Event Auditing - Brocade Communications Systems A7533A - Brocade 4Gb SAN Switch Base Reference Manual

1
Overview of System Messages
•
•
•
•

EVENT AUDITING

Event auditing is designed to support post-event audtis and problem determination based on
high-frequency events of certain types such as security violations, zoning configuration changes,
firmware downloads, and certain types of fabric events. Pre-Fabric OS v5.2.0 generated a subset of
messages flagged as AUDIT in the RASLog to identify some of this type of output in addition to error
log messages. In Fabric OS v5.2.0 and later, messages flagged as AUDIT are no longer saved in the
switch's error logs. Instead, the switch can be configured to stream Audit messages to the switch
console and to forward the messages to specified syslog server(s). There is no limit to the number
of audit events.
For any given event, AUDIT messages capture the following information:
•
•
•
•
•
The following five event classes can be audited:
TABLE 1
Operand Event Class
1
2
3
4
5
2
Messages are numbered sequentially from 1 to 2,147,483,647 (0x7ffffff). The sequence
number will continue to increase beyond the storage limit of 1024 messages. The sequence
number can be reset to 1 using the errClear command. The sequence number is persistent
across power cycles and switch reboots.
By default, the errDump and errShow commands display all of the system error messages.
Trace dump, first-time failure detection capture (FFDC), and core dump files can be uploaded
to the FTP server using the supportSave command.
It is recommended to configure the syslogd facility as a management tool for error logs. This is
particularly important for dual-domain switches, as the syslogd facility saves messages from
two logical switches as a single file and in sequential order. See
(syslogd)" on page 3 for more information.
User Name: The name of the user who triggered the action.
User Role: for example, root or admin.
Event Name: The name of the event that occurred.
Status: The status of the event that occurred: success or failure.
Event Info: Information about the event.
Description
Zone You can audit zone event configuration changes, but not the actual
values that were changed. For example, you may receive a message
that states "Zone configuration has changed," but the message
does not display the actual values that were changed.
Security Security: You can audit any user-initiated security event for all
management interfaces. For events that have an impact on the
entire fabric, an audit is only generated for the switch from which the
event was initiated.
Configuration Configuration: You can audit configuration downloads of existing
SNMP configuration parameters. Configuration uploads are not
audited.
Firmware You can audit configuration downloads of existing SNMP
configuration parameters. Configuration uploads are not audited.
Fabric You can audit Administration Domain related changes.
"System Logging Daemon
Fabric OS Message Reference
53-1000600-01