Acquisition/reference of audit logs

Audit logs are stored in either the SVP or the storage system. (Where a log is stored depends on the type of the audit log.) To acquire or refer to the stored audit logs, the logs need to be transferred to syslog servers.

Once transfer of audit logs to syslog servers is set, audit logs stored in the SVP or the storage system are automatically transferred to syslog servers at all times. Refer to Related topics below for the procedure for transferring audit logs to syslog servers.

Note: The capacity for audit logs that can be stored in the SVP or the storage system is limited. When the stored audit logs reach the maximum capacity, the oldest data is lost as it is overwritten by the newest data, so it is recommended to transfer audit logs to syslog servers.

When audit logs are not transferred or syslog servers are not used

If audit logs are not transferred to syslog servers due to a LAN failure etc., the logs accumulate as non-transferred logs. Once non-transferred logs have accumulated, the icon showing the accumulated status in the window changes or a SIM is generated.

When syslog servers are not used, logs also accumulate as non-transferred logs, but the icon showing the accumulated status in the window does not change and no SIM is generated.

Storage place of audit logs: SVP
Maximum number of lines (note 1): 250,000 lines
When non-transferred logs are accumulated: The icon shown in the upper right of the main window changes.

  • [icon]: The number of accumulated logs is below the threshold (note 2).
  • [icon]: The number of accumulated logs reaches the threshold.
  • [icon]: Some audit logs are overwritten and a part of the data is lost because the file is full.

Storage place of audit logs: Storage system (GUM)
Maximum number of lines (note 1): 1,000 lines
When non-transferred logs are accumulated: A SIM is generated.

  • Reference code (7d03xx, note 3): The number of accumulated logs reaches the threshold (note 2).
  • Reference code (7d04xx, note 3): Some audit logs are overwritten and some data are lost because the file is full.

Storage place of audit logs: Storage system (DKC)
Maximum number of lines (note 1):

  • VSP G200: 20,000 lines
  • VSP G400, G600: 40,000 lines
  • VSP F400, F600: 40,000 lines
  • VSP G800: 140,000 lines
  • VSP F800: 140,000 lines

Notes:

  1. The number of lines is an estimate, depending on the type of the log information.
  2. The threshold is 70% of the maximum stored capacity of the audit logs. When the audit log file reaches the maximum capacity, the oldest data is lost as it is overwritten by the newest data (wrap around).
  3. xx=00: Indicates an event occurred on the CTL1 side.
     xx=01: Indicates an event occurred on the CTL2 side.

Perform the following when non-transferred logs are accumulated.

  • Export non-transferred logs.

    All stored audit logs including transferred logs are exported in this operation.

  • The operation window to use depends on where the audit logs are stored. Refer to Related topics below for the procedure for exporting audit logs.

    Type/contents of audit log:

      • Logs of operations set by the management client (except operations in the maintenance utility menu)
      • Operation logs of encryption keys for encrypting stored data
      • Execution logs of Remote Maintenance API

    Stored place: SVP
    Exporting operation window: Audit Log Properties window

    Type/contents of audit log:

      • Operation logs of maintenance utility
      • Maintenance operation logs of Maintenance PC
      • Event logs of encryption keys for encrypting stored data
      • Logs of commands received by the storage system from a host or from computers using CCI

    Stored place: Storage system (GUM and DKC)
    Exporting operation window: Audit Log Settings window

  • Eliminate the cause of the transfer failure to the syslog server, and then conduct a test transfer of syslogs to confirm that the transmission is recovered.
    Note: Even if the transmission is recovered, audit logs generated during the transfer failure are not retransferred.
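
A triage sketch for the SIM reference codes listed above, added here as an example and not vendor code. The codes, the CTL1/CTL2 suffixes, the 70% threshold and the 1,000-line GUM limit come from this page; the alert-line layout (timestamp first, code as a separate token), the function names and the sample lines are assumptions.

```python
import re

THRESHOLD_PCT = 70      # note 2: threshold is 70% of maximum stored capacity
GUM_MAX_LINES = 1000    # GUM row above (an estimate, per note 1)

# 7d03xx = threshold reached, 7d04xx = oldest entries overwritten;
# xx = 00 for CTL1, 01 for CTL2 (note 3).
SIM_RE = re.compile(r"\b7d0([34])(0[01])\b", re.IGNORECASE)
CONTROLLER = {"00": "CTL1", "01": "CTL2"}

# Constructed sample alerts; the "timestamp ... refcode=" layout is an assumption.
SAMPLE_ALERTS = [
    "2024-05-01T02:10:00Z SIM refcode=7d0300",
    "2024-05-01T02:55:00Z SIM refcode=7d0400",
    "2024-05-01T03:00:00Z SIM refcode=7d0301",
    "2024-05-01T03:05:00Z SIM refcode=123456",  # unrelated code, ignored
    "2024-05-01T03:20:00Z SIM refcode=7d0400",  # repeat, first sighting is kept
]

def headroom(max_lines):
    """Lines that can still accumulate after the threshold SIM before wrap-around."""
    return max_lines - max_lines * THRESHOLD_PCT // 100

def triage(alert_lines):
    """Map each controller to its worst audit-log state and first-seen times."""
    status = {}
    for line in alert_lines:
        match = SIM_RE.search(line)
        if not match:
            continue
        timestamp = line.split()[0]
        event = "threshold" if match.group(1) == "3" else "overwritten"
        entry = status.setdefault(CONTROLLER[match.group(2)], {
            "state": "threshold", "threshold": None, "overwritten": None})
        if entry[event] is None:
            entry[event] = timestamp
        if event == "overwritten":
            entry["state"] = "overwritten"   # data loss outranks the warning
    return status

if __name__ == "__main__":
    for ctl, entry in sorted(triage(SAMPLE_ALERTS).items()):
        if entry["state"] == "overwritten":
            print(f"{ctl}: overwrite reported at {entry['overwritten']}; "
                  "export what remains and record the gap")
        else:
            print(f"{ctl}: threshold reached at {entry['threshold']}; export before "
                  f"about {headroom(GUM_MAX_LINES)} more lines accumulate")
```

Because logs generated during a transfer failure are not retransferred, a controller in the overwritten state has a permanent gap on the syslog side that only an export can partly fill.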