View the audit log

The storage system audit records include all actions that are taken on that storage system.

Prerequisites

Audit logs can be large, therefore the list view opens prefiltered to display the last 7 days of data. You are warned that the operation may take a long time when you attempt to retrieve audit log records for a time period of greater than 7 days.

See Roles and associated permissions to determine the user roles that can perform this task.

About this task

The storage system audit records come from the SYMAPI database and include all actions that are taken on that storage system. The audit log resides on the storage system and has a maximum size of 40 MB. Once the 40 MB limit is reached, the log begins to overwrite itself.

The audit log message catalog is a catalog of the audit messages that Solutions Enabler writes to storage systems. A new, standardized audit format has been adopted for storage systems running PowerMaxOS 10 (6079). You can request that this new format is used (instead of the legacy format) on storage systems running HYPERMAX OS 5977 or PowerMaxOS 5978 (see Set system attributes).

Multiple audit records that were previously split up due to a long log message are now combined into a single record.

Beginning in release 9.2, operations that are performed using the Unisphere UI have been added to the audit log. These operations include the following:

  • Performance registration enabled
  • Performance registration disabled
  • CloudIQ data collection enable
  • CloudIQ data collection disable
  • Delete Alert
  • Changes to Job Schedule
  • Delete Job
  • Local User Added
  • Local User Deleted
  • Authentication disabled
  • LDAP/AD Details modified
  • Enable Alert Policy
  • Disable Alert Policy
  • Delete Compliance Alert Policy
  • Edit Compliance Alert Policy
  • Disable System Alert Threshold
  • Delete System Alert Threshold
  • Edit System Alert Threshold
  • Create Performance Alert Threshold
  • Edit Performance Alert Threshold
  • System Alert Level Change
  • Performance Alert Level Change

Audit log records can also be queried using the REST API.

To view the system audit log:

Steps

  1. Select the storage system.
  2. Select Events > Audit Log.

    The following properties are displayed:

    • Record—Unique identifier for the audit entry
    • Date—Date that the audit entry was made.
    • Application—Application operating on the storage system
    • Action Code—Specific audit code for the operation on the storage system
    • Username—Username for the user operating on the storage system
    • User Type—User type of the user operating on the storage system
    • Log Message—Message that is logged
    • Audit Class—Audit class
    • Host Name—Host name
    • OS Type—Operating system running on the host
    • Activity ID—Activity ID for audit record

    Select a record and click Details icon to view additional properties.

    The following properties are displayed:

    • Record Number—Unique identifier for the audit record
    • Text—Information that is associated with the record.
    • Time—Date and time the audit entry was made.
    • Application ID—ID of application operating on the storage system
    • Username—User name for the user operating on the storage system
    • Audit Class—Generic audit category for the operation on the storage system, for example, security
    • Action Code—Specific audit code for the operation on the storage system
    • Host Name—Host operating on the storage system
    • Records in Seq—A sequence of audit records represents one storage system operation. This property is the total number of records in this particular audit sequence.
    • Offset in Seq—Audit entry number within the audit sequence
    • Application Version—Version of the application operating on the storage system
    • API Library—SYMAPI library type
    • API Version—SYMAPI library type
    • OS Name—Name of operating system running on the host
    • OS Revision—OS revision
    • Client Host—Client/Server only
    • Activity ID—Activity ID for audit record
    • Process ID—ID of the process that logged the record
    • Task ID—ID of the task that logged the record

    The audit log records can be filtered in the following manner:

    • Date and Time
      • All
      • Today
      • Yesterday
      • Last 7 days
      • Last 30 days
      • This Month
      • Last Month
      • Custom Range
    • Application Type
      • All
      • application type
    • Username
      • All
      • user ID
    • More
      • Change Control Window
      • User Type
      • Action Code
      • OS Type
      • Host Name
      • Device Group
      • Director Name
      • Director Port
      • Initiator Group
      • Masking View
      • Port
      • Port Group
      • Service Level
      • Snapshot Policy
      • SRDF Group
      • Storage Container
      • Storage Group
      • Storage Resource Pool
      When any of the items under More are selected, a new filter is displayed which allows you to select all or one or more specific instances of the item on which to filter.

    The logs can be searched by entering a search phrase and clicking Search.

    The filters can be cleared individually. In addition, all filters can be cleared.

    To export all or a selection of audit log records, click ExportExport the audit log.