Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

Auditable events are generated by the switch and streamed to an external host through a configured
system message log daemon (syslog). You specify a filter on the output to select the event classes
that are sent through the system message log. The filtered events are streamed chronologically and
sent to the system message log on an external host in the specified audit message format. This
ensures that they can be easily distinguished from other system message log events that occur in the
network. Then, at some regular interval of your choosing, you can review the audit events to look for
unexpected changes.

Before you configure audit event logging, familiarize yourself with the following audit event log
behaviors and limitations:

• By default, all event classes are configured for audit; to create an audit event log for specific

events , you must explicitly set a filter with the class operand and then enable it.

• Audited events are generated specific to a switch and have no negative impact on performance.
• The last 256 events are persistently stored on the switch and are streamed to a system message

log.

• The audit log depends on the system message log facility and IP network to send messages from

the switch to a remote host. Because the audit event log configuration has no control over these
facilities, audit events can be lost if the system message log and IP network facilities fail.

• If too many events are generated by the switch, the system message log becomes a bottleneck and

audit events are dropped by the Fabric OS.

• If the user name, IP address, or user interface is not transported, "None" is used instead for each of

the respective fields.

• For High Availability, the audit event logs exist independently on both active and standby CPs. The

configuration changes that occur on the active CP are propagated to the standby CP and take
effect.

• Audit log configuration is also updated through a configuration download.

Before configuring an audit log, you must select the event classes you want audited.

NOTE
Only the active CP can generate audit messages because event classes being audited occur only on
the active CP. Audit messages cannot originate from other blades in a Backbone.

Switch names are logged for switch components and Backbone names for Backbone components. For
example, a Backbone name may be FWDL or RAS and a switch component name may be zone,
name server, or SNMP.

Pushed messages contain the administrative domain of the entity that generated the event. Refer to
the Fabric OS Message Reference for details on event classes and message formats. For more
information on setting up the system error log daemon, refer to the Fabric OS Troubleshooting and
Diagnostics Guide.

NOTE
If an AUDIT message is logged from the CLI, any environment variables will be initialized with proper
values for login, interface, IP and other session information. Refer to the Fabric OS Message
Reference for more information.

Verifying host syslog prior to configuring the audit log

Audit logging assumes that your syslog is operational and running. Before configuring an audit log,
you must perform the following steps to ensure that the host syslog is operational.

Verifying host syslog prior to configuring the audit log

92

Fabric OS Administrators Guide

53-1003130-01