Message part

The following is an example of the message part. Each triangle (△) in the example indicates a space. Each number in the example corresponds to the equivalent in the following table.

Depending on the type of audit log, the value of a specific item might be empty. (Items that become empty characters differ depending on the type of audit log.)

Note:

In syslog transfer, "%xEF.BB.BF" is added as the byte order mark (BOM) to the beginning of the message part (before "CELFSS" in the following figure).

No.	Item	Description
1	Unified specification identifier	Fixed to "CELFSS." This ID indicates that this audit log complies with the unified specification for Hitachi storage security products.
2	Revision number of the unified specification	Fixed to "1.1".
3	Blank item	Empty character.
4	Serial number	Serial number in the audit log (0000000001 to 9999999999) Some events might not be assigned serial numbers depending on the time the audit log was filed.
5	Blank item (for three items)	Empty character.
6	Type of audit event	Type of event under audit.
7	Result of audit event	Result of an event under audit: "Success": The event succeeded. "Failed": The event did not succeed. "Occurred": The event occurred.
8	Subject identification	Subject that caused the event under audit. The output content differs depending on the cause of the event: Username (e.g., uid=userID): The event was generated through the REST API, CLI, VSP One SDS Block Administrator or console interface execution. "<`System`>": The event is generated through notification from the storage cluster. iSCSI name (e.g., iSN=`iSCSI-name`): The event was generated through access from the compute node.
9	Storage cluster identification	Product type identifier. The following format is used: <`model-name`>: <`Internal-ID-(internalId)-of-the-storage-cluster`> <`model-name`> is replaced by either of the following: "VSSBB1": Indicates the bare metal model. "VSSBA1": Indicates the cloud model.
10	Blank item	Empty character.
11	Location identification	Location of the audit log output source, such as the installation location of equipment.
12	Blank item (for three items)	Empty character.
13	Request source host	Host name or IP address of the request source of the event under audit.^*
14	Request source port	Request source port of the event under audit.^*
15	Request destination host	Host name or IP address of the request destination of the event under audit.^*
16	Request destination port	Request destination port of the event under audit.^*
17	Blank item (for two items)	Empty character.
18	Application identification	Name of the application that caused an event generating an audit log.
19	Blank item	Empty character.
20	External interface	Name of the external interface that caused an event generating an audit log. "REST": Access through the REST API (including VSP One SDS Block Administrator and CLI) "CONSOLE": Access through the console interface "HOST": Access from the compute node
21	Audit event	Name of the executed operation or event.
22	Detailed information	Detailed information about the audit event.
* When you have created, downloaded, or deleted a dump log file by using the VSP One SDS Block Administrator, an audit log whose "Type of audit event" is ConfigurationAccess and that has USER REQUEST RECEIVED FOR followed by either of the following strings, and whose request source is localhost/127.0.0.1/0:0:0:0:0:0:0:1/::1, is displayed. DUMP_FILE_CREATE_FILE DUMP_FILE_DOWNLOAD DUMP_FILE_DELETE If you want to confirm the request source for creation, downloading, and deletion of a dump log file by using the VSP One SDS Block Administrator, view an audit log that has USER REQUEST RECEIVED FOR followed by either of the following strings. Creating a dump log file by using the VSP One SDS Block Administrator: STORAGE_NODE_DUMP_FILE_CREATE_FILE Downloading a dump log file by using the VSP One SDS Block Administrator: STORAGE_NODE_DUMP_FILE_DOWNLOAD Deleting a dump log file by using the VSP One SDS Block Administrator: STORAGE_NODE_DUMP_FILE_DELETE