Information that is output in audit logs

Virtual Storage Platform One SDS Block Audit Log Guide

Version: 1.14.x
Part Number: MK-24VSP1SDS005-01

"Type of audit event" and "Audit event" in the message part of an audit log provide summary information about the audit log. "Detailed information" is output depending on the event.

The following are the types of audit events:

  • AnomalyEvent: Indicates that an abnormality occurred (for example, a threshold was exceeded).

  • Authentication: Indicates that authentication or authorization processing was performed.

  • ConfigurationAccess: Indicates the occurrence of a configuration change and the associated change in job status.

  • Maintenance: Indicates that a maintenance operation was performed.

  • StartStop: Indicates a start or stop of the storage cluster.

The following tables list the audit events for each type of audit event, together with their descriptions and detailed information.

Type of audit event: AnomalyEvent

AUDIT LOG REACHED THRESHOLD
  Description: The number of untransferred audit logs exceeded 70% of the maximum limit.
  Detailed information: None

AUDIT LOG REACHED UPPER LIMIT
  Description: The maximum number of untransferred audit logs has been reached.
  Detailed information: None

CREATING AUDIT LOG FAILED
  Description: Indicates that the generated audit event includes information about violation of the unified specification for Hitachi storage security products. If this audit event name is output, contact customer support.
  Detailed information: The following information about the generated audit event is output:

  • Priority

  • Type of audit event

  • Result of audit event

  • Subject identification

  • Request source host

  • Request source port

  • Request destination host

  • Request destination port

  • Application identification

  • External interface

  • Audit event

  • Detailed information

Type of audit event: Authentication

AUTHORIZATION FAILED
  Description: Indicates that authentication did not succeed.
  Detailed information: For ticket authentication, the upper 8 digits of the SHA-256 hash of the ticket are output.

PASSWORD AUTHENTICATION EXECUTED
  Description: Indicates that Basic authentication was performed.
  Detailed information:
    (Virtual machine) None
    (Bare metal)(Cloud) If authentication to the console interface is performed, the ID of the storage node is output.
    Example:
    StorageNodeId=e839d554-56e6-40a6-929a-6a8c2a0d6e3d

SESSION AUTHENTICATION EXECUTED
  Description: Indicates that session authentication did not succeed. Not output when session authentication succeeded.
  Detailed information: None

TICKET AUTHENTICATION EXECUTED
  Description: Indicates that ticket authentication was performed.
  Detailed information: The upper 8 digits of the SHA-256 hash of the ticket are output.

CHAP AUTHENTICATION
  Description: Indicates that CHAP authentication was performed.
  Detailed information: None

Type of audit event: ConfigurationAccess

JOB {STARTED|SUCCEEDED|FAILED|STOPPED} FOR <CLI-subcommand-name>
  Description: Indicates that the job is in one of the following states:

  • STARTED: The job was started.

  • SUCCEEDED: The job succeeded.

  • FAILED: The job did not succeed.

  • STOPPED: The job was stopped.

  Although <CLI-subcommand-name> indicates the operation that started the job, it does not necessarily indicate an operation through CLI. <CLI-subcommand-name> also covers any operations through REST API or VSP One SDS Block Administrator. (See note 1.)
  Detailed information: The job ID (JobID) of the applicable event is output. (See note 2.)
    Example:
    JobID=772ebfa4-074b-4d38-a5a3-c6c3d7a40b7a

MODIFY CONFIGURATION EXECUTED
  Description: Indicates that the configuration information has been changed or set.
  Detailed information: None

USER REQUEST RECEIVED FOR <CLI-subcommand-name>
  Description: Indicates that the storage cluster accepted a user operation. Although <CLI-subcommand-name> indicates the details of a user operation, it does not necessarily indicate an operation through CLI. <CLI-subcommand-name> also covers any operations through REST API or VSP One SDS Block Administrator. (See note 1.)
  Detailed information: The input information (REST API name + input parameter) received by the REST server and job ID are output. (See notes 2 and 3.)
    Parameters that are not specified by the user are displayed with default values. Internal parameters may also be displayed.
    The input information and the job ID are delimited by a comma.
    Example (see note 4):
    DetailedInformation=DELETE v1/objects/volumes/20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a id=20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a Accept-Language=en, jobId=772ebfa4-074b-4d38-a5a3-c6c3d7a40b7a

CONTROL PORT SETTING EXECUTED
  Description: Indicates that control port configuration was performed through the console interface.
  Detailed information: The ID of the target storage node is output.
    Example:
    StorageNodeId=e839d554-56e6-40a6-929a-6a8c2a0d6e3d

ENCRYPTION KEY ALLOCATED
  Description: Indicates that encryption keys have been allocated to resources to be encrypted. (See note 5.)
  Detailed information: The following information is output.

  • StorageNodeId: When TargetType is "Drive", the ID of the storage node where the drive to be encrypted is installed is output.

  • EncryptionKeyId: ID of the target encryption key.

  • TargetType: Type of the resource to be encrypted. The type is fixed to "Drive".

  • TargetInformation: ID of the resource to be encrypted.

  • TargetName: Name of the resource to be encrypted. When TargetType is "Drive", a WWID (WWN) is output.

    Example:
    StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,EncryptionKeyId=0012daf4-fa01-4bc7-8c7f-042df04414f0,TargetType=Drive,TargetInformation=12091a9d-3f30-434a-9aa6-0a0c86e8a273,TargetName=naa.6000c29c1004ee8d1b45cfad860da071

ENCRYPTION KEY DELETED
  Description: Indicates that encryption keys allocated to resources to be encrypted have been deleted. (See note 5.)
  Detailed information: The following information is output.

  • StorageNodeId: When TargetType is "Drive", the ID of the storage node where the drive to be encrypted is installed is output.

  • EncryptionKeyId: ID of the target encryption key.

  • TargetType: Type of the resource to be encrypted. The type is fixed to "Drive".

  • TargetInformation: ID of the resource to be encrypted.

  • TargetName: Name of the resource to be encrypted. When TargetType is "Drive", a WWID (WWN) is output.

    Example:
    StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,EncryptionKeyId=0012daf4-fa01-4bc7-8c7f-042df04414f0,TargetType=Drive,TargetInformation=12091a9d-3f30-434a-9aa6-0a0c86e8a273,TargetName=naa.6000c29c1004ee8d1b45cfad860da071

1. Depending on the operation, a CLI subcommand name that is not described in the VSP One SDS Block CLI Reference might be displayed. The subcommand names and their meanings are as follows:

  • STORAGE_ADD_NODE: Adding storage nodes

  • CONFIGURATION_UPLOAD: Transferring configuration files

  • CONFIGURATION_FILE_IMPORT: Importing configuration files

  • PARTIAL_CONFIGURATION_FILE_CREATE: Exporting configuration files and creating configuration backup files

    When exporting configuration files or creating configuration backup files starts, audit logs are recorded when the storage cluster processing starts and when it completes. If the export or the backup file creation is entirely unsuccessful, these audit logs might still show that the processing completed successfully.

  • CONFIGURATION_BACKUP_FILE_DOWNLOAD: Downloading configuration backup files

  • STORAGE_SET_SERVICE_ID: Setting the service ID of the storage cluster

  • STORAGE_NODE_DUMP_FILE_CREATE_FILE: Creating a dump log file by using the VSP One SDS Block Administrator

  • STORAGE_NODE_DUMP_FILE_DOWNLOAD: Downloading a dump log file by using the VSP One SDS Block Administrator

  • STORAGE_NODE_DUMP_FILE_DELETE: Deleting a dump log file by using the VSP One SDS Block Administrator

  • STORAGE_NODE_CONFIGURATION_PARAMETER_PARAMETERS_SHOW: Obtaining configuration parameters

  • STORAGE_NODE_CONFIGURATION_PARAMETER_PARAMETERS_SET: Setting configuration parameters

  • STORAGE_NODE_CONFIGURATION_PARAMETER_POLLING_MODE_SHOW: Obtaining the configuration parameter setting mode

  • STORAGE_MODIFY_CONFIGURATION: Changing and setting configuration information

2. Job information is not output to the audit log for the following operations among configuration change operations:

  • User management

  • Editing user authentication settings

  • Session management

3. When performing the following operations, a REST API that is not described in the VSP One SDS Block REST API Reference might be generated:

  • Adding storage nodes

  • Transferring configuration files

  • Importing configuration files

  • Exporting configuration files

  • Creating a configuration backup file

  • Creating, downloading, and deleting a dump log file by using the VSP One SDS Block Administrator

  • Changing and setting configuration information

  • When service personnel or maintenance personnel set the service ID of the storage cluster

4. Some characters in "Detailed information" are replaced with certain types of characters:

  • Confidential information such as a password is replaced with asterisks (*).

  • 0x00 to 0x1F (NULL and other characters), 0x2C (comma), and 0x7F (DEL) in ASCII code are replaced with question marks ("?": 0x3F in ASCII code).

5. Duplicate audit logs might be output in the following cases because the same processing is being reperformed. However, this causes no problem in processing.

  • When the cluster master node (primary) failed over during processing involving encryption keys

  • When a failure occurred during configuration restore and configuration restore was reperformed
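A parser for the "Detailed information" of USER REQUEST RECEIVED that relies on notes 2 and 4, as an added example that is not part of the guide or the product. The function name, the returned field names and the second sample line are constructed; it assumes parameters are whitespace-separated key=value tokens as in the guide's example, and that a masked value consists only of asterisks.

```python
# Added example: hypothetical helper, not vendor code.

def parse_user_request(detail):
    """Parse the 'Detailed information' of USER REQUEST RECEIVED."""
    prefix = "DetailedInformation="
    if detail.startswith(prefix):
        detail = detail[len(prefix):]
    # Note 4: a comma inside a value is logged as "?", so the last comma
    # can only be the delimiter in front of the job ID.
    request, sep, tail = detail.rpartition(",")
    tail = tail.strip()
    if sep and tail.startswith("jobId="):
        job_id = tail[len("jobId="):]
    else:
        # Note 2: some operations log no job information.
        request, job_id = detail, None
    method, path, *tokens = request.split()
    params = {}
    for token in tokens:
        key, eq, value = token.partition("=")
        if eq:
            params[key] = value
    return {
        "method": method,
        "path": path,
        "params": params,
        "job_id": job_id,
        # Assumption: confidential values are replaced entirely by "*".
        "masked": sorted(k for k, v in params.items()
                         if v and set(v) == {"*"}),
        # "?" may stand for a replaced comma or control character.
        "sanitized": sorted(k for k, v in params.items() if "?" in v),
    }

# The guide's own example line.
PAGE_EXAMPLE = ("DetailedInformation=DELETE v1/objects/volumes/"
                "20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a "
                "id=20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a Accept-Language=en, "
                "jobId=772ebfa4-074b-4d38-a5a3-c6c3d7a40b7a")
# Constructed line: placeholder path, masked secret, replaced comma, no job ID.
CONSTRUCTED = ("POST v1/objects/example name=ops?backup "
               "password=******** Accept-Language=en")

if __name__ == "__main__":
    print(parse_user_request(PAGE_EXAMPLE))
    print(parse_user_request(CONSTRUCTED))
```

A "?" in a logged value means the original character is not recoverable from the audit log, so values listed under `sanitized` should not be used as exact match keys when correlating with other sources.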
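Replaying ENCRYPTION KEY ALLOCATED and ENCRYPTION KEY DELETED records while tolerating the duplicates described in note 5, as an added example that is not part of the guide or the product. The function names are hypothetical; the first detail string is the guide's example and the second is constructed.

```python
# Added example: hypothetical helpers, not vendor code.

def parse_fields(detail):
    """Split comma-delimited key=value detail into a dict."""
    return dict(item.split("=", 1) for item in detail.split(","))

def reconcile_key_events(events):
    """Replay (audit_event, detail) pairs in log order.

    Returns (allocated, repeats): keys still allocated, and the indexes of
    records that repeat the current state (note 5) or have no earlier match.
    """
    allocated = {}  # EncryptionKeyId -> (StorageNodeId, TargetName)
    repeats = []
    for index, (event, detail) in enumerate(events):
        if not event.startswith("ENCRYPTION KEY "):
            continue
        fields = parse_fields(detail)
        key_id = fields["EncryptionKeyId"]
        target = (fields["StorageNodeId"], fields["TargetName"])
        if event == "ENCRYPTION KEY ALLOCATED":
            if allocated.get(key_id) == target:
                repeats.append(index)
            else:
                allocated[key_id] = target
        elif event == "ENCRYPTION KEY DELETED":
            if allocated.pop(key_id, None) is None:
                repeats.append(index)
    return allocated, repeats

# The guide's own example.
DETAIL_A = ("StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,"
            "EncryptionKeyId=0012daf4-fa01-4bc7-8c7f-042df04414f0,"
            "TargetType=Drive,"
            "TargetInformation=12091a9d-3f30-434a-9aa6-0a0c86e8a273,"
            "TargetName=naa.6000c29c1004ee8d1b45cfad860da071")
# Constructed second key and drive on the same node.
DETAIL_B = ("StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,"
            "EncryptionKeyId=11111111-2222-4333-8444-555555555555,"
            "TargetType=Drive,"
            "TargetInformation=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee,"
            "TargetName=naa.constructed0000000000000000000001")
SAMPLE = [
    ("ENCRYPTION KEY ALLOCATED", DETAIL_A),
    ("ENCRYPTION KEY ALLOCATED", DETAIL_A),  # repeated record
    ("ENCRYPTION KEY ALLOCATED", DETAIL_B),
    ("ENCRYPTION KEY DELETED", DETAIL_A),
    ("ENCRYPTION KEY DELETED", DETAIL_A),    # repeated record
]
```

A DELETED record with no earlier ALLOCATED can also mean the log window starts after the allocation, so review `repeats` alongside the failover and configuration restore times before discarding those records.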

Type of audit event: Maintenance

START MAINTENANCE MODE
  Description: Indicates that Maintenance mode is enabled.
  Detailed information: None

START RESCUE MODE
  Description: Indicates that Rescue mode is enabled.
  Detailed information: None

WRITE BACK MODE WITH CACHE PROTECTION READY FOR STORAGE CLUSTER REBOOT
  Description: Indicates that the write back mode with cache protection is ready to be enabled/disabled.
  Detailed information: Indicates the status of write back mode with cache protection.
    write back mode with cache protection = {Enabling | Disabling}

  • Enabling: Write back mode with cache protection is in the process of being enabled.
  • Disabling: Write back mode with cache protection is in the process of being disabled.

WRITE BACK MODE WITH CACHE PROTECTION UPDATED
  Description: Indicates completion of enabling/disabling write back mode with cache protection.
  Detailed information: Indicates the status of write back mode with cache protection.
    write back mode with cache protection = {Enabled | Disabled}

  • Enabled: Write back mode with cache protection is enabled.
  • Disabled: Write back mode with cache protection is disabled.

Type of audit event: StartStop

STORAGE CLUSTER STARTED
  Description: Indicates that the storage cluster started.
  Detailed information: None