HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)
64
Audit events have the following message format:
AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User
ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch
name>,<Reserved>,<Event-specific information>
Switch names are logged for switch components and enterprise-class platform names for enterprise-class
platform components. For example, an enterprise-class platform name may be FWDL or RAS and a switch
component name may be zone, name server, or SNMP.
Pushed messages contain the administrative domain of the entity that generated the event. See the Fabric
OS Message Reference for details on message formats. For more information on setting up the system error
log daemon, see the Fabric OS Troubleshooting and Diagnostics Guide.
Audit logging assumes that your syslog is operational and running. Before configuring an audit log, you
must perform the following steps to ensure that the host syslog is operational.
Verifying host syslog prior to configuring the audit log
1. Set up an external host machine with a system message log daemon running to receive the audit events
that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to add
the IP address of the host machine so that it can receive the audit events.
You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see some of
the audit messages.
Configuring an audit log for specific event classes
See the Fabric OS Command Reference for more information about the auditCfg command and
command syntax.
1. Connect to the switch from which you wish to generate an audit log and log in using an account
assigned to the admin role.
2. Enter the auditCfg
--class command, which defines the specific event classes to be filtered.
switch:admin> auditcfg --class 2,4
Audit filter is configured.
The auditCfg event class operands are identified in Table 4 on page 43.
3. Enter the auditCfg
--enable command, which enables audit event logging based on the classes
configured in step 2.
switch:admin> auditcfg --enable
Audit filter is enabled.
To disable an audit event configuration, enter the auditCfg
--disable command.
4. Enter the auditCfg
--show command to view the filter configuration and confirm that the correct
event classes are being audited, and the correct filter state appears (enabled or disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. Verify the audit event log setup by making a change affecting an enabled event class and confirming
that the remote host machine receives the audit event messages.
The following example shows the SYSLOG (system message log) output for audit logging.
Oct 10 08:52:06 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:20:19 (GMT),
[SEC-3020], INFO, SECURITY, admin/admin/10.32.220.137/telnet/CLI,