How To Verify Host Syslog Prior To Configuring The Audit Log - HP AA979A - StorageWorks SAN Switch 2/8V Administrator's Manual

Table 6 identifies auditable event classes and auditCfg operands used to enable auditing of a specific
class.
Table 6 AuditCfg Event Class Operands
Operand Event class
1 Zone
2 Security
3 Configuration
4 Firmware
5 Fabric
NOTE:
occur only on the active CP. Audit messages cannot originate from other blades in a chassis.
Audit events have the following message format:
AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP
address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific
information>
Switch names are logged for switch components and chassis names for chassis components. For example,
a chassis name might be FWDL or RAS and a switch component name might be zone, name server, or
SNMP.
Pushed messages contain the administration domain of the entity that generated the event. See the
OS Message Reference
page 267 for details on setting up the system error log daemon.
Audit logging assumes that your syslog is operational and running. Before configuring an audit log, you
must perform the following steps to ensure that the host syslog is operational and running.

How to verify host syslog prior to configuring the audit log

1. Set up an external host machine with a system message log daemon running to receive the audit events
that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdipaddrAdd command to
add the IP address of the host machine so that it can receive the audit events.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see some of
the audit messages.
52 Performing basic configuration tasks
Description
Audit zone event configuration changes, but not the actual values
that were changed. For example, you a message might state,
"Zone configuration has changed," but the syslog does not
display the actual values that were changed.
Audit any user-initiated security event for all management
interfaces. For events that have an impact on an entire fabric, an
audit is generated only for the switch from which the event was
initiated.
Audit configuration downloads of existing SNMP configuration
parameters. Configuration uploads are not audited.
Audit firmware download start, firmware complete, and any other
errors encountered during a firmware download.
Audit administrative domain-related changes.
Only the active CP can generate audit messages because event classes being audited
for details on message formats. See "Working with diagnostic
Fabric
features" on