HP StorageWorks Fabric OS 5.3.x administrator guide (5697-0244, November 2009)

56 Performing basic configuration tasks
Audit events have the following message format:
Switch names are logged for switch components and chassis names for chassis components. For example,
a chassis name might be FWDL or RAS and a switch component name might be zone, name server, or
SNMP.
Pushed messages contain the administration domain of the entity that generated the event. See the
Fabric
OS Message Reference
for details on message formats. See ”Working with diagnostic features” on
page 293 for details on setting up the system error log daemon.
Audit logging assumes that your syslog is operational and running. Before configuring an audit log, you
must perform the following steps to ensure that the host syslog is operational and running.
How to verify host syslog prior to configuring the audit log
1. Set up an external host machine with a system message log daemon running to receive the audit events
that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdipaddrAdd command to
add the IP address of the host machine so that it can receive the audit events.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see some of
the audit messages.
How to configure an audit log for specific event classes
1. Connect to the switch from which you wish to generate an audit log and log in as admin.
2. Enter the auditCfg --class command, which defines the specific event classes to be filtered.
The auditCfg event class operands are identified in Table 6
3. Enter the auditCfg --enable command, which enables audit event logging based on the classes
configured in step 2.
To disable an audit event configuration, enter the auditCfg --disable command.
4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct
event classes are being audited, and the correct filter state appears (enabled or disabled).
To verify the audit event log setup, make a change affecting an enabled event class, and confirm that
the remote host machine receives the audit event messages.
AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP
address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific
information>
switch:admin> auditcfg --class 2,4
Audit filter is configured.
switch:admin> auditcfg --enable
Audit filter is enabled.
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE