Event Auditing - Brocade Communications Systems 8 Reference

1
Overview of System Messages
•
•

Event Auditing

Event auditing is designed to support post-event audits and problem determination based on
high-frequency events of certain types such as security violations, zoning configuration changes,
firmware downloads, and certain types of fabric events. Fabric OS versions earlier than v5.2.0
generated a subset of messages flagged as AUDIT in the RASLog to identify some of this type of
output in addition to error log messages. In Fabric OS v5.2.0 and later, messages flagged as AUDIT
are no longer saved in the switch's error logs. Instead, the switch can be configured to stream Audit
messages to the switch console and to forward the messages to specified syslog servers. There is
no limit to the number of audit events.
For any given event, AUDIT messages capture the following information:
•
•
•
•
•
The five event classes described in the following table can be audited.
TABLE 1
Operand Event Class
1
2
3
4
5
Fabric OS v6.4.0 generates component-specific Audit messages see
Event auditing is a configurable feature, set to off by default. You must enable event auditing by
configuring the syslog daemon to send the events to a configured remote host using the
syslogIpAdd command. You can set up filters to screen out particular classes of events using the
auditCfg command (the classes include zone, security, configuration, firmware, and fabric). The
2
Trace dump, first-time failure detection capture (FFDC), and core dump files can be uploaded
to the FTP server using the supportSave command.
It is recommended to configure the syslogd facility as a management tool for error logs. This is
particularly important for dual-domain switches because the syslogd facility saves messages
from two logical switches as a single file and in sequential order. See
(syslogd)" on page 3 for more information.
User Name - The name of the user who triggered the action.
User Role - The access level of the user, such as, root or admin.
Event Name - The name of the event that occurred.
Status - The status of the event that occurred: success or failure.
Event Info - Information about the event.
Description
Zone You can audit zone event configuration changes, but not the actual
values that were changed. For example, you may receive a message
that states "Zone configuration has changed," but the message
does not display the actual values that were changed.
Security You can audit any user-initiated security event for all management
interfaces. For events that have an impact on the entire fabric, an
audit is only generated for the switch from which the event was
initiated.
Configuration You can audit configuration downloads of existing SNMP
configuration parameters. Configuration uploads are not audited.
Firmware You can audit configuration downloads of existing SNMP
configuration parameters. Configuration uploads are not audited.
Fabric You can audit Administration Domain related changes.
"System Logging Daemon
"Audit Log Messages".
Fabric OS Message Reference
53-1001767-01