60 Fabric OS Administrator’s Guide
53-1001763-02
Audit log configuration
3

Auditable event classes

Before configuring an audit log, you must select the event classes you want audited. The audit log
includes:
SEC-3001 through SEC-3017
SEC-3024 through SEC-3029
ZONE-3001 through ZONE-3012
Table 7 identifies auditable event classes and the auditCfg command operands used to enable
auditing of a specific class.
NOTE
Only the active CP can generate audit messages because event classes being audited occur only on
the active CP. Audit messages cannot originate from other blades in an enterprise-class platform.
Audit events have the following message format:
AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>,
<User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,/<FID>,
<Reserved>,<Event-specific information>
Switch names are logged for switch components and enterprise-class platform names for
enterprise-class platform components. For example, an enterprise-class platform name may be
FWDL or RAS and a switch component name may be zone, name server, or SNMP.
Pushed messages contain the administrative domain of the entity that generated the event. Refer
to the Fabric OS Message Reference for details on message formats. For more information on
setting up the system error log daemon, refer to the Fabric OS Troubleshooting and Diagnostics
Guide.
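An added example (not from the guide): a Python parser for the audit message format above, as a syslog collector might apply it, that also flags whether the event ID falls in the ranges this page lists. The sample lines, timestamp layout and field values are constructed, and the parser assumes no commas occur before the event-specific information.

```python
import re

# Message-ID ranges this page lists as included in the audit log.
AUDITED_RANGES = {"SEC": [(3001, 3017), (3024, 3029)], "ZONE": [(3001, 3012)]}
EVENT_ID = re.compile(r"^\[([A-Z]+)-(\d+)\]$")

def parse_audit(line):
    """Split one audit message into the fields of the format shown above."""
    # Event-specific information is free text and may contain commas, so
    # split on the first nine commas only and keep the remainder intact.
    parts = [p.strip() for p in line.strip().split(",", 9)]
    if len(parts) != 10 or parts[0] != "AUDIT":
        raise ValueError("not an audit message")
    m = EVENT_ID.match(parts[2])
    if not m:
        raise ValueError("malformed event ID: %r" % parts[2])
    origin = parts[5].split("/", 3)      # user / role / IP / interface
    location = parts[6].split("/", 1)    # admin domain / switch name
    if len(origin) != 4 or len(location) != 2:
        raise ValueError("malformed origin or location field")
    module, number = m.group(1), int(m.group(2))
    return {
        "timestamp": parts[1], "event_id": parts[2][1:-1],
        "severity": parts[3], "event_class": parts[4],
        "user": origin[0], "role": origin[1], "ip": origin[2],
        "interface": origin[3], "admin_domain": location[0],
        "switch": location[1], "fid": parts[7].lstrip("/"),
        "reserved": parts[8], "info": parts[9],
        # True when the ID falls in a range the page lists as audited.
        "in_listed_range": any(lo <= number <= hi
                               for lo, hi in AUDITED_RANGES.get(module, [])),
    }

# Constructed sample lines (not captured from a real switch).
SAMPLES = [
    "AUDIT, 2010/03/02-14:05:11, [SEC-3016], INFO, SECURITY, "
    "admin/admin/192.0.2.10/ssh,AD0/switch_a,/128, ,constructed event text, with a comma",
    "AUDIT, 2010/03/02-14:09:40, [ZONE-3005], INFO, ZONE, "
    "admin/admin/192.0.2.10/telnet,AD0/switch_a,/128, ,Zone configuration has changed",
    "AUDIT, 2010/03/02-14:12:03, [SEC-3020], INFO, SECURITY, "
    "root/root/192.0.2.44/console,AD0/switch_a,/128, ,constructed out-of-range ID",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_audit(s)
        print(r["event_id"], r["user"], r["ip"], r["in_listed_range"], r["info"])
```
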

Verifying host syslog prior to configuring the audit log

Audit logging assumes that your syslog is operational and running. Before configuring an audit log,
you must perform the following steps to ensure that the host syslog is operational.
TABLE 7 AuditCfg event class operands

Operand  Event class    Description
1        Zone           Audit zone event configuration changes, but not the actual values that were
                        changed. For example, a message may state, “Zone configuration has
                        changed,” but the syslog does not display the actual values that were changed.
2        Security       Audit any user-initiated security events for all management interfaces. For
                        events that have an impact on an entire fabric, an audit is generated only for
                        the switch from which the event was initiated.
3        Configuration  Audit configuration downloads of existing SNMP configuration parameters.
                        Configuration uploads are not audited.
4        Firmware       Audit firmware download start, firmware complete, and any other errors
                        encountered during a firmware download.
5        Fabric         Audit administrative domain-related changes.