Editing Syslog transfer settings of audit logs

Virtual Storage Platform One SDS Block Audit Log Guide

Version: 1.15.x
Part Number: MK-24VSP1SDS005-02

Set Syslog transfer of audit logs as follows. You can set up to two Syslog servers.

An audit log can contain up to 750,000 activities. If transfer to the Syslog server is enabled, a user is notified by an event log and audit log when the number of untransferred activities reaches 70% of the maximum and when it reaches 100%.

Note:
  • When using a DNS server, a storage node caches DNS query results for the time (DNS TTL) set in the DNS server. If the content registered in the DNS server (correspondence between the host name and IP address) is changed, the storage node might therefore access the old address until the DNS TTL expires. After changing such content, wait until the time specified for DNS TTL has passed, and then set Syslog transfer.

  • When Syslog transfer of audit logs is set, VSP One SDS Block periodically sends ICMP echo requests to the configured Syslog server to verify network reachability.

  • (Virtual machine)(Bare metal)

    In the audit log Syslog transfer settings, the source IP address is as follows:

    • If the representative IP address of the storage cluster is not set:

      Control network IP address of the cluster master node (primary)

    • If the representative IP address of the storage cluster is set:

      Representative IP address of the storage cluster or control network IP address of the cluster master node (primary)

    The cluster master node (primary) might be changed to another storage node because of storage node failure or other reasons. To ensure that audit logs can be received in such cases, when registering a source IP address, set the representative IP address of the storage cluster and the IP addresses of all storage nodes for the control network.

  • (Cloud)

    Syslog transfers from VSP One SDS Block do not pass through the load balancer, so the source IP address remains the IP address of each storage node for the control network. Therefore, when you register a source IP address, specify the IP address of each cluster master node for the control network, not the IP address assigned to the load balancer.

  • Required role: Security

  1. Set Syslog transfer of audit logs as follows.

    Run either of the following commands with the parameters for setting audit logs specified.

    When you specify the locationName (CLI: --location_name) parameter, observe the following:

    • Number of characters: 1 to 180

    • Characters that can be used: Numbers (0 to 9), uppercase alphabet (A to Z), lowercase alphabet (a to z), symbols (! # $ ' ( ) + - . @ _ ` { } ~)

    REST API: PATCH /v1/objects/audit-log-setting

    CLI: audit_log_setting_set

    Verify the job ID which is displayed after the command is run.

  2. Verify the state of the job by specifying the job ID.

    REST API: GET /v1/objects/jobs/<jobID>

    CLI: job_show

    If the job state is "Succeeded", the job is completed.

  3. In the Syslog server, make settings so that audit logs can be received from VSP One SDS Block.

    See the manual of the Syslog server in use, and make the following settings as required.

    • IP address of Syslog transmission source: Control port IP address of the cluster master node (primary)

    • Port number of Syslog transmission source: Port number set in step 1

    • Communications protocol: Communications protocol set in step 1

  4. Verify that audit logs are correctly transferred to the Syslog server.

    Set Syslog transfer of audit logs again, using the same input values as in step 1.

    If the Syslog transfer setting in VSP One SDS Block and the reception setting in the Syslog server are made properly, the following audit log is transferred to the Syslog server, indicating that the job for audit log Syslog transfer setting has been started. If the log is not transferred, review the setting and the network.

    • Audit event: JOB STARTED FOR audit_log_setting_set

  5. (Virtual machine)(Bare metal) Back up the configuration information.

    Perform this step by referring to Backing up the configuration information (Virtual machine)(Bare metal).

    If you continue operations with other procedures, you must back up the configuration information after you have completed all operations.
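
The source-address rules from the note and the check in step 4, as an added example that is not part of the original guide: it builds the list of source addresses to register on the Syslog server and then tests whether the confirmation audit event arrived from a registered source. The function names, the 192.0.2.x addresses and the message layout of the sample records are constructed; only the audit event string comes from this page.

```python
import ipaddress

# Audit event that step 4 says must reach the Syslog server.
CONFIRM_EVENT = "JOB STARTED FOR audit_log_setting_set"

def expected_sources(platform, control_ips, representative_ip=None):
    """Source addresses to register on the Syslog server (hypothetical helper)."""
    if platform not in ("virtual machine", "bare metal", "cloud"):
        raise ValueError(f"unknown platform: {platform}")
    # Every control network IP, so logs are still accepted after the
    # cluster master node (primary) changes to another storage node.
    sources = {ipaddress.ip_address(ip) for ip in control_ips}
    # Cloud: transfers bypass the load balancer, so no shared address is added.
    if platform != "cloud" and representative_ip:
        sources.add(ipaddress.ip_address(representative_ip))
    return sources

def check_transfer(records, allowed):
    """records: (source_ip, message) pairs as captured by the receiver."""
    confirmed_from, unexpected = [], set()
    for src, message in records:
        if ipaddress.ip_address(src) not in allowed:
            unexpected.add(src)  # a source filter on the receiver drops this
        elif CONFIRM_EVENT in message:
            confirmed_from.append(src)
    return {"confirmed": bool(confirmed_from),
            "confirmed_from": confirmed_from,
            "unexpected_sources": sorted(unexpected)}

# Constructed sample: the setting was re-applied (step 4) after the cluster
# master node moved from 192.0.2.11 to 192.0.2.12. Message layout is invented.
RECORDS = [
    ("192.0.2.12", "audit: JOB STARTED FOR audit_log_setting_set"),
    ("192.0.2.12", "audit: another activity"),
]

# Receiver that registered only the original primary node.
primary_only = expected_sources("bare metal", ["192.0.2.11"])
# Receiver that registered the representative IP and all control IPs.
all_nodes = expected_sources("bare metal",
                             ["192.0.2.11", "192.0.2.12", "192.0.2.13"],
                             representative_ip="192.0.2.10")

if __name__ == "__main__":
    print(check_transfer(RECORDS, primary_only))
    print(check_transfer(RECORDS, all_nodes))
```

With only the original primary registered, the confirmation event is reported as coming from an unexpected source and step 4 fails; with all addresses registered it is confirmed.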