Skip to main content

View audit log activity

By viewing audit logs, users with Security Admin permissions can monitor user actions, authentication failures, invalid login attempts, and the user session lifespan.

Before you begin

  • You must be logged in with a user profile that includes Security admin permissions. Otherwise, the Access Management functions do not appear.
  1. Select Settings > Access Management .
  2. Select the Audit Log tab.

    Audit log activity appears in tabular format, which includes the following columns of information:
    • Date/Time – Timestamp of when the storage array detected the event (in GMT).
    • Username – The user name associated with the event. For any non-authenticated actions on the storage array, "N/A" appears as the user name. Non-authenticated actions might be triggered by the internal proxy or some other mechanism.
    • Status Code – HTTP status code of the operation (200, 400, etc.) and descriptive text associated with the event.
    • URL Accessed – Full URL (including host) and query string.
    • Client IP Address – IP address of the client associated with the event.
    • Source – Logging source associated with the event, which can be System Manager , CLI, Web Services, or Support Shell.
  3. Use the selections on the Audit Log page to view and manage events.

    Selection Details

    SelectionDescription
    Show events from the...Limit events shown by date range (last 24 hours, last 7 days, last 30 days, or a custom date range).
    FilterLimit events shown by the characters entered in the field. Use quotes ("") for an exact word match, enter OR to return one or more words, or enter a dash (–) to omit words.
    RefreshSelect Refresh to update the page to the most current events.
    View/Edit SettingsSelect View/Edit Settings to open a dialog box that allows you to specify a full log policy and level of actions to be logged.
    Delete eventsSelect Delete to open a dialog box that allows you to remove old events from the page.
    Show/hide columnsClick the Show/Hide column icon to select additional columns for display in the table.
    Additional columns include:
    • Method – The HTTP method (for example, POST, GET, DELETE, etc.).
    • CLI Command Executed – The CLI command (grammar) executed for Secure CLI requests.
    • CLI Return Status – A CLI status code or a request for input files from the client.
    • SYMbol Procedure – The SYMbol procedure executed.
    • SSH Event Type – Secure Shell (SSH) events type, such as login, logout, and login_fail.
    • SSH Session PID – Process ID number of the SSH session.
    • SSH Session Duration(s) – The number of seconds the user was logged in.
    Toggle column filtersClick the Toggle icon to open filtering fields for each column.

    Enter characters within a column field to limit events shown by those characters. Click the icon again to close the filtering fields.

    Undo changesClick the Undo icon to return the table to the default configuration.
    ExportClick Export to save the table data to a comma separated value (CSV) file.