Acquisition/reference of audit logs

Audit logs are stored in either the SVP or the storage system, depending on the type of audit log. To acquire or refer to the stored audit logs, they must be transferred to syslog servers.

After you configure the transfer of audit logs to syslog servers, audit logs stored in the SVP or the storage system are transferred to the syslog servers automatically and continuously. See the Hitachi Device Manager - Storage Navigator User Guide for the procedure for transferring audit logs to syslog servers.

Note: The capacity for audit logs that can be stored in the SVP or the storage system is limited. When the stored audit logs reach the maximum capacity, the oldest data is lost as it is overwritten by the newest data, so it is recommended to transfer audit logs to syslog servers.

When audit logs are not transferred

If audit logs cannot be transferred to syslog servers, for example because of a LAN failure, they accumulate as non-transferred logs. Once non-transferred logs are accumulated, the icon showing the accumulated status in the window changes or a SIM is generated.

When syslog servers are not used, logs accumulate as non-transferred logs, but the icon showing the accumulated status in the window does not change and no SIM is generated.

Storage place of audit logs

Maximum number of lines (see note 1)

When non-transferred logs are accumulated

SVP

250,000 lines

The icon shown in the upper right of the main window changes.

  • : The number of accumulated logs is below the threshold (see note 2).
  • : The number of accumulated logs reaches the threshold.
  • : Some audit logs are overwritten and a part of the data is lost because the file is full.

Storage system (GUM)

1,000 lines

A SIM is generated.

  • Reference code 7d03xx (see note 3): The number of accumulated logs reaches the threshold (see note 2).
  • Reference code 7d04xx (see note 3): Some audit logs are overwritten and some data is lost because the file is full.

Storage system (DKC)

VSP G200: 20,000 lines

VSP G400, G600: 40,000 lines

VSP F400, F600: 40,000 lines

VSP G800: 140,000 lines

VSP F800: 140,000 lines

Notes:

  1. The number of lines is an estimate, depending on the type of the log information.
  2. The threshold is 70% of the maximum stored capacity of the audit logs. When the audit log file reaches the maximum capacity, the oldest data is lost as it is overwritten by the newest data (wrap around).
  3. xx=00: Indicates an event occurred on the CTL1 side

    xx=01: Indicates an event occurred on the CTL2 side
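
The following is an added example, not part of the original documentation: a small Python triage routine that decodes the two audit-log SIM reference codes from the table and reports the most severe condition per controller. The layout of the sample alert lines and the names decode and worst_state are assumptions; only the reference codes and the xx values come from this page.

```python
import re

# Reference codes from the table above: 7d03xx = threshold reached,
# 7d04xx = audit logs overwritten. xx selects the controller (note 3).
CONDITIONS = {"7d03": ("threshold", 1), "7d04": ("overwritten", 2)}
CONTROLLERS = {"00": "CTL1", "01": "CTL2"}
CODE_RE = re.compile(r"\b(7d0[34])([0-9a-f]{2})\b", re.IGNORECASE)


def decode(ref_code):
    """Return (condition, controller) for an audit-log SIM code, else None."""
    m = CODE_RE.fullmatch(ref_code.strip())
    if not m:
        return None
    condition, _rank = CONDITIONS[m.group(1).lower()]
    # Only xx=00 and xx=01 are documented; anything else is reported as unknown.
    controller = CONTROLLERS.get(m.group(2).lower(), "unknown")
    return condition, controller


def worst_state(lines):
    """Scan alert lines and keep the most severe condition seen per controller."""
    state = {}
    for line in lines:
        for m in CODE_RE.finditer(line):
            condition, controller = decode(m.group(0))
            rank = CONDITIONS[m.group(1).lower()][1]
            if rank > state.get(controller, ("", 0))[1]:
                state[controller] = (condition, rank)
    return {ctl: cond for ctl, (cond, _) in state.items()}


# Constructed sample lines; the line layout is an assumption, only the
# reference codes follow the page.
SAMPLE = [
    "2024-05-01T10:00:00 SIM refcode=7d0300 service",
    "2024-05-01T10:05:00 SIM refcode=3a1234 unrelated",
    "2024-05-01T11:30:00 SIM refcode=7D0400 service",
    "2024-05-01T11:31:00 SIM refcode=7d0301 service",
]

if __name__ == "__main__":
    for ctl, cond in sorted(worst_state(SAMPLE).items()):
        action = "audit records lost" if cond == "overwritten" else "logs not being transferred"
        print(f"{ctl}: {cond} ({action})")
```

An "overwritten" result means the audit trail for that controller has a gap, so it should be escalated ahead of a "threshold" result, which still leaves time to restore the syslog transfer.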

When syslog servers are not used

Eliminate the cause of the transfer failure to the syslog server, and then run a test syslog transfer to confirm that transmission has recovered.