Where is the audit log for the cluster?

When I log in as diag I can see the node audit logs but not the cluster. For example, if I do node run -node xxx -command sysconfig, I see that in the log; if I do a snapmirror show command on the cluster management interface, I can't find it.

Re: Where is the audit log for the cluster?

You want to look at command-history.log for the clustershell log.

You can see that with the 'debug log' command or by viewing the file directly from mroot.

Ross

Re: Where is the audit log for the cluster?

Thanks, but I still don't see all the commands I have been using all day. I looked at others that were recent; still nothing.

Re: Where is the audit log for the cluster?

The commands get logged to the node the commands were issued to. The command history log is not cluster-wide, but is node-specific.

For example, my snapmirror command gets logged on the node I ran the command on:

parisi-cdot::*> node show local

                                              Node: parisi-cdot-01

                                             Owner:

                                          Location:

                                             Model: SIMBOX

                                     Serial Number: 4042835-97-0

                                         Asset Tag: -

                                            Uptime: 5 days 04:42

                                   NVRAM System ID: 4042835970

                                         System ID: 4042835970

                                            Vendor: NetApp

                                            Health: true

                                       Eligibility: true

                                           Epsilon: false

parisi-cdot::*> snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs

[Job 175] Job succeeded: SnapMirror: done

parisi-cdot::*> systemshell -node parisi-cdot-01

  (system node systemshell)

Data ONTAP/amd64 (parisi-cdot-01) (pts/2)

login: diag

Password:

Last login: Mon Sep  9 19:25:19 from localhost

Warning:  The system shell provides access to low-level

diagnostic tools that can cause irreparable damage to

the system if not used properly.  Use this environment

only when directed to do so by support personnel.

parisi-cdot-01% cd /mroot/etc/mlog

parisi-cdot-01% cat command-history.log* | grep snapmirror

00000005.00016ff7 00449c90 Mon Sep 09 2013 19:28:23 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Pending

00000005.00017066 00449ca9 Mon Sep 09 2013 19:28:29 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Success

Re: Where is the audit log for the cluster?

However, it does not appear that "show" commands get logged. Only commands where things were changed (same goes for vol show, aggr show, etc):

parisi-cdot::*> snapmirror show

                                                                       Progress

Source            Destination  Mirror  Relationship  Total             Last

Path        Type  Path         State   Status        Progress  Healthy Updated

----------- ---- ------------ ------- -------------- --------- ------- --------

parisi-cdot://nfs/rootvol

            LS   parisi-cdot://nfs/rootvol_LS1

                              Uninitialized

                                      Idle           -         -       -

parisi-cdot-01% cat command-history.log* | grep "snapmirror show"

parisi-cdot-01%

parisi-cdot-01% ngsh

parisi-cdot::> vol show

  (volume show)

Vserver   Volume       Aggregate    State      Type       Size  Available Used%

--------- ------------ ------------ ---------- ---- ---------- ---------- -----

nfs       ntfs         aggr1        online     RW        200MB    189.8MB    5%

nfs       rootvol      aggr1        online     RW         20MB    18.88MB    5%

nfs       rootvol_LS1  aggr2        online     LS        100MB    99.88MB    0%

nfs       unix         aggr2        online     RW        200MB    189.8MB    5%

parisi-cdot-01

          vol0         aggr0        online     RW       3.01GB     1.69GB   43%

parisi-cdot-02

          vol0         aggr0_parisi_cdot_02_0

                                    online     RW       3.01GB     1.72GB   42%

win2k3    ntfs         aggr2        online     RW        100MB    94.87MB    5%

win2k3    rootvol      aggr2        online     RW         20MB    18.88MB    5%

win2k3    unix         aggr1        online     RW        100MB    94.87MB    5%

9 entries were displayed.

parisi-cdot::> exit

Goodbye

parisi-cdot-01% cat command-history.log* | grep "vol show"

parisi-cdot-01%

Re: Where is the audit log for the cluster?

By default, "GET" requests are disabled:

parisi-cdot::*> security audit show

               Auditing State for              Auditing State for

               Set Requests:                   Get Requests:

               ------------------              ------------------

    CLI:       on                              off

    ONTAPI:    on                              off

    SNMP:      on                              off

If you want to audit for "show", enable it:

parisi-cdot::*> security audit modify -cliget on

parisi-cdot::*> security audit show

               Auditing State for              Auditing State for

               Set Requests:                   Get Requests:

               ------------------              ------------------

    CLI:       on                              on

    ONTAPI:    on                              off

    SNMP:      on                              off

However, those get logged to mgwd.log:

parisi-cdot-01% cat mgwd.log | grep "snapmirror show"

00000005.000170cc 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending

00000005.000170cf 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success

00000005.000170e4 0044ad3c Mon Sep 09 2013 19:35:33 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending

00000005.000170e7 0044ad3c Mon Sep 09 2013 19:35:33 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success

00000005.000171ca 0044b0aa Mon Sep 09 2013 19:37:00 +00:00 [kern_mgwd:info:90753] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending

00000005.000171df 0044b0aa Mon Sep 09 2013 19:37:00 +00:00 [kern_mgwd:info:90753] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success
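Because these logs are kept per node, reviewing cluster activity means collecting command-history.log and mgwd.log from every node and merging them. The following is an added example, not part of the original posts and not NetApp code: it parses the line layout shown in the excerpts above and builds one time-ordered view. The field names (`app`, `origin`, `user`) are labels chosen here, the parisi-cdot-02 line is constructed sample data, and it assumes the log files have already been copied off each node.

```python
import re
from collections import namedtuple
from datetime import datetime

# Layout of the command-history.log / mgwd.log lines quoted in the thread.
LINE_RE = re.compile(
    r"^[0-9a-f]+\.[0-9a-f]+ [0-9a-f]+ "
    r"(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"\[kern_(?P<log>[\w-]+):\w+:\d+\] (?P<rest>.+)$")
# Field names are labels chosen for this example, not ONTAP's own.
Record = namedtuple("Record", "when node log app origin user command status")

def parse_line(node, line):
    """Return a Record for one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    parts = m["rest"].split(" :: ") if m else []
    if len(parts) < 5:
        return None
    when = datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S %z")
    # The command is everything between the user field and the final status.
    return Record(when, node, m["log"], parts[0], parts[1], parts[2],
                  " :: ".join(parts[3:-1]), parts[-1])

def cluster_timeline(logs_by_node):
    """Merge per-node log lines into one list ordered by timestamp."""
    records = [r for node, lines in logs_by_node.items()
               for r in (parse_line(node, l) for l in lines) if r]
    return sorted(records, key=lambda r: r.when)

def completed(records):
    """Drop the 'Pending' half of each Pending/result pair."""
    return [r for r in records if r.status != "Pending"]

SAMPLE = {
    "parisi-cdot-01": [  # lines quoted in the thread
        "00000005.00016ff7 00449c90 Mon Sep 09 2013 19:28:23 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Pending",
        "00000005.00017066 00449ca9 Mon Sep 09 2013 19:28:29 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Success",
        "00000005.000170cc 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending",
        "00000005.000170cf 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success",
    ],
    "parisi-cdot-02": [  # constructed line, not from the thread
        "00000007.00000a10 00451000 Mon Sep 09 2013 19:30:02 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: volume modify -vserver nfs -volume unix -size 300MB :: Success",
    ],
}

if __name__ == "__main__":
    for r in completed(cluster_timeline(SAMPLE)):
        print(r.when.isoformat(), r.node, r.log, r.user, r.command, r.status)
```
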

Re: Where is the audit log for the cluster?

Thanks, this is great. Was this documented any place?

Re: Where is the audit log for the cluster?

Yep. Right in the admin guides.

https://library.netapp.com/ecm/ecm_download_file/ECMP1196798

Pages 173-174

Re: Where is the audit log for the cluster?

Thanks