Audit log header format (RFC5424-compliant)

Audit Log User Guide for VSP E Series

Version
93-06-8x
Part Number
MK-97HM85024-17


No.

Item

Description

1

Priority

The priority value given by the following formula is output, enclosed by < >.

Priority value = 8 x Facility + Severity

Facility is 17 (Fixed value).

Severity takes the following values, depending on the type of the log information:

  • 4: Error (Abnormal end) or Warning (The operation partly ended abnormally or was aborted.)
  • 6: Informational (Normal end)

For example, if Severity is Error, <140> is output for the priority value.

2

Version

"1" is output for the version number.

3

Date, time (see Note 1)

The date, time, and the time difference from UTC (Universal Time Coordinated) are output in the format YYYY-MM-DDThh:mm:ss.s±hh:mm (YYYY: year, MM: month, DD: day, hh: hour, mm: minute, ss.s: second, ±hh: hours of the time difference, mm: minutes of the time difference).

However, if there is no time difference from UTC, "Z" is output in place of "±hh:mm", as in 2016-12-T23:06:58.0Z.

"ss.s" means that seconds are output to the first decimal place.

4

Detected location

"GUM" is output for a host name.

5

Program name

"Storage" is output for the detection entity identifier.

6

Process name

A hyphen (-) is output for the process name.

7

Message ID

A hyphen (-) is output for the message ID.

8

Structured data

A hyphen (-) is output for the structured data.

9

Unified specification identification

"CELFSS" is output for the unified specification identifier.

10

"1.1" is output for the revision number of the unified specification.

11

Message identification

The serial number of the syslog header information is output.

12

Type of audit event

The category name of the audit event is output. The actual category names and examples of the events are as follows:

  • Authentication: Authentication etc. to RMI
  • ConfigurationAccess: Configuration from Device Manager - Storage Navigator, Maintenance PC, hosts, CCI, or Hitachi Storage Advisor Embedded
  • Maintenance: Configuration on Maintenance PC
  • ExternalService: Remote maintenance operation

13

Result of audit event

The result of the audit event is output as follows.

  • Success: Normal end (The operation ended normally.)
  • Failed: Error (xxxx-yyyy) (The operation ended abnormally.)
  • Failed: Warning (xxxx-yyyy) (The operation partly ended abnormally or was aborted.)

"xxxx-yyyyy" shows an error code. This error code is not shown in the result of the audit event if the operation is performed from Maintenance PC or by the command from a host.

14

Account identification

A user name is output in the format of "uid=user name".

  • "DKCMaintenance" is output for the operation from Maintenance PC.
  • "Host" is output for the commands from a host.

15

Hardware identification

The ID that identifies the model name of the product and the serial number (a six-digit number) are output separated by a colon (:), for example "HM900:431234".

The following ID is output:

  • VSP E1090: "RH10K MH4" or "VSP E series"
  • Other VSP E series models: "HM900" or "VSP E series"

16

Related information

The location identification name configured in the Set Up Syslog Server for Audit Logs window is output.

17

Host identification

The identification information of a host sending requests is output as follows.

  • Operations of Device Manager - Storage Navigator: IP address (IPv4 or IPv6) (see Notes 2 and 3)
  • Operations of Hitachi Storage Advisor Embedded: IP addresses of GUM (IPv4 or IPv6)
  • Operations of RMI AP

    IP address (IPv4 or IPv6): When an IP address is specified by an external application.

    Host name: When a host name is specified by an external application.

  • CCI operation

    A host name is output for authenticated hosts.

    A WWN is output for unauthenticated hosts.

    IP addresses of GUM are output if operations are performed from CCI of the embedded CLI.

  • An IP address is output for the CHAP authentication.
  • No output for operation logs of RM AP and GUM AP.
  • No output for event logs on the encryption keys.

18

Collective operation identifier

The collective operation identifier is a serial number with which the operation is recognized as one operation even if it outputs multiple lines.

The identifier is output only when the log identification information is "BasicLog."

19

Log type information

The log type information is output as follows:

  • BasicLog: Basic information
  • DetailLog: Detailed information

20

Application identification

When commands are received from a host, the following are output.

  • ID that the host and storage system use internally
  • 0x0000: When receiving commands from other storage systems.
  • No output for events on CHAP, computers using CCI, or encryption keys.

Notes:

  1. If a LAN failure etc. occurs on the storage system, the date and time might be the accumulated time since January 1, 1970.
  2. The IP address might indicate that of a proxy server, router, or remote desktop client, depending on the connected network configuration.
  3. When IPv4 and IPv6 are available for communication from the management client to the SVP or management client, even if an IPv6 address of the SVP or management client is designated by the browser of the management client, IPv4 is used for communication by operations from the sub window of Device Manager - Storage Navigator, and an IPv4 address is output to the audit log.
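
A collector can check items 1 to 8 of the table, together with Note 1, on every line it receives. The following Python sketch is an added example, not code from the guide or the product: it splits a line using the RFC 5424 header syntax, decodes the priority value, and reports every field that deviates from the fixed values above. The sample lines are constructed, items 9 to 20 are left as an opaque message because this page does not give their delimiter, and the `EARLIEST_YEAR` cut-off is an assumption.

```python
import re
from datetime import datetime, timezone

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
HEADER = re.compile(
    r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\])(?: (.*))?$", re.S)
# Fixed values the table gives for items 1, 2 and 4 to 8.
FIXED = {"facility": 17, "version": "1", "host": "GUM", "app": "Storage",
         "procid": "-", "msgid": "-", "sd": "-"}
SEVERITIES = {4: "Error or Warning", 6: "Informational"}  # the only values listed
EARLIEST_YEAR = 2000  # assumption: anything older is the Note 1 "time since 1970" case

def parse_header(line):
    """Return (fields, issues); issues lists every deviation from the documented header."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    pri, version, stamp, host, app, procid, msgid, sd, msg = m.groups()
    facility, severity = divmod(int(pri), 8)  # Priority value = 8 x Facility + Severity
    # %f accepts the single decimal digit; %z accepts both "+09:00" and "Z" (Python 3.7+).
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z")
    fields = {"facility": facility, "severity": severity, "version": version,
              "time": when, "host": host, "app": app, "procid": procid,
              "msgid": msgid, "sd": sd, "message": msg}
    issues = [f"{k}: got {fields[k]!r}, expected {v!r}"
              for k, v in FIXED.items() if fields[k] != v]
    if severity not in SEVERITIES:
        issues.append(f"severity {severity} is not 4 or 6")
    if when.astimezone(timezone.utc).year < EARLIEST_YEAR:
        issues.append("timestamp looks like time since 1970 (Note 1), not wall-clock time")
    return fields, issues

# Constructed sample lines; the message part stands in for items 9 to 20.
SAMPLES = [
    "<140>1 2016-12-05T23:06:58.0+09:00 GUM Storage - - - <items 9 to 20>",
    "<142>1 1970-01-03T04:10:22.5Z GUM Storage - - - <items 9 to 20>",
    "<38>1 2024-03-02T10:15:00.0Z fileserver Storage - - - <items 9 to 20>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        fields, issues = parse_header(sample)
        print(fields["time"].isoformat(), SEVERITIES.get(fields["severity"]), issues)
```

Lines that produce issues are better kept and tagged than dropped: a 1970-based timestamp still records a real operation, and a line with the wrong facility or host name did not come from the documented source and should be reviewed.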