Transferring audit log to syslog servers

Audit Log User Guide for VSP 5000 Series

Version
90-09-0x
Part Number
MK-98RD9010-13

If you configure syslog server settings, the audit log will always be transferred to the syslog server and stored there as syslog files.

You can select either of the following protocols to transfer the audit log to the syslog server. The output file format differs depending on the selected protocol.

  • TLS1.2/RFC5424
  • UDP/RFC3164
Note: When you use UDP/RFC3164, consider the characteristics of UDP (User Datagram Protocol) when designing the network. For more details, see the RFC (Request for Comments) at http://www.ietf.org./rfc/rfc3164.txt, issued by the IETF (Internet Engineering Task Force).
Note: Keep a list of the items, such as the IP address, that you entered in the Syslog tab of the Edit Audit Log Settings window. You may need to enter them again when an SVP is replaced.
  • You must have the Audit Log Administrator (View & Modify) role to configure syslog server settings.
  • Make sure that the storage system is connected to syslog servers on a LAN.
  • Make sure that the syslog servers are configured so that audit logs can be transferred to them.
  • The syslog server certificate and the client certificate are required to use TLS1.2/RFC5424.
  • If you use the new syslog protocol (TLS1.2/RFC5424), the subjectAltName or CommonName in the syslog server certificate must specify the host name or IP address of the syslog server.
  • If you specify the host name of the syslog server as the transfer destination, you must register the host name and domain name of the syslog server in the DNS server.
CAUTION:
If audit logs are transferred before the syslog server that is to receive them has been configured, the logs are not saved on the syslog server and are lost. See the user manual of the syslog server for the details of the syslog server settings.
  1. Click Settings > Security > Edit Audit Log Settings. Click the Syslog tab on the Edit Audit Log Settings window.
  2. Select New Syslog Protocol (TLS1.2/RFC5424) or Old Syslog Protocol (UDP/RFC3164).
  3. Select Enable for the Primary Server.
    1. Specify the IPv4 address, IPv6 address, or host name of the syslog server to which you want to send syslog data. To specify the host name, select Identifier and then enter up to 255 characters consisting of alphabetic characters, numerals, and symbols (! $ % - . @ _ ` ~).
    2. Enter the Port Number in the primary server setting.
    3. Enter the client certificate file name, password, and root certificate file name (only when you choose New Syslog Protocol (TLS1.2/RFC5424) at Transfer Protocol).
  4. Perform the following if using a secondary syslog server.
    1. Select Enable for the Secondary Server.
    2. Specify the IPv4 address, IPv6 address, or host name.
    3. Enter the Port Number in the secondary server setting.
    4. Enter the client certificate file name, password, and root certificate file name (only when you choose New Syslog Protocol (TLS1.2/RFC5424) at Transfer Protocol).
  5. Enter the name of the storage system from which you are transferring the audit log file in Location Identification Name.
  6. If New Syslog Protocol (TLS1.2/RFC5424) is selected for Transfer Protocol, specify Timeout, Retry Interval, and Number of Retries.
  7. If you want to transfer detailed audit log information to the syslog server, select Enable for Output Detailed Information.
  8. Click Send Test Message to Syslog Server to test the settings.
  9. Check that the test log (function name AuditLog, operation name Send Test Message) has been sent to the syslog server.
  10. Click Finish.
  11. Confirm the settings in the setting confirmation window, and then enter the task name in Task Name.
  12. Click Apply. The task is registered. If you select the Go to tasks window for status check box, the Task window opens.
  13. When the task has completed, confirm that the syslog server is receiving the log of the syslog server setting. The function name of the log is "AuditLog" and the operation name is "Set Syslog Server".
    If the audit log is not received by the syslog server, check whether the IP address or host name and the port number that you set match those of the syslog server, and make sure that the client certificate, password, and Root Certificate File Name settings are correct. If the settings in Device Manager - Storage Navigator are correct, make sure that the settings on the syslog server are correct. If you specify the host name of the syslog server as the transfer destination, make sure that the host name and domain name of the syslog server are registered in the DNS server. See the user manual of the syslog server for the details of the syslog server settings.
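The receiving-side check in steps 9 and 13, as an added example that is not part of this guide or of any Hitachi tooling: it classifies each line received by the syslog server as RFC 5424 or RFC 3164 and reports whether the "Send Test Message" and "Set Syslog Server" events arrived in the format you selected in step 2. The sample lines are constructed, and the layout of the message body after the syslog header is an assumption, so the check only looks for the function name and operation name stated above.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the rest
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>[1-9]\d{0,2} \S+ (?P<host>\S+) \S+ \S+ \S+ (?P<body>.*)$", re.S)
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME, then the rest
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<body>.*)$", re.S)

# Function name / operation name pairs from steps 9 and 13.
EXPECTED = {"test": ("AuditLog", "Send Test Message"),
            "setting": ("AuditLog", "Set Syslog Server")}

# Constructed sample lines (PRI, host name, timestamps and body layout are assumptions).
SAMPLE = [
    "<110>1 2024-05-01T10:15:00.0+09:00 storage-A Storage - - - AuditLog,Send Test Message,Normal end",
    "<110>1 2024-05-01T10:17:30.0+09:00 storage-A Storage - - - AuditLog,Set Syslog Server,Normal end",
    "<110>May  1 10:20:00 storage-A Storage: AuditLog,Send Test Message,Normal end",
]

def parse(line):
    """Classify one received line; return None if it fits neither header."""
    for fmt, rx in (("RFC5424", RFC5424), ("RFC3164", RFC3164)):
        m = rx.match(line.strip())
        if m and int(m["pri"]) <= 191:  # PRI = facility*8 + severity, max 23*8+7
            pri = int(m["pri"])
            return {"format": fmt, "facility": pri >> 3, "severity": pri & 7,
                    "host": m["host"], "body": m["body"]}
    return None

def verify(lines, expected_format):
    """Return (which expected events arrived, list of (line number, problem))."""
    found = {key: False for key in EXPECTED}
    problems = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            problems.append((n, "unparseable"))
        elif rec["format"] != expected_format:
            problems.append((n, "unexpected format " + rec["format"]))
        else:
            for key, (func, op) in EXPECTED.items():
                if func in rec["body"] and op in rec["body"]:
                    found[key] = True
    return found, problems

if __name__ == "__main__":
    print(verify(SAMPLE, "RFC5424"))
```

A line reported as "unexpected format RFC3164" when TLS1.2/RFC5424 is selected means a sender is still using the old UDP protocol and should be checked against the Syslog tab settings.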