Transferring audit log to syslog servers

If you configure syslog server settings, the audit log will always be transferred to the syslog server and stored as the syslog files.

You can select either of the following protocols to transfer the audit log to the syslog server. The output file format is different by the selected protocol.

  • TLS1.2/RFC5424
  • UDP/RFC3164
NoteWhen you use UDP/RFC3164, consider the characteristics of UDP (User Datagram Protocol) when designing a network. See http://www.ietf.org./rfc/rfc3164.txt (Request for Comments) issued by IETF (Internet Engineering Task Force) for more details.
NoteKeep a list of the items such as the IP address you entered in the Syslog tab on Edit Audit Log Settings window. You may need to enter them again when an SVP is replaced.

Before you begin

  • You must have Audit Log Administrator (View & Modify) role to configure syslog server settings.
  • Make sure the storage system is connected to syslog servers on a LAN.
  • Make sure the syslog servers are configured so as to transfer audit logs to the syslog servers.
  • The syslog server certificate and the client certificate is required to use TLS1.2/RFC5424. See Command Suite User Guide or Virtual Storage Platform G1000 System Administrator Guide for details.
CautionIf audit logs are transferred before configuring the setting of a syslog server to which the audit logs are transferred, the logs are not saved on the syslog server and lost. See the user manual of the syslog server for the details of the syslog server setting.

Procedure

  1. Click Settings Security Edit Audit Log Settings. Select Syslog tab on the Edit Audit Log Settings window.

  2. Select New Syslog Protocol (TLS1.2/RFC5424) or Old Syslog Protocol (UDP/RFC3164).

  3. Click Enable the Primary Server.

    1. Select IPv4 or IPv6 on Server setting and enter the IP address.

    2. Enter the Port Number in the primary server setting.

    3. Enter client certificate file name, password, and root certificate file name (only when you choose New Syslog Protocol (TLS1.2/RFC5424) at Transfer Protocol).

  4. Perform the following if using a secondary syslog server.

    1. Click Enable the Secondary Server.

    2. Select IPv4 or IPv6 on Server setting and enter the IP address.

    3. Enter the Port Number in the secondary server setting.

    4. Enter client certificate file name, password, and root certificate file name (only when you chose New Syslog Protocol (TLS1.2/RFC5424) at Transfer Protocol).

  5. Enter the name of the storage system from which you are transferring the audit log file in Location Identification Name.

  6. If selected New Syslog Protocol (TLS1.2/RFC5424) for Transfer Protocol, specify Timeout, Retry Interval, and Number of Retries.

  7. If you want to transfer the detailed information of audit log to the syslog server, click Enable for Output Detailed Information.

  8. Click Send Test Message to Syslog Server to test the settings.

  9. Check that the test log (function name AuditLog, operation name Send Test Message) has been sent to the syslog server.

  10. Click Finish.

  11. Confirm the settings from the setting confirmation window, and then enter the task name on Task Name.

  12. Click Apply. The task is registered. If you check the Go to tasks window for status check box, the Task window is displayed.

  13. Confirm that the syslog server is receiving the log of syslog server setting when the task has completed. The function name of the log is "AuditLog" and the operation name is "Set Syslog Server".

Results

If the audit log is not received by the syslog server, check whether the set IP address and port number matches the IP address and port number of the syslog server, and make sure that the Client Certificate File Name, password, and the Root Certificate File Name are correct. If the settings are correct, check the syslog server setting. See the user manual of the syslog server for the details of the syslog server setting.