

The same information contained in the detailed information of the audit log file

*The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the accumulated date and time since January 01, 1970.
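
The checks below apply the rules given for items 1, 2 and 9 and the footnote to individual field values, for use when ingesting these entries into a log pipeline; this is an added example, not code from the guide. The field values are constructed, the year passed to `parse_header_time` and the `cutoff_year` threshold are assumptions, and because the sample figure is not reproduced here the code does not assume how fields are delimited within a line.

```python
import re
from datetime import datetime, timezone

SEVERITY = {4: "Error or Warning", 6: "Informational"}  # values listed for item 1
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Item 2: single-digit days are space-padded (" 1"), never zero-padded ("01").
HEADER_TIME = re.compile(r"([A-Z][a-z]{2}) ( [1-9]|[12]\d|3[01]) (\d\d):(\d\d):(\d\d)")

def decode_priority(field):
    """Split '<N>' into (facility, severity, meaning); reject values the guide rules out."""
    m = re.fullmatch(r"<(\d{1,3})>", field)
    if not m:
        raise ValueError(f"not a priority field: {field!r}")
    facility, severity = divmod(int(m.group(1)), 8)  # Priority = 8 x Facility + Severity
    if facility != 1 or severity not in SEVERITY:
        raise ValueError(f"unexpected facility/severity {facility}/{severity}")
    return facility, severity, SEVERITY[severity]

def parse_header_time(field, year):
    """Parse item 2 ('MMM DD HH:MM:SS'); the year is not in the field (assumed input)."""
    m = HEADER_TIME.fullmatch(field)
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"not an item 2 timestamp: {field!r}")
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS.index(mon) + 1, int(day), int(hh), int(mm), int(ss))

def parse_event_time(field):
    """Parse item 9 ('YYYY-MM-DDThh:mm:ss.s' plus 'Z' or a +hh:mm / -hh:mm offset)."""
    if field.endswith("Z"):
        field = field[:-1] + "+00:00"  # 'Z' means no difference from UTC
    return datetime.strptime(field, "%Y-%m-%dT%H:%M:%S.%f%z")

def clock_suspect(event_time, cutoff_year=2000):
    """True when the time looks like a count from January 01, 1970 (see the footnote).
    cutoff_year is a threshold chosen for this example, not a value from the guide."""
    return event_time.astimezone(timezone.utc).year < cutoff_year

if __name__ == "__main__":
    # Constructed field values, not taken from a real storage system.
    print(decode_priority("<12>"), parse_header_time("Dec  3 10:15:00", 2024))
    print(clock_suspect(parse_event_time("1970-01-02T00:10:30.0Z")))
```

Entries for which `clock_suspect` returns true should be ordered by arrival time at the collector rather than by their own timestamp when building a timeline.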