HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)
Fabric OS 6.2 administrator guide 63
Auditable events are generated by the switch and streamed to an external host through a configured
system message log daemon (syslog). You specify a filter on the output to select the event classes that are
sent through the system message log. The filtered events are streamed chronologically and sent to the
system message log on an external host in the specified audit message format. This ensures that they can
be easily distinguished from other system message log events that occur in the network. Then, at some
regular interval of your choosing, you can review the audit events to look for unexpected changes.
Before you configure audit event logging, familiarize yourself with the following audit event log behaviors
and limitations:
• By default, all event classes are configured for audit; to create an audit event log for specific events, you
must explicitly set a filter with the class operand and then enable it.
• Audited events are generated specific to a switch and have no negative impact on performance.
• If you are running Fabric OS versions earlier than 6.0, all Secure Fabric OS events are audited.
• Events are not persistently stored on the switch but are streamed to a system message log.
• The audit log depends on the system message log facility and IP network to send messages from the
switch to a remote host. Because the audit event log configuration has no control over these facilities,
audit events can be lost if the system message log and IP network facilities fail.
• If too many events are generated by the switch, the system message log becomes a bottleneck and
audit events are dropped by the Fabric OS.
• If the user name, IP address, or user interface is not transported, an audit message is logged by adding
the message None to each of the respective fields.
• For High Availability, the audit event logs exist independently on both active and standby CPs. The
configuration changes that occur on the active CP are propagated to the standby CP and take effect.
• Audit log configuration is updated through a configuration download.
Auditable event classes
Before configuring an audit log, you must select the event classes you want audited. When enabled, the
audit log feature audits any RASlog messages (system message log) previously tagged as AUDIT in Fabric
OS 6.0. The audit log includes:
• SEC-3001 through SEC-3017
• SEC-3024 through SEC-3029
• ZONE-3001 through ZONE-3012
Table 6 identifies auditable event classes and the auditCfg command operands used to enable auditing
of a specific class.
Only the active CP can generate audit messages because event classes being audited occur only on the
active CP. Audit messages cannot originate from other blades in an enterprise-class platform.
Table 6 AuditCfg event class operands
Operand Event class Description
1 Zone Audit zone event configuration changes, but not the actual values that
were changed. For example, a message may state, “Zone configuration
has changed,” but the syslog does not display the actual values that were
changed.
2 Security Audit any user-initiated security events for all management interfaces. For
events that have an impact on an entire fabric, an audit is generated
only for the switch from which the event was initiated.
3 Configuration Audit configuration downloads of existing SNMP configuration
parameters. Configuration uploads are not audited.
4 Firmware Audit firmware download start, firmware complete, and any other errors
encountered during a firmware download.
5 Fabric Audit administrative domain-related changes.