Auditing login events - forward to EMS?

Hello,

I've researched this issue about every way I know how, but have not had much luck.  Anyway, we are a Splunk shop and we've got quite a bit of our NetApp (7mode and ONTAP) event traffic getting sent to Splunk.  That said, we've identified a "gap" in our ONTAP approach where we have the following events going to Splunk:

security.invalid.login (ALERT) - this captures failed attempts to login to the system with a valid user credential

sshd.auth.loginDenied (NOTICE) - this captures failed attempts to login with invalid credentials (i.e. security scans or just a fat-fingered userID)

We can issue "security audit log show" commands to see successful authentications/connections, but we can't seem to figure out a way of getting these captured in an event filter rule such that we can have all successful and unsuccessful logon attempts logged centrally.  A sort of goofy way to do this might be to issue a "cluster log-forwarding create" command and dump the command-history.log to Splunk, but that would capture a lot of garbage we just don't care about and make it harder to filter for authentication-related events.

So, has anybody figured out a clean way of sending all authentication events to an EMS - failures and success?  I'd rather not have to cron a separate process to mine the audit.log files of all the nodes/etc...

Thanks in advance!

Chris
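As an added illustration of what the two failure events above look like once they reach a central collector (this is not code from the thread, and it covers only failures, since successful logins are exactly the gap the post describes), the script below parses constructed EMS-style syslog lines, keeps just security.invalid.login and sshd.auth.loginDenied, and flags any source address that fails repeatedly. The bracketed "[node: process: event:severity]" layout, the message texts, the node name and the addresses are assumptions; check them against what your own cluster forwards.

```python
import re
from collections import Counter

# Constructed sample of ONTAP EMS events after syslog forwarding. The
# "[node: process: event:severity]: text" layout is an assumption about
# the forwarded format; compare it with what your cluster actually sends.
SAMPLE_SYSLOG = """\
<13>Mar 03 10:01:05 cl1-01 [cl1-01: sshd: sshd.auth.loginDenied:notice]: message from sshd: Failed password for invalid user admin1 from 10.0.0.55 port 51234 ssh2
<9>Mar 03 10:01:07 cl1-01 [cl1-01: mgwd: security.invalid.login:alert]: Failed login attempt for user "svcacct" from 10.0.0.55 using application ssh
<13>Mar 03 10:01:09 cl1-01 [cl1-01: sshd: sshd.auth.loginDenied:notice]: message from sshd: Failed password for invalid user root from 10.0.0.55 port 51240 ssh2
<14>Mar 03 10:02:00 cl1-01 [cl1-01: mgwd: some.other.event:info]: unrelated housekeeping message
"""

# The two EMS events named in the question, and what each one tells you.
AUTH_FAILURE_EVENTS = {
    "security.invalid.login": "bad password for a known user",
    "sshd.auth.loginDenied": "unknown user or denied at sshd",
}

EMS_RE = re.compile(
    r"\[(?P<node>[^:\]]+):\s*(?P<proc>[^:\]]+):\s*"
    r"(?P<event>[\w.]+):(?P<sev>\w+)\]:\s*(?P<text>.*)$"
)
IP_RE = re.compile(r"\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r'\buser\s+"?([\w.-]+)"?')

def parse_auth_failures(syslog_text):
    """Return one dict per forwarded line that is an authentication failure."""
    found = []
    for line in syslog_text.splitlines():
        m = EMS_RE.search(line)
        if not m or m.group("event") not in AUTH_FAILURE_EVENTS:
            continue  # not an EMS line, or not one of the two auth events
        ip = IP_RE.search(m.group("text"))
        user = USER_RE.search(m.group("text"))
        found.append({
            "event": m.group("event"),
            "reason": AUTH_FAILURE_EVENTS[m.group("event")],
            "user": user.group(1) if user else None,
            "src_ip": ip.group(1) if ip else None,
        })
    return found

def noisy_sources(failures, threshold):
    """Source IPs with at least `threshold` failures: a scan/spray signal."""
    counts = Counter(f["src_ip"] for f in failures if f["src_ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The same two regexes translate directly into Splunk field extractions, so the filtering can live in the search head instead of a script.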

Re: Auditing login events - forward to EMS?

Hi,

I have managed to successfully forward syslogs, but have not attempted audit logs.

Give the below command a shot:

event notification destination create -name eu-audit -
-email -syslog -rest-api-url
-certificate-authority -certificate-serial

let me know if you make any progress.

Regards,

Mani