Message part

Virtual Storage Platform One SDS Block Audit Log Guide

Version: 1.13.x
Part Number: MK-24VSP1SDS005-00

The following is an example of the message part. Each triangle (△) in the example indicates a space. Each number in the example corresponds to the item with the same number in the following table.

Depending on the type of audit log, the value of a specific item might be empty. Which items are empty differs depending on the type of audit log.

Note:

In syslog transfer, "%xEF.BB.BF" is added as the byte order mark (BOM) to the beginning of the message part (before "CELFSS" in the following figure).

| No. | Item | Description |
|---|---|---|
| 1 | Unified specification identifier | Fixed to "CELFSS". This ID indicates that this audit log complies with the unified specification for Hitachi storage security products. |
| 2 | Revision number of the unified specification | Fixed to "1.1". |
| 3 | Blank item | Empty character. |
| 4 | Serial number | Serial number in the audit log (0000000001 to 9999999999). Some events might not be assigned serial numbers depending on the time the audit log was filed. |
| 5 | Blank item (for three items) | Empty character. |
| 6 | Type of audit event | Type of event under audit. |
| 7 | Result of audit event | Result of an event under audit: "Success": The event succeeded; "Failed": The event did not succeed; "Occurred": The event occurred. |
| 8 | Subject identification | Subject that caused the event under audit. The output content differs depending on the cause of the event: User name (e.g., uid=userID): The event was generated through the REST API, CLI, VSP One SDS Block Administrator or console interface execution; "<System>": The event is generated through notification from the storage cluster; iSCSI name (e.g., iSN=iSCSI-name): The event was generated through access from the compute node. |
| 9 | Storage cluster identification | Product type identifier. The following format is used: <model-name>: <Internal-ID-(internalId)-of-the-storage-cluster>. <model-name> is replaced by one of the following: "VSSB": Indicates the virtual machine model; "VSSBB1": Indicates the bare metal model; "VSSBA1": Indicates the cloud model. |
| 10 | Blank item | Empty character. |
| 11 | Location identification | Location of the audit log output source, such as the installation location of equipment. |
| 12 | Blank item (for three items) | Empty character. |
| 13 | Request source host | Host name or IP address of the request source of the event under audit.* |
| 14 | Request source port | Request source port of the event under audit.* |
| 15 | Request destination host | Host name or IP address of the request destination of the event under audit.* |
| 16 | Request destination port | Request destination port of the event under audit.* |
| 17 | Blank item (for two items) | Empty character. |
| 18 | Application identification | Name of the application that caused an event generating an audit log. |
| 19 | Blank item | Empty character. |
| 20 | External interface | Name of the external interface that caused an event generating an audit log. "REST": Access through the REST API (including VSP One SDS Block Administrator and CLI); "CONSOLE": Access through the console interface; "HOST": Access from the compute node. |
| 21 | Audit event | Name of the executed operation or event. |
| 22 | Detailed information | Detailed information about the audit event. |

* When you create, download, or delete a dump log file by using the VSP One SDS Block Administrator, an audit log is displayed whose "Type of audit event" is ConfigurationAccess, whose request source is localhost/127.0.0.1/0:0:0:0:0:0:0:1/::1, and that has USER REQUEST RECEIVED FOR followed by one of the following strings:

  • DUMP_FILE_CREATE_FILE

  • DUMP_FILE_DOWNLOAD

  • DUMP_FILE_DELETE

To confirm the request source for the creation, download, or deletion of a dump log file by using the VSP One SDS Block Administrator, view the audit log that has USER REQUEST RECEIVED FOR followed by one of the following strings:

  • Creating a dump log file by using the VSP One SDS Block Administrator: STORAGE_NODE_DUMP_FILE_CREATE_FILE

  • Downloading a dump log file by using the VSP One SDS Block Administrator: STORAGE_NODE_DUMP_FILE_DOWNLOAD

  • Deleting a dump log file by using the VSP One SDS Block Administrator: STORAGE_NODE_DUMP_FILE_DELETE
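The following Python sketch is an added example, not code from this guide or from the product. It parses a message part into the items in the table, strips the syslog BOM, and reports the request source of dump log file operations while skipping the loopback-sourced DUMP_FILE_* entries described in the footnote. It assumes the items are comma-separated and that the STORAGE_NODE_* entries share the ConfigurationAccess type; the function names and sample lines are constructed for illustration.

```python
import re
BOM = "\ufeff"  # encodes to EF BB BF, the prefix added in syslog transfer
# Zero-based positions from the item table, counting every blank item.
# ASSUMPTION: items are comma-separated; the table does not state the delimiter.
FIELDS = {"spec_id": 0, "revision": 1, "serial": 3, "event_type": 7, "result": 8,
          "subject": 9, "cluster": 10, "location": 12, "src_host": 16,
          "src_port": 17, "dst_host": 18, "dst_port": 19, "application": 22,
          "interface": 24, "audit_event": 25, "detail": 26}
LOOPBACK = {"localhost", "127.0.0.1", "0:0:0:0:0:0:0:1", "::1"}
DUMP_OP = re.compile(r"USER REQUEST RECEIVED FOR\s+(STORAGE_NODE_)?"
                     r"(DUMP_FILE_(?:CREATE_FILE|DOWNLOAD|DELETE))\b")

def parse_message_part(raw):
    """Split one message part into named items; ValueError if it is not CELFSS."""
    text = raw.decode("utf-8") if isinstance(raw, bytes) else raw
    parts = [p.strip() for p in text.lstrip(BOM).split(",", FIELDS["detail"])]
    if parts[0] != "CELFSS" or len(parts) <= FIELDS["audit_event"]:
        raise ValueError("not a CELFSS message part")
    parts.append("")  # tolerate a missing detail item
    return {name: parts[i] for name, i in FIELDS.items()}

def dump_file_sources(lines):
    """Return (operation, subject, source host) per dump-file request, skipping
    the loopback-sourced DUMP_FILE_* entries the Administrator produces."""
    found = []
    for line in lines:
        rec = parse_message_part(line)
        m = DUMP_OP.search(rec["audit_event"] + " " + rec["detail"])
        if m is None or (m.group(1) is None and rec["src_host"] in LOOPBACK):
            continue  # unrelated entry, or one whose source is only loopback
        found.append((m.group(2), rec["subject"], rec["src_host"]))
    return found

def constructed_line(serial, src_host, event):
    """Build a constructed sample line (not real product output)."""
    items = [""] * (FIELDS["detail"] + 1)
    values = {"spec_id": "CELFSS", "revision": "1.1", "serial": serial,
              "event_type": "ConfigurationAccess", "result": "Success",
              "subject": "uid=admin1", "src_host": src_host,
              "interface": "REST", "audit_event": event}
    for name, value in values.items():
        items[FIELDS[name]] = value
    return ",".join(items)

PREFIX = "USER REQUEST RECEIVED FOR "
SAMPLE = [  # first entry is bytes with the BOM, as received over syslog
    BOM.encode() + constructed_line("0000000101", "127.0.0.1", PREFIX + "DUMP_FILE_DOWNLOAD").encode(),
    constructed_line("0000000102", "192.0.2.44", PREFIX + "STORAGE_NODE_DUMP_FILE_DOWNLOAD"),
]
print(dump_file_sources(SAMPLE))
```

If the real delimiter differs, only the `split` call in `parse_message_part` needs to change; the item positions follow the table.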