Auditing with the VMAX Content Pack v1.5.1

So I’ll start by noting that you may have seen some of my other blog posts on my friend and colleague’s site codyhosterman.com. Cody has moved into a new group and role at EMC and as a result he will be working on lots of different technologies, as evidenced by some of his recent posts on ScaleIO. Because of that I thought it would be less confusing if I posted items related to Symmetrix and VMware here, since my role has not changed and I’ll be updating the associated content (e.g. whitepapers and TechBooks) and posting blog updates about them. Now to the current post…

Last summer I created a VMAX Content Pack for VMware Log Insight. I blogged about it, including introducing a new version in January of this year (The VMAX Content Pack v1.5 for VMware vCenter Log Insight v1.5). Though I feel that version encompasses most of what both Unisphere and Solutions Enabler have to offer in logs, the one area missing was always the auditing logs that the Symmetrix generates. No more. I have updated the content pack to now handle auditing information.

First, if the content pack is new to you, I highly recommend reading through my previous blog posts (the most recent linked above) as I will only be covering the new information here. So auditing… In addition to using the event daemon and Unisphere logs with Log Insight, there is another area where log entries are generated: auditing. Every action made on the VMAX is recorded on the array in a special internal location. The secure audit log contains a record of configuration changes, security alarms, service operations, and security-relevant actions maintained on each Symmetrix array. Records are written to it by Solutions Enabler, software running on the Service Processor, and the Enginuity™ Operating Environment. There are two ways to present auditing information to Log Insight: the event daemon and the symaudit command. I’m briefly going to show the difference in the formats, but both methodologies are detailed in my whitepaper (Using the EMC VMAX Content Pack for VMware vCenter Log Insight).

Using the event daemon is the easier of the two ways to send audit logs to Log Insight. Although not well documented, there is another category that can be added to the daemon_options file. The category is “audit” and the entry needs to include the Symmetrix array even if the array is not being specified for the other categories (see the sid=0001987000xx,audit portion at the end):

storevntd:LOG_SYMMETRIX_EVENTS = status, groups, optimizer, events, array subsystem, checksum, diagnostic, environmental, device pool, service processor, srdf system, srdf link, srdfa session, srdf consistency group, director, device, disk, smc, spa, sid=0001987000xx,audit;\
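A quick way to confirm that a daemon_options file actually enables audit forwarding as described above. This is an added example, not part of the content pack or the whitepaper; the sample file contents are constructed, and the parser assumes a trailing backslash continues a line, ';' separates records within the option, and '#' starts a comment.

```python
import re

OPTION = "storevntd:log_symmetrix_events"

# Constructed sample entries (shortened category lists, sid taken from the post).
WITH_AUDIT = ("storevntd:LOG_SYMMETRIX_EVENTS = status, groups, events, \\\n"
              "disk, smc, spa, sid=0001987000xx,audit;\\\n")
WITHOUT_AUDIT = "storevntd:LOG_SYMMETRIX_EVENTS = status, groups, events, disk;\n"
NO_SID = "# audit added, array forgotten\nstorevntd:LOG_SYMMETRIX_EVENTS = status, events, audit;\n"

def audit_records(daemon_options_text):
    """Return (sid, categories) for each record that lists the audit category."""
    # Join backslash-continued lines into one logical line.
    joined = re.sub(r"\\[ \t]*\n", " ", daemon_options_text)
    found = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip().lower() != OPTION:
            continue
        # Assumption: ';' separates records within the option value.
        for record in value.split(";"):
            tokens = [t.strip().lower() for t in record.split(",") if t.strip()]
            sids = [t.split("=", 1)[1] for t in tokens if t.startswith("sid=")]
            cats = [t for t in tokens if not t.startswith("sid=")]
            if "audit" in cats:
                found.append((sids[0] if sids else None, cats))
    return found

def check_audit_forwarding(daemon_options_text):
    """Return 'ok' if audit is listed together with a sid, else a short reason."""
    records = audit_records(daemon_options_text)
    if not records:
        return "audit category not listed"
    if all(sid is None for sid, _ in records):
        return "audit listed without sid="
    return "ok"

if __name__ == "__main__":
    for label, text in [("with audit", WITH_AUDIT),
                        ("without audit", WITHOUT_AUDIT),
                        ("audit, no sid", NO_SID)]:
        print(label, "->", check_audit_forwarding(text))
```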

An audit record using this method will appear this way in Log Insight:

[Image: abbreviated_audit_nofield]

Using this log entry, I created user-defined fields for each of the values so that if you are using the v1.5.1 content pack the entry will look like this:

[Image: abbreviated_audit_record]

Now, the alternative to using the event daemon is to use symaudit. The drawback with this method is that third-party software is needed to forward the logs to Log Insight. I go into detail on how to do that in the paper, so let me just show you how the log entry appears:

[Image: long_audit_record_nofield]

Using this log entry, I also created user-defined fields for each of the values so that if you are using the v1.5.1 content pack the entry will look like this:

[Image: long_audit_record]

So comparing the two log entries one can see the difference in detail.  The good news is since user-defined fields exist for both types of log formats, you can use either one (or both in my case).  The final update to the content pack is an audit dashboard for these logs.  Currently there is a single dashboard for auditing information.  Unlike the base content pack and the information it displays, auditing information does not lend itself well to many different kinds of widgets (graphs).  Therefore this dashboard includes 2 widgets for event daemon audit entries and 2 widgets for symaudit entries.

[Image: audit_dashboard]

I hope the new audit information is useful for some of our customers.  Remember the content pack is free so give it a shot.  Special thanks to Steve Flanders (sflanders.net) for keeping me, well, compliant.  Links are below.

All versions of the VMAX Content Pack can be found here:

https://solutionexchange.vmware.com/store/products/emc-vmax-content-pack

Check out the white paper here:

http://www.emc.com/collateral/white-papers/h12138-emc-vmax-content-pack-vmware-loginsight-wp.pdf
