Subscribe

Get-NaSystemLog -AuditLog - no Output

Hi all,

I tried to read the AuditLog from a NetApp VFiler:

In my Windows-Environment over "mmc eventvwr.msc /computer=<Servername>"i can see many entries for eg.:

Success Audit 18.97.2012 09:31:26 Security Logon/Logoff 538 Username Servername ....

Success Audit 18.97.2012 09:29:26 Security Object Access 562 Username Servername ....

  

Over "Get-Eventlog" i got the following:

    PS >Get-Eventlog -Logname "Security" -computer <Servername>

       Index Time          EntryType   Source                 InstanceID Message

       ----- ----          ---------   ------                 ---------- -------

        4388 Jul 18 09:40  SuccessA... Security                      540 The description for Event ID '540' in Source 'Security' cannot be found.  The local com

        4387 Jul 18 09:37  SuccessA... Security                      538 The description for Event ID '538' in Source 'Security' cannot be found.  The local com

Now i tried the following in PowerShell:

    PS >import-module DataONTAP

    PS >$Controller = Connect-NaController <Servername> -cred <Domain>\<User> # <Domain>\<User> is local Admin on Netapp

    PS >$Controller

    Name                 Address           Ontapi   Version

    ----                 -------           ------   -------

    <Servername>         <ServerIP>         1.14     NetApp Release 7.3.6: Thu Jul  7 01:48:12 PDT 2011 Multistore

    . . .

    . . .

    PS >Get-NaSystemLog -AuditLog -Controller $Controller

    PS >

    PS >

    PS >whoami

    <Domain>\<User>   

    PS >

    PS >

What's wrong? There is no Output for Get-NaSystemLog -AuditLog .....

I want to read out and archive all entries in Security-Folder of the eventvwr because of security responsibility...

Can anybody help?

Greetings

Matthias

Re: Get-NaSystemLog -AuditLog - no Output

Hi Matthias,

Get-NaSystemLog -AuditLog parses the auditlog from /etc/log/.  It appears you are connected to a vfiler.  As far as I know, the controller does not keep separate auditlogs for vfilers, which explains why you see no output (the /etc/log/auditlog file does not exist in the vfiler context).  If you have access to the pfiler, you can filter the results of Get-NaSystemLog -AuditLog to get entries from the vfiler you are interested in with something like this:

PS C:\> $vfiler = "donaghy"

PS C:\> Get-NaSystemLog -AuditLog | where { $_.Event -like "$($vfiler)@*" }

TimeStampDT            Source           Severity Keyword  Target               Value

-----------            ------           -------- -------  ------               -----

6/18/2012 8:37:19 AM                    debug    NEW      $/etc/registry.local options.if.ns0.broadcast:192.168.0.255

6/18/2012 8:37:19 AM                    debug    NEW      options.if.ns0.br... 192.168.0.255

7/23/2012 2:38:59 PM                    debug    AUTH     error                Login failed for user root from IP 19...

7/23/2012 2:39:05 PM                    debug    AUTH     error                Login failed for user root from IP 19...

7/23/2012 2:39:09 PM                    debug    AUTH     error                Login failed for user root from IP 19...

7/23/2012 2:39:13 PM                    debug    API      http in              <netapp version='1.0' xmlns='http://w...

7/23/2012 2:39:13 PM                    debug    API      http in              <netapp version='1.0' xmlns='http://w...

Note:  this will not display log entries for CLI commands or API calls that are tunneled to the vfiler.

Hope that helps!

-Steven

Re: Get-NaSystemLog -AuditLog - no Output

Thank you Steven, for your Reply.

Yes, you are right. I want to get the the auditlog for a VFiler.

With the PowerShell-Command Get-Eventlog -Logname "Security" -computer <VFiler> i get the Security log from my VFiler. But the format is not right.

Look here:

   Index Time          EntryType   Source                 InstanceID Message

   ----- ----          ---------   ------                 ---------- -------

    4520 Aug 13 07:50  SuccessA... Security                      540 The description for Event ID '540' in Source 'Security' cannot be found.  The local computer may not have the necessary registry information or message DLL files to
                                                                                                display the message, or you may not have permission to access them.  The following information is part of the event:
                                                                                                'MyAdminAccount', 'MyDomain', '(0x0, 0x145f)', '3', 'Data ONTAP', 'Extended Security', '-', '-', '-', '-', '-', '327936', '-', 'ServerIP', '0', '-'

    4519 Aug 13 07:50  SuccessA... Security                      538 The description for Event ID '538' in Source 'Security' cannot be found.  The local computer may not have the necessary registry information or message DLL files to
                                                                                                display the message, or you may not have permission to access them.  The following information is part of the event:
                                                                                                'MyAdminAccount', 'MyDomain', '(0x0, 0x145d)', '3'

    4518 Aug 13 07:25  SuccessA... Security                      540 The description for Event ID '540' in Source 'Security' cannot be found.  The local computer may not have the necessary registry information or message DLL files to
                                                                                                display the message, or you may not have permission to access them.  The following information is part of the event:
                                                                                                 'MyAdminAccount', 'MyDomain', '(0x0, 0x145d)', '3', 'Data ONTAP', 'Extended Security', '-', '-', '-', '-', '-', '327936', '-', 'ServerIP', '0', '-'

The Message seems not to be in the right format...

With the Eventvwr.msc connected to my VFiler i can see the right Informations:

If i try to get the Information over "Get-NaSystemLog -AuditLog" there is no Output.

The informations over the Filer as you describe are not the informations that i need...

Any ideas?

Greetings

Matthias

Re: Get-NaSystemLog -AuditLog - no Output

Unless I'm misunderstanding.. I agree with Beam.  There is no audit log on the vfiler.  All logs reside on the controller's /etc$ directory   The get-nasystemlog will query the logs in the etc$ on the filer themself.