Managing audit log reports – HP StoreAll Storage User Manual
Page 302
Monitor the space used by the audit logs and reports in the
tree, which includes current metadata and the audit log history. To reduce the space used, reduce
the number of events enabled for auditing and/or shorten the time specified in the Audit Log
Expiration Policy box.
Managing audit log reports
Audit log reports include metadata for selected file system events that occurred during a specific
time period. To generate an audit log report, click Run a Report on the Audit Log panel. Specify
the parameters for the report on the Run an Audit Log Report dialog box:
Table 33 Fields on the Audit Log Report dialog box
Description
Field
Select one of the following options:
Sort Order
•
Sort By Timestamp. Lists all events ordered by timestamp.
•
Sort By Pathname. Lists all file events ordered by file name.
•
Unsorted. Lists all events without using any sort order.
Select the desired start date for the audit logs.
Start Date
Select the desired end date for the audit logs.
End Date
Select audit logs for files within the given absolute file path. The mount point
must be omitted.
File Path
Identifies the events that are either disabled or enabled. When auditing in
first enabled, all events are disabled by default. You can manage events as
follows:
Disabled Events and Enabled Events
•
Click the double right arrow to move all events from the Disabled Events
box to the Enabled Events box.
•
Click the double left arrow to move all events from the Enabled Events
box to the Disabled Events box.
•
Select an individual event in either box and click the appropriate single
arrow (left or right) to either enable or disable it.
•
Select a category of events to move all of the events in that category to
the Enabled Events box. See
for the list of events by
category.
When generating audit log reports, consider the following guidelines:
•
Although you can select any of the events for a report, an event must be selected for auditing
to appear in the report. Use ibrix_fs -A or the Modify Audit Settings dialog box to change
the events selected for auditing.
•
Directory rename events are displayed as a file rename events in the audit log reports. For
example, if you rename directory_a to directory_b, the audit log reports display the event as
follows:
Event: FILE_RENAMED PATHNAME= directory_b
•
If the NFS clients receives the requested data from its own cache, the read operation is not
logged in the audit report.
•
Attempts to violate access permissions are not audited. For example, any attempts to read,
modify or delete a file outside of a user's permissions will fail, and the attempts will not be
logged in the audit log report.
•
If auditing is enabled and the file system segment is full, most operations will fail, returning
error code "-28 (ENOSPC)" to the application. Because events cannot be logged, the operations
are blocked. The only operations permitted in this situation are Read, Unlink, and RmDir.
These operations will complete, but no logging of these events will occur in the audit log or
302 Express Query