symmetrix auditing.

The solutions enabler keeps track of most of the Symmetrix commands in a log file. That will tell you of most of the activity. It's in the /var/symapi/log directory (or something close depending on your specific OS) on Unix. There will be a new file for each day.
If you want to know what EMC does when they secretly dial in to your Sym, you are out of luck. If that info exists, it would be on the service processor which is hands-off to customers. They apparently don't want the customers to know when they dial in or what they are doing in there.

Hello All,

Just two cents worth (from a hardware perspective). The "symaudit" command pulls its information directly from the Host Audit Log file located on the "Symmetrix File System" volumes. The "SFS" volumes are internal storage and an integral part of every Symmetrix 8000 (at 5568) and every DMX / DMX-3 system. Quoting from the DMX-3 Product Guide (available on Powerlink):

Enginuity stores an Audit Log in the SFS. This enables improved investigation, both at the system level and customer environment level. Symmetrix Audit Log collects and presents a chronological list of host-initiated Symmetrix actions and activities.

Manual activities (for example, physically removing/replacing a component) as well as automatically initiated scripts and EMC¿s Solutions Enabler activities (for example, TimeFinder or SRDF routines), are tracked and recorded in the SFS.

This provides a means to oversee and historically recall how and when a Symmetrix device is being used. Enginuity also expands capabilities for host applications built on SymmAPI¿. Earlier, host applications were allowed to make entries to a Symmetrix write-only buffer.

Audit Log features now enable Symmetrix ISVs and other service providers to use logged information for their own reporting purposes. The built-in system security in SymmAPI does not allow host applications to change audit logs. This reduces IOSQ (I/O Supervisor Queue Time) exposure and increases system performance.

A related command (for interogating the hardware) is the "symevent" command - this pulls information directly from the "non-volatile memory" of the actual Symmetrix director boards.

Also dial-up access to any Symmetrix can be controlled. While we (here in the EMC Support Centre) prefer immediate access to address problems you always have the ability to prevent dial-in without express permission....

Best Regards,
Michael.

The symaudit and symevent will also both tell you the commands that are run against the Sym by the users. However, neither will indicate when EMC remotely dials in and neither will tell you what EMC does while they are in there. There is a severe auditing/security issue concerning this.

Hi SysMgr,

Thanks. Yes, I understand your concern. You can certainly prevent EMC access to the Service Processor but once access is granted you don't, as far as I am aware, receive any ECC alerts that we (EMC Customer Support) have dialled in to correct a problem. We do have customers that specify or limit the type & class of commands that can be issued by EMC support without express System Administrator permission. But I don't think I can address your specific concern..... I assume Shenar's original has been answered so we should move this query to a new thread for additional comment & suggestions from EMC'ers AND customers with similar concerns......

Regards,
Michael.

Message was edited by:
mlee

Actually, the orignal question is not completely answered. The commands discussed only address commands issued by the users. It does not address commands issued by EMC while they are remotely connected.

Hi,

Did this topic get moved into another thread? We also have a requirement to see dialin activity as well as host initiated. We already have it set up that EMC have to ask us to dialin, but we need to see timestamped entries in the symaudit/symevent log for what gets done and when.

symaudit will give you a timestamped detail of what your users do on the hosts. I'm pretty sure that up to (including) code 5772 you can't see what our CS does on the SP. Maybe Michael can shade some light on 5773...