Audit Log Management

The audit log keeps records of all user-initiated non-read operations performed on the array, and which user performed each operation. You can search the audit log by activity and object type, name, or both. You can also filter the audit log by time range, username, activity category, and access type. Administrators can view the audit log in a summary table with faceted browsing by time, activity category, and access type.

Audit logging has changed from version 2.2.3.0, including which operations are audited and the syslog message format. Operations are not audited on non-group leader arrays, or on the standby controller of the group leader array, to which only the root user has access. In addition, console logout is not audited. Operations cannot be logged before the group is set up, which is when audit logging begins.

Audit logs, along with alerts, are posted to a syslog server if one is configured, using the following format:

Jan 22 17:51:01 sjc-b11-va-B NMBL: Group:group-sjc-b11-va Type:2001 Time:Thu Jan 22 17:51:01 2015#012 Id:275 Object Id:- Object:vol-10 Access Type:pam Client IP:10.20.20.248 Status:Succeeded
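
A parser for the syslog line shown above, as an added example that is not part of the original documentation. It anchors on the field names from the sample because keys such as "Object Id" contain spaces, and it assumes "#012" is the syslog daemon's octal escape for a newline; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Field names in the order they appear in the sample line on this page.
FIELDS = ["Group", "Type", "Time", "Id", "Object Id", "Object",
          "Access Type", "Client IP", "Status"]
# Syslog header: "Mon DD HH:MM:SS host tag: body"
HEADER = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(\w+):\s(.*)$")
# One lazy capture per field, anchored on the literal key names.
BODY = re.compile(r"\s+".join(re.escape(k) + r":(.*?)" for k in FIELDS) + r"\s*$")

def parse_audit_line(line):
    """Return a dict for one audit syslog line, or None if it does not match."""
    head = HEADER.match(line.strip())
    body = BODY.match(head.group(4)) if head else None
    if not body:
        return None
    rec = dict(zip(FIELDS, (v.strip() for v in body.groups())))
    rec["Host"], rec["Tag"] = head.group(2), head.group(3)
    # Assumption: "#012" is an escaped trailing newline, not part of the time.
    stamp = rec["Time"].replace("#012", "").strip()
    try:
        rec["Time"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return rec

def triage(lines):
    """Return (records whose Status is not Succeeded, count of unparseable lines)."""
    failed, unparsed = [], 0
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            unparsed += 1  # count these instead of dropping them silently
        elif rec["Status"] != "Succeeded":
            failed.append(rec)
    return failed, unparsed

# First line is the sample from this page; the other two are constructed,
# and the "Failed" status value is an assumption.
SAMPLE = ("Jan 22 17:51:01 sjc-b11-va-B NMBL: Group:group-sjc-b11-va Type:2001 "
          "Time:Thu Jan 22 17:51:01 2015#012 Id:275 Object Id:- Object:vol-10 "
          "Access Type:pam Client IP:10.20.20.248 Status:Succeeded")
LINES = [SAMPLE,
         SAMPLE.replace("Id:275", "Id:276").replace("Succeeded", "Failed"),
         "Jan 22 17:52:00 sjc-b11-va-B NMBL: truncated message"]

if __name__ == "__main__":
    failed, unparsed = triage(LINES)
    print(len(failed), "non-succeeded,", unparsed, "unparseable")
```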

Audit log messages are not sent through emails, SNMP traps, or to InfoSight in real time. However, error messages for failed operations are converted to HTTP-like errors.

Audit logs are merged during a group merge, beginning with the users. Users from the source group are remapped to new users in the destination group. After the users are merged, the audit logs are merged.

The audit log is automatically purged. When the count reaches 21,000, an alert is sent warning that a purge will occur when the count reaches 24,000. At 24,000 messages, the oldest 5,000 messages are purged (the most recent 19,000 log entries are kept).