Configuring The Audit Log; Auditable Event Classes - HP AE370A - Brocade 4Gb SAN Switch 4/12 Administrator's Manual

HP StorageWorks Fabric OS 5.2.x administrator guide (5697-0014, May 2009)

Configuring the audit log

When managing SANs, you may wish to filter, or audit, certain classes of events to ensure that you can
view and generate a paper trail, or "audit log," for what is happening on a switch, particularly for
security-related event changes. These events include login failures, zone configuration changes, firmware
downloads, and other configuration changes; in other words, critical changes that have a serious effect
on the operation and security of the switch.

Important information related to event classes is also tracked and made available. For example, you can
track changes from an external source via user name, IP address, or type of management interface used to
access the switch.

Auditable events are generated by the switch and streamed to an external host through a configured
system message log daemon (syslog). You specify a filter on the output to select the event classes that are
sent through the system message log. The filtered events are streamed chronologically and sent to the
system message log on an external host in the specified audit message format. This ensures that they can
be easily distinguished from other system message log events that occur in the network. Then, at some
regular interval of your choosing, you can review the audit events to look for unexpected changes.

Before you configure audit event logging, familiarize yourself with the following audit event log behaviors
and limitations:

• By default, all event classes are configured for audit; to create an audit event log for specific events,
  you must explicitly set a filter via the class operand and then enable it.
• Audited events are generated specific to a switch and have no negative impact on performance.
• All Secure Fabric OS events are audited.
• Events are not persistently stored on the switch but are streamed to a system message log.
• The audit log depends on the system message log facility and IP network to send messages from the
  switch to a remote host. Because the audit event log configuration has no control over these facilities,
  audit events can be lost if the system message log and IP network facilities fail.
• If too many events are generated by the switch, the system message log will become a bottleneck and
  audit events will be dropped by the Fabric OS.
• If the user name, IP address, or user interface is not transported, an audit message is logged by adding
  the message None to each of the respective fields.
• For High Availability, the audit event logs exist independently on both active and standby CPs. The
  configuration changes that occur on the active CP are propagated to the standby CP and take effect.
• Audit log configuration is updated via a configuration download.

See the Fabric OS Command Reference Manual for more information about the auditCfg command and
command syntax.

Auditable Event Classes

You configure the audit log using the auditCfg command. Before configuring an audit log, you must
select the event classes you want audited. When enabled, the audit log feature audits any RASLOG
messages (system message log) previously tagged as AUDIT in Fabric OS v5.1.0, which includes:
• SEC-3001 through SEC-3017
• SEC-3024 through SEC-3029
• ZONE-3001 through ZONE-3012
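
For the periodic review on the external syslog host, the following is an added example (not part of the HP guide) that picks out lines whose message ID falls in the ranges listed above and flags those carrying None in place of the user name, IP address, or interface. The sample lines and their field layout are constructed assumptions; only the ID ranges and the literal None come from this page.

```python
import re
from collections import Counter

# Inclusive message-ID ranges the page lists as tagged AUDIT.
AUDIT_RANGES = {"SEC": [(3001, 3017), (3024, 3029)], "ZONE": [(3001, 3012)]}
MSG_ID = re.compile(r"\b([A-Z]+)-(\d{4})\b")


def audit_id(line):
    """Return the first listed audit message ID in a syslog line, or None."""
    for module, num in MSG_ID.findall(line):
        n = int(num)
        if any(lo <= n <= hi for lo, hi in AUDIT_RANGES.get(module, [])):
            return f"{module}-{num}"
    return None


def review(lines):
    """Return (audit hits, hits whose origin fields were not transported)."""
    hits, no_origin = [], []
    for line in lines:
        mid = audit_id(line)
        if mid is None:
            continue
        hits.append((mid, line))
        # The switch logs None when user name, IP address or interface is
        # missing. Matching the bare word anywhere is an assumed heuristic.
        if re.search(r"\bNone\b", line):
            no_origin.append((mid, line))
    return hits, no_origin


def summary(lines):
    """Count audit hits per module (SEC, ZONE) for a quick review report."""
    return Counter(mid.split("-")[0] for mid, _ in review(lines)[0])


# Constructed sample lines; layout, hosts and addresses are assumptions.
# SEC-3020 and DEMO-1001 are deliberately outside the listed ranges.
SAMPLE = [
    "Jun  3 10:02:11 sw1 AUDIT, [SEC-3016], INFO, admin/10.0.0.5/telnet, login failed",
    "Jun  3 10:05:40 sw1 AUDIT, [ZONE-3004], INFO, None/None/None, zone config change",
    "Jun  3 10:06:02 sw1 [DEMO-1001], WARNING, unrelated system message",
    "Jun  3 10:07:19 sw1 AUDIT, [SEC-3020], INFO, admin/10.0.0.5/ssh, login ok",
]

if __name__ == "__main__":
    hits, no_origin = review(SAMPLE)
    print(len(hits), "audit events;", len(no_origin), "without origin info")
```

Because audit events can be dropped when syslog or the IP network fails, an empty result from such a review does not by itself show that no changes occurred.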