Acquisition/reference of audit logs

Audit logs are stored in either the SVP or the storage system, depending on the type of audit log. To acquire or refer to the stored audit logs, transfer them to syslog servers.

Once transfer to syslog servers is configured, audit logs stored in the SVP or the storage system are transferred to the syslog servers automatically at all times. See Related topics below for the procedure for transferring audit logs to syslog servers.

Note: The capacity for audit logs that can be stored in the SVP or the storage system is limited. When the stored audit logs reach the maximum capacity, the oldest data is lost because it is overwritten by the newest data, so it is recommended to transfer audit logs to syslog servers.

When audit logs are not transferred or syslog servers are not used

If audit logs are not transferred to syslog servers due to a LAN failure etc., the logs accumulate as non-transferred logs. Once non-transferred logs accumulate, the icon showing the accumulation status in the window changes or a SIM is generated.

When syslog servers are not used, logs also accumulate as non-transferred logs, but the icon showing the accumulation status in the window does not change and no SIM is generated.

Storage place of audit logs: SVP

  Maximum stored capacity (maximum number of lines): 250,000 lines

  When non-transferred logs are accumulated: The icon shown in the upper right of the main window changes.

    • [icon]: The number of accumulated logs is below the threshold (Note 1).

    • [icon]: The number of accumulated logs reaches the threshold.

    • [icon]: Some audit logs are overwritten and a part of the data is lost because the file is full.

Storage place of audit logs: Storage system

  Maximum stored capacity (maximum number of lines): 1,000 lines

  When non-transferred logs are accumulated: A SIM is generated.

    • Reference code 7d03xx (Note 2): The number of accumulated logs reaches the threshold (Note 1).

    • Reference code 7d04xx (Note 2): Some audit logs are overwritten and some data are lost because the file is full.

Notes:

  1. The threshold is 70% of the maximum stored capacity of the audit logs. When the audit log file reaches the maximum capacity, the oldest data is lost as it is overwritten by the newest data (wrap around).

  2. xx=00: Indicates an event occurred on the CTL1 side

     xx=01: Indicates an event occurred on the CTL2 side

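When non-transferred logs are accumulated, export the audit logs from the exporting operation window shown below for the place where they are stored.

This operation exports all stored audit logs, including logs that have already been transferred.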

Type/contents of audit log:

  • Operations set by the management client (except operations in the Maintenance Utility menu)

  • Operations and events on encryption keys for encrypting stored data

  • Execution logs of Remote Maintenance API

  • Commands that the storage system received from a host or computers using CCI

  Stored place: SVP

  Exporting operation window: Audit Log Properties window

Type/contents of audit log:

  • Operations using Maintenance Utility

  • Maintenance operations from Maintenance PC

  Stored place: Storage system

  Exporting operation window: Audit Log Settings window

Note: Even if the transmission is recovered, audit logs generated during the transfer failure are not retransferred.
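The following is an added example, not code from the product or its documentation. It models the wrap-around and no-retransfer behavior described above to show when lines from a transfer outage become unrecoverable. The `simulate` function, the single-buffer model of each store, and the way accumulated lines are counted are assumptions made for illustration.

```python
from collections import deque

# From the tables above: maximum stored lines and the window used to export.
STORES = {
    "SVP": (250_000, "Audit Log Properties window"),
    "Storage system": (1_000, "Audit Log Settings window"),
}
THRESHOLD_PCT = 70  # Note 1: threshold is 70% of the maximum stored capacity


def simulate(store, periods):
    """Replay (lines_generated, transfer_ok) periods against one audit log store.

    Assumed model: the store is a single wrap-around buffer of lines, and a
    line written while the transfer is failing is never retransferred, so it
    stays non-transferred until it is exported or overwritten.
    """
    capacity, export_window = STORES[store]
    ring = deque(maxlen=capacity)   # True = line was delivered to syslog
    lost = 0                        # non-transferred lines overwritten
    for lines, transfer_ok in periods:
        for _ in range(lines):
            if len(ring) == capacity and not ring[0]:
                lost += 1           # wrap-around destroys an unexported line
            ring.append(transfer_ok)
    pending = ring.count(False)     # non-transferred lines still exportable
    if lost:
        state = "data lost"
    elif pending >= capacity * THRESHOLD_PCT // 100:
        state = "threshold reached"
    else:
        state = "below threshold"
    return {"state": state, "pending": pending, "lost": lost,
            "export_from": export_window}


if __name__ == "__main__":
    # Constructed scenario: 100 lines delivered, a 200-line outage, then
    # 900 lines delivered after the LAN recovers.
    scenario = [(100, True), (200, False), (900, True)]
    for store in STORES:
        print(store, simulate(store, scenario))
```

In the constructed scenario the storage system store loses 100 of the outage lines after the transfer has recovered, because later lines wrap over entries that were never retransferred or exported, while the SVP store still holds all 200.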

Related topics