Syslog file format (RFC5424-compliant)

Audit Log User Guide for VSP 5000 Series

Version: 90-09-0x
Audience: anonymous
Part Number: MK-98RD9010-13


Each syslog message contains either item 21 or item 22.

No. / Item / Description

1. Priority

The priority value, which is output enclosed in angle brackets (< >), is determined by the following formula:

Priority = 8 × Facility + Severity

Facility is 1 (fixed).

Severity depends on the type of log information:

  • 4: Error or Warning. Error means that the operation has ended abnormally. Warning means that the operation has partly ended abnormally or was canceled during the operation.
  • 6: Informational. The operation has ended normally.

For example, if Severity is 4 (Error), <12> is output as the priority value.

2. Version

The version (1)

3. Date, time*

The date, the time, and the time difference between UTC and the local time, in the format "YYYY-MM-DDThh:mm:ss.s±hh:mm"

  • YYYY: year, MM: month, DD: day
  • hh: hour, mm: minute, ss.s: seconds to one decimal place
  • ±hh:mm: hours and minutes of the time difference. "Z" is output instead of "±hh:mm" when there is no time difference between UTC and the local time, such as "2005-12-26T23:06:58.0Z".

4. Detected location

The host name (SVP)

5. Program name

The detection entity identifier (Storage)

6. Process name

The process name (-)

7. Message ID

The message ID (-)

8. Structured data

The structured data (-)

9. Unified specification identification

The unified specification identifier (CELFSS)

10. The revision number of the unified specification document (1.1)

11. Message identification

The serial number of the syslog header information

12. Type of audit event

The category name of the event

  • Authentication: Authentication, for example, for RMI
  • ConfigurationAccess: Setting from Device Manager - Storage Navigator, SVP, host, CCI, or Business Continuity Manager
  • Maintenance: SVP operations
  • AnomalyEvent: The Audit Log reached the maximum, and so on.
  • ExternalService: Remote maintenance operations through SVP

13. Result of audit event

  • Success: Normal end. The operation has ended normally.
  • Failed: Error (xxxx-yyyy). The operation has ended abnormally.
  • Failed: Warning (xxxx-yyyy). The operation has partly ended abnormally or was canceled during the operation.

"xxxx-yyyyy" indicates an error code, which is output only for Device Manager - Storage Navigator operations.

14. Account identification

The user name in the format of "uid=user name"

  • <system> is output when the category name is AnomalyEvent.
  • <DKCMaintenance> is output for SVP operations.
  • <Host> is output for commands from host.

15. Hardware identification

The ID (R900) that identifies the model name of the product and the serial number (five-digit number: 00001 to 99999), separated by a colon (for example, "R900:312334")

16. Related information

The location identification name set by the user in the Syslog tab of the Edit Audit Log Settings window

17. Detailed information

Identification of the host sending the request

This information is output when a command is received from the host unless it is FC-SP authentication.

18. Collective operation identifier. This is a serial number that identifies multiple lines displayed for one operation as belonging to the same operation.

This information is output only if the log type information is "BasicLog" and the category name is other than "AnomalyEvent".

19. Log type information:

  • BasicLog: basic information
  • DetailLog: detailed information

No output when the category name is "AnomalyEvent".

20. Identification of the application. This information is output when commands are sent from the host.

21. Detailed information

The same information contained in the basic information of the audit log file

  • External interface name
  • Task name
  • Function name
  • Operation name or event name
  • Parameter
  • Result of operation or command receipt
  • Serial number of log information

Task name is output only when a task is registered using Device Manager - Storage Navigator. No parameter is output if the operation has no parameters. No serial number is output when the category name is "AnomalyEvent".

22. The same information contained in the detailed information of the audit log file

No serial number is output when the category name is "AnomalyEvent".

*The date and time set on the SVP are output as log data. If a failure, such as an SVP failure or a LAN failure, occurs in the storage system, the date and time may be output as the date and time accumulated since January 01, 1970.
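
Items 1 to 8 follow the RFC 5424 header layout, so a log collector can validate them before trusting a record. The following Python code is an added example, not code from this guide: it decodes the priority, checks the fixed values, and flags the 1970-based timestamps described in the footnote. The sample lines, the CLOCK_CUTOFF threshold and the placeholder body are constructed; this page does not state how items 9 to 22 are delimited, so the body is returned unparsed.

```python
import re
from datetime import datetime, timezone

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<body>.*))?$"
)
SEVERITY = {4: "Error or Warning", 6: "Informational"}
# Assumed cutoff (not from the guide): older timestamps are treated as 1970-based.
CLOCK_CUTOFF = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Constructed sample lines; "(items 9-22)" is a placeholder body.
SAMPLES = [
    "<14>1 2021-03-04T10:15:30.5+09:00 SVP Storage - - - (items 9-22)",
    "<12>1 1970-01-02T03:04:05.0Z SVP Storage - - - (items 9-22)",
    "<30>1 2021-03-04T01:15:30.5Z SVP Storage - - - (items 9-22)",
]

def parse_header(line):
    """Decode items 1-8 of one message and return (fields, warnings)."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header")
    facility, severity = divmod(int(m["pri"]), 8)  # Priority = 8 x Facility + Severity
    # %f accepts the single decimal digit; %z accepts "Z" as well as "+hh:mm".
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
    warnings = []
    if facility != 1:
        warnings.append("facility is not the fixed value 1")
    if severity not in SEVERITY:
        warnings.append("severity is neither 4 nor 6")
    if m["version"] != "1":
        warnings.append("version is not 1")
    if ts < CLOCK_CUTOFF:
        warnings.append("timestamp looks 1970-based; check the SVP clock")
    fields = {
        "facility": facility, "severity": severity,
        "severity_name": SEVERITY.get(severity, "unknown"),
        "timestamp": ts, "host": m["host"], "program": m["app"],
        "process": m["proc"], "message_id": m["msgid"],
        "structured_data": m["sd"], "body": m["body"],
    }
    return fields, warnings

if __name__ == "__main__":
    for sample in SAMPLES:
        parsed, problems = parse_header(sample)
        print(parsed["timestamp"].isoformat(), parsed["severity_name"], problems)
```

Records that produce warnings are better kept and tagged than dropped, because a 1970-based timestamp still marks an event that occurred while the SVP clock was unavailable.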