The audit logs for embedded CCI are created when the SSH connection is opened or closed and when raidcom commands are used. The audit logs are stored in the storage system (on the ESM processor).
- When you open an SSH connection to the ESM processor:
ESM,[BASE],Login,,Normal end,Seq.=xxxxxxxxxx
- When you close an SSH connection to the ESM processor:
ESM,[BASE],Logout,,Normal end,Seq.=xxxxxxxxxx
The IP address of the SSH client is output as the host identification value.
The audit logs for embedded CCI commands are output in the same format as the audit logs for host-based CCI. The IP address of the ESM processor is output as the host identification value.
You can use the embedded CCI audit logs to identify the user client who executed a raidcom command. To identify the user client who executed an embedded CCI command:
1. Refer to the embedded CCI audit logs to determine the user name of the user who executed the command and the date and time at which the command was executed.
2. In the audit logs of the storage system, locate the Login operation that meets all of the following conditions:
   - The Login operation was performed earlier than the time at which the command was executed (determined in step 1).
   - The Logout operation was not performed earlier than the time at which the command was executed (determined in step 1).
   - The username executing the Login operation matches the username confirmed in step 1.
   - The external interface information of the Login operation is ESM.
3. In the log of the Login operation that you located in step 2, locate the host identification value. The host identification value is the IP address of the SSH client from which the command was executed.
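The correlation in steps 1 to 3, as an added example that is not part of the original documentation. It assumes the audit-log fields have already been extracted into tuples (all records, user names and addresses below are constructed, and `OTHER` is a placeholder interface name), and it pairs each Login with a Logout by user name and host identification value, which is an assumption of this example.

```python
from datetime import datetime

# Constructed records, assumed already extracted from the storage system audit log:
# (time, user name, external interface, operation, host identification value).
SESSION_LOG = [
    ("2024-05-01 09:00:00", "alice", "ESM", "Login", "192.0.2.10"),
    ("2024-05-01 09:10:00", "alice", "OTHER", "Login", "192.0.2.99"),
    ("2024-05-01 09:30:00", "alice", "ESM", "Logout", "192.0.2.10"),
    ("2024-05-01 10:00:00", "alice", "ESM", "Login", "192.0.2.20"),
    ("2024-05-01 10:05:00", "bob", "ESM", "Login", "192.0.2.30"),
    ("2024-05-01 10:10:00", "alice", "ESM", "Login", "192.0.2.40"),
    ("2024-05-01 10:20:00", "alice", "ESM", "Logout", "192.0.2.40"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def build_sessions(records):
    """Pair each ESM Login with the next Logout by the same user and host."""
    sessions, pending = [], {}
    for time, user, iface, op, host in sorted(records, key=lambda r: ts(r[0])):
        if iface != "ESM":  # step 2: external interface must be ESM
            continue
        key = (user, host)
        if op == "Login":
            pending.setdefault(key, []).append(ts(time))
        elif op == "Logout" and pending.get(key):
            sessions.append((user, host, pending[key].pop(0), ts(time)))
    for (user, host), starts in pending.items():
        sessions += [(user, host, s, None) for s in starts]  # no Logout yet
    return sessions

def candidate_clients(records, cmd_user, cmd_time):
    """Steps 2 and 3: SSH client IPs of cmd_user's ESM sessions open at cmd_time."""
    t = ts(cmd_time)
    return sorted({host for user, host, start, end in build_sessions(records)
                   if user == cmd_user and start < t and (end is None or end >= t)})
```

If more than one address is returned, the user had overlapping SSH sessions at the time of the command and the login records alone cannot single out one client.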