Users Guide

Fabric OS Administrator’s Guide
53-1002920-02
Audit log configuration
Auditable events are generated by the switch and streamed to an external host through a
configured system message log daemon (syslog). You specify a filter on the output to select the
event classes that are sent through the system message log. The filtered events are streamed
chronologically and sent to the system message log on an external host in the specified audit
message format. This ensures that they can be easily distinguished from other system message log
events that occur in the network. Then, at some regular interval of your choosing, you can review
the audit events to look for unexpected changes.
Before you configure audit event logging, familiarize yourself with the following audit event log
behaviors and limitations:
• By default, all event classes are configured for audit; to create an audit event log for specific
  events, you must explicitly set a filter with the class operand and then enable it.
• Audited events are generated specific to a switch and have no negative impact on
  performance.
• The last 256 events are persistently stored on the switch and are streamed to a system
  message log.
• The audit log depends on the system message log facility and IP network to send messages
  from the switch to a remote host. Because the audit event log configuration has no control over
  these facilities, audit events can be lost if the system message log and IP network facilities fail.
• If too many events are generated by the switch, the system message log becomes a bottleneck
  and audit events are dropped by the Fabric OS.
• If the user name, IP address, or user interface is not transported, None is used instead for
  each of the respective fields.
• For High Availability, the audit event logs exist independently on both active and standby CPs.
  The configuration changes that occur on the active CP are propagated to the standby CP and
  take effect.
• Audit log configuration is also updated through a configuration download.
Before configuring an audit log, you must select the event classes you want audited.
NOTE
Only the active CP can generate audit messages because event classes being audited occur only on
the active CP. Audit messages cannot originate from other blades in a Backbone.
Switch names are logged for switch components and Backbone names for Backbone components.
For example, a Backbone name may be FWDL or RAS and a switch component name may be zone,
name server, or SNMP.
Pushed messages contain the administrative domain of the entity that generated the event. Refer
to the Fabric OS Message Reference for details on event classes and message formats. For more
information on setting up the system error log daemon, refer to the Fabric OS Troubleshooting and
Diagnostics Guide.
NOTE
If an AUDIT message is logged from the CLI, any environment variables will be initialized with proper
values for login, interface, IP and other session information. Refer to the Fabric OS Message
Reference for more information.
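
The following is an added example, not part of the Fabric OS documentation: a Python review script for the periodic check described above. It separates AUDIT lines from other system message log traffic, then flags events whose user name, IP address, or interface was logged as None, or whose source address is outside an expected set. The field layout in the regular expression, the sample lines, the message IDs, and the expected_ips list are constructed assumptions; take the real layout from the Fabric OS Message Reference.

```python
import re
from collections import Counter

# ASSUMED payload layout (hypothetical; confirm in the Fabric OS Message Reference):
#   AUDIT, <timestamp>, [<msg-id>], <severity>, <class>,
#   <user>/<role>/<ip>/<interface>/<app>, <admin domain>/<switch>, <reserved>, <text>
AUDIT_RE = re.compile(
    r"AUDIT, (?P<ts>[^,]+), \[(?P<msg_id>[^\]]+)\], (?P<severity>\w+), "
    r"(?P<cls>\w+), (?P<user>[^/]*)/(?P<role>[^/]*)/(?P<ip>[^/]*)/"
    r"(?P<interface>[^/]*)/(?P<app>[^,]*), (?P<origin>[^,]*), [^,]*, (?P<text>.*)$"
)

# Constructed sample syslog lines (not real switch output); line 3 is non-audit traffic.
SAMPLE = """\
Jan 10 09:54:03 sw1 AUDIT, 2024/01/10-09:54:03 (GMT), [EX-0001], WARNING, SECURITY, admin/admin/192.0.2.10/ssh/CLI, ad_0/sw1, , constructed login failure
Jan 10 09:55:10 sw1 AUDIT, 2024/01/10-09:55:10 (GMT), [EX-0002], INFO, ZONE, None/None/None/None/CLI, ad_0/sw1, , constructed zone change
Jan 10 09:56:00 sw1 [EX-0003], constructed non-audit message
Jan 10 09:57:30 sw1 AUDIT, 2024/01/10-09:57:30 (GMT), [EX-0004], INFO, CONFIGURATION, admin/admin/198.51.100.7/ssh/CLI, ad_0/sw1, , constructed config download
""".splitlines()


def parse_audit(lines):
    """Yield one dict per AUDIT line; all other syslog lines are skipped."""
    for line in lines:
        match = AUDIT_RE.search(line)
        if match:
            yield match.groupdict()


def review(lines, expected_ips):
    """Return (event count per class, findings that need a human look)."""
    per_class, findings = Counter(), []
    for ev in parse_audit(lines):
        per_class[ev["cls"]] += 1
        # The switch logs the literal None when session data was not transported.
        missing = [f for f in ("user", "ip", "interface") if ev[f] == "None"]
        if missing:
            findings.append((ev["ts"], ev["msg_id"], "no session info: " + ",".join(missing)))
        elif ev["ip"] not in expected_ips:
            findings.append((ev["ts"], ev["msg_id"], "unexpected source " + ev["ip"]))
    return per_class, findings


if __name__ == "__main__":
    counts, issues = review(SAMPLE, expected_ips={"192.0.2.10"})  # hypothetical admin host
    print(dict(counts))
    for issue in issues:
        print(*issue, sep=" | ")
```

Because audit events can be lost or dropped before they reach the external host, a review that finds nothing does not prove that no change occurred.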