
Filter Audit Log

Hey all,

I've been wondering if anyone has a way to filter out audit log information.  I've currently got the following set:

cluster1::*> security audit show
               Auditing State for              Auditing State for
               Set Requests:                   Get Requests:
               ------------------              ------------------
    CLI:       on                              off
    ONTAPI:    on                              off
    SNMP:      on                              off

and I'm forwarding it off to syslog with:

cluster log-forwarding create -destination logserver -port 514 -facility user

but I'm getting a lot of system level console messages. These also appear in /etc/mroot/log/auditlog as commands like this:

Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_711]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry

These seem to be background tasks the filer is performing.  Is there a way to NOT forward debug auditlog messages so I don't get a lot of noise in my syslog information?

Re: Filter Audit Log

Hi,

You can disable audit logging in Cluster Data ONTAP using the security audit command. Refer to https://library.netapp.com/ecmdocs/ECMP1366832/html/security/audit/modify.html

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Filter Audit Log

I'm not sure this is quite what I'm looking for.  I know I can enable / disable cli and api.  I want both ssh and api logs but what I don't want are console logs, or at least the system generated ones.

Re: Filter Audit Log

Some further reading in the 8.3 manual (https://library.netapp.com/ecm/ecm_download_file/ECMP12458569) states that "cluster log-forwarding" will send everything in the command-history.log file. That log file is not affected by "security audit modify" and it looks like you can't tune what goes in there.

You can tune what goes into mgwd.log with "security audit modify" but that isn't going to help much here.

So, it looks like, at least for now, there's no way to limit the output.
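Since the thread concludes that the cluster itself cannot filter these entries before forwarding, the remaining option is to drop them on the receiving side. The following is an added example and not code from any poster in this thread: a small Python parser for the auditlog line format quoted above that keeps administrator-driven entries and discards the debug-severity node-shell entries that arrive from a loopback address. The ssh and ONTAPI sample lines, and the noise rule itself, are assumptions built from the single line the original poster quoted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layout of one auditlog entry, following the line quoted in the thread:
#   <timestamp> [<node>:<process>:<severity>]: <user>@[<addr>_<port>]:IN:<interface>:<command>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+) "
    r"\[(?P<node>[^:\]]+):(?P<proc>[^:\]]+):(?P<sev>[^\]]+)\]: "
    r"(?P<user>[^@]+)@\[(?P<addr>[^\]_]+)_(?P<port>\d+)\]:"
    r"(?P<dir>IN|OUT):(?P<iface>[^:]+):(?P<cmd>.*)$"
)

@dataclass
class AuditRecord:
    ts: str
    node: str
    proc: str
    sev: str
    user: str
    addr: str
    iface: str
    cmd: str

def parse_line(line: str) -> Optional[AuditRecord]:
    """Parse one line; returns None for lines that are not in the auditlog format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return AuditRecord(m["ts"], m["node"], m["proc"], m["sev"],
                       m["user"], m["addr"], m["iface"], m["cmd"])

def is_system_noise(rec: AuditRecord) -> bool:
    # Assumed rule for the background entries described in the thread: debug severity,
    # issued to the node shell from a loopback address rather than from an admin host.
    return rec.sev == "debug" and rec.iface == "node shell" and rec.addr.startswith("127.")

def filter_audit(text: str) -> List[AuditRecord]:
    """Keep admin-driven entries (ssh, ONTAPI); drop the noise and any unparseable lines."""
    return [rec for rec in map(parse_line, text.splitlines())
            if rec is not None and not is_system_noise(rec)]

# Constructed sample: line 1 is the one quoted in the thread; the ssh and ontapi lines
# are made up to show what administrator-driven entries would look like.
SAMPLE_LOG = """\
Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_711]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry
Fri Feb 12 16:50:01 PST [node3:sshd_1:info]: cluster1%admin@[10.0.0.5_55212]:IN:ssh:volume show
Fri Feb 12 16:50:07 PST [node3:mgwd_1:info]: cluster1%admin@[10.0.0.6_44120]:IN:ontapi:volume-get-iter
Fri Feb 12 16:50:10 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_712]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry
"""
```

Running `filter_audit(SAMPLE_LOG)` on the constructed sample returns only the ssh and ontapi records; the same parse and rule can be applied in a syslog receiver's filter stage before the entries are stored.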