"Type of audit event" and "Audit event" in the message part of an audit log provide summary information about the audit log. "Detailed information" is output depending on the event.
The following are the types of audit events:

- AnomalyEvent: Indicates that an abnormality occurred (for example, a threshold was exceeded).
- Authentication: Indicates that authentication or authorization processing was performed.
- ConfigurationAccess: Indicates the occurrence of a configuration change and the associated change in job status.
- Maintenance: Indicates that a maintenance operation was performed.
- StartStop: Indicates a start or stop of the storage cluster.

The following tables show the audit events, their descriptions, and their detailed information, grouped by type of audit event.
Type of audit event: AnomalyEvent

| Audit event | Description | Detailed information |
|---|---|---|
| AUDIT LOG REACHED THRESHOLD | The number of untransferred audit logs exceeded 70% of the maximum limit. | None |
| AUDIT LOG REACHED UPPER LIMIT | The maximum number of untransferred audit logs has been reached. | None |
| CREATING AUDIT LOG FAILED | Indicates that the generated audit event includes information about violation of the unified specification for Hitachi storage security products. If this audit event name is output, contact customer support. | The following information about the generated audit event is output: |

Type of audit event: Authentication

| Audit event | Description | Detailed information |
|---|---|---|
| AUTHORIZATION FAILED | Indicates that authentication did not succeed. | For ticket authentication, the upper 8 digits of the SHA-256 hash of the ticket are output. |
| PASSWORD AUTHENTICATION EXECUTED | Indicates that Basic authentication was performed. | (Virtual machine) None. (Bare metal) (Cloud) If authentication to the console interface is performed, the ID of the storage node is output. Example: StorageNodeId=e839d554-56e6-40a6-929a-6a8c2a0d6e3d |
| SESSION AUTHENTICATION EXECUTED | Indicates that session authentication did not succeed. Not output when session authentication succeeded. | None |
| TICKET AUTHENTICATION EXECUTED | Indicates that ticket authentication was performed. | The upper 8 digits of the SHA-256 hash of the ticket are output. |
| CHAP AUTHENTICATION | Indicates that CHAP authentication was performed. | None |

Type of audit event: ConfigurationAccess

| Audit event | Description | Detailed information |
|---|---|---|
| JOB {STARTED\|SUCCEEDED\|FAILED\|STOPPED} FOR <CLI-subcommand-name> | Indicates that the job is in one of the following states: Although <CLI-subcommand-name> indicates the operation that started the job, it does not necessarily indicate an operation through CLI. <CLI-subcommand-name> also covers any operations through REST API or VSP One SDS Block Administrator. [1] | The job ID (JobID) of the applicable event is output. [2] Example: JobID=772ebfa4-074b-4d38-a5a3-c6c3d7a40b7a |
| MODIFY CONFIGURATION EXECUTED | Indicates that the configuration information has been changed or set. | None |
| USER REQUEST RECEIVED FOR <CLI-subcommand-name> | Indicates that the storage cluster accepted a user operation. Although <CLI-subcommand-name> indicates the details of a user operation, it does not necessarily indicate an operation through CLI. <CLI-subcommand-name> also covers any operations through REST API or VSP One SDS Block Administrator. [1] | The input information (REST API name + input parameter) received by the REST server and job ID are output. [2, 3] Parameters that are not specified by the user are displayed with default values. Internal parameters may also be displayed. The input information and the job ID are delimited by a comma. Example [4]: DetailedInformation=DELETE v1/objects/volumes/20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a id=20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a Accept-Language=en, jobId=772ebfa4-074b-4d38-a5a3-c6c3d7a40b7a |
| CONTROL PORT SETTING EXECUTED | Indicates that control port configuration was performed through the console interface. | The ID of the target storage node is output. Example: StorageNodeId=e839d554-56e6-40a6-929a-6a8c2a0d6e3d |
| ENCRYPTION KEY ALLOCATED | Indicates that encryption keys have been allocated to resources to be encrypted. [5] | The following information is output. Example: StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,EncryptionKeyId=0012daf4-fa01-4bc7-8c7f-042df04414f0,TargetType=Drive,TargetInformation=12091a9d-3f30-434a-9aa6-0a0c86e8a273,TargetName=naa.6000c29c1004ee8d1b45cfad860da071 |
| ENCRYPTION KEY DELETED | Indicates that encryption keys allocated to resources to be encrypted have been deleted. [5] | The following information is output. Example: StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,EncryptionKeyId=0012daf4-fa01-4bc7-8c7f-042df04414f0,TargetType=Drive,TargetInformation=12091a9d-3f30-434a-9aa6-0a0c86e8a273,TargetName=naa.6000c29c1004ee8d1b45cfad860da071 |

1. Depending on the operation, a CLI subcommand name that is not described in the VSP One SDS Block CLI Reference might be displayed. The subcommand names and their meanings are as follows:
2. Job information is not output to the audit log for the following operations among configuration change operations:
3. When performing the following operations, a REST API that is not described in the VSP One SDS Block REST API Reference might be generated:
4. Some characters in "Detailed information" are replaced with certain types of characters:
5. Duplicate audit logs might be output in the following cases because the same processing is being reperformed. However, this causes no problem in processing.

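
The following Python code is an added example, not part of the original reference or vendor code. It parses the "Detailed information" strings shown above and joins USER REQUEST RECEIVED events to their JOB events by job ID, so a reviewer can see which REST request led to which job outcome. It models only the message part of a log entry; the subcommand name `example_subcommand` and the event sequence are constructed.

```python
import re

# Constructed sample of (audit event, detailed information) pairs built from the
# example values in the table above. "example_subcommand" is a placeholder name.
JOB = "772ebfa4-074b-4d38-a5a3-c6c3d7a40b7a"
VOL = "20bcba3c-db6a-45c6-b5a6-f39c08f3fd1a"
SAMPLE = [
    ("USER REQUEST RECEIVED FOR example_subcommand",
     f"DELETE v1/objects/volumes/{VOL} id={VOL} Accept-Language=en, jobId={JOB}"),
    ("JOB STARTED FOR example_subcommand", f"JobID={JOB}"),
    ("JOB FAILED FOR example_subcommand", f"JobID={JOB}"),
    ("ENCRYPTION KEY DELETED",
     "StorageNodeId=5cd7a2bf-3362-4fef-ad11-2b668c00cdba,"
     "EncryptionKeyId=0012daf4-fa01-4bc7-8c7f-042df04414f0,TargetType=Drive"),
]
JOB_RE = re.compile(r"^JOB (STARTED|SUCCEEDED|FAILED|STOPPED) FOR (.+)$")

def parse_kv(detail):
    """Parse comma-delimited Key=Value detail (JobID, StorageNodeId, ...)."""
    pairs = (item.strip().split("=", 1) for item in detail.split(",") if "=" in item)
    return dict(pairs)

def parse_user_request(detail):
    """Split 'input information, jobId=...'; the job ID may be absent."""
    request, _, tail = detail.rpartition(",")
    key, _, job_id = tail.strip().partition("=")
    if key != "jobId":                      # no job information in this entry
        request, job_id = detail, None
    method, path, *params = request.split()
    return {"method": method, "path": path, "job_id": job_id,
            "params": dict(p.split("=", 1) for p in params if "=" in p)}

def correlate(events):
    """Return {job ID: {"request": parsed request, "states": [job states]}}."""
    jobs = {}
    for name, detail in events:
        m = JOB_RE.match(name)
        if m:
            job_id = parse_kv(detail).get("JobID")
            entry = jobs.setdefault(job_id, {"request": None, "states": []})
            entry["states"].append(m.group(1))
        elif name.startswith("USER REQUEST RECEIVED FOR "):
            req = parse_user_request(detail)
            if req["job_id"]:
                jobs.setdefault(req["job_id"], {"request": None, "states": []})["request"] = req
    return jobs

if __name__ == "__main__":
    for job_id, info in correlate(SAMPLE).items():
        print(job_id, info["states"], info["request"]["method"], info["request"]["path"])
```
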
Type of audit event: Maintenance

| Audit event | Description | Detailed information |
|---|---|---|
| START MAINTENANCE MODE | Indicates that Maintenance mode is enabled. | None |
| START RESCUE MODE | Indicates that Rescue mode is enabled. | None |
| WRITE BACK MODE WITH CACHE PROTECTION READY FOR STORAGE CLUSTER REBOOT | Indicates that the write back mode with cache protection is ready to be enabled/disabled. | Indicates the status of write back mode with cache protection. write back mode with cache protection = {Enabling \| Disabling} |
| WRITE BACK MODE WITH CACHE PROTECTION UPDATED | Indicates completion of enabling/disabling write back mode with cache protection. | Indicates the status of write back mode with cache protection. write back mode with cache protection = {Enabled \| Disabled} |

Type of audit event: StartStop

| Audit event | Description | Detailed information |
|---|---|---|
| STORAGE CLUSTER STARTED | Indicates that the storage cluster started. | None |