2012-08-28 05:06 AM
I read in the sysadmin guide that the messages and auditlog are rotated weekly and maintained for 6 weeks. Is there any way to change it from 6 to something higher?
For messages we could configure syslog to send them to a loghost and keep longer retention there, but for auditlog I can’t think of a solution that doesn’t involve some scripting.
Any ideas? Maybe something on the OnCommand server that collects and maintains files for a longer period?
2012-08-28 09:06 PM
I think auditlog is rotated by size...
Scripting may be the only solution for long-term retention to avoid filling root up.
OnCommand gathering security logs sounds good, though I think it creates most of the entries in there as it monitors....
2012-08-29 01:45 AM
My understanding is Data ONTAP keeps the last 6 auditlogs. The auditlog is rotated weekly OR when the auditlog.max_file_size is reached. So adjusting the auditlog.max_file_size won't help...
I guess I'll investigate fetching the log weekly over the API or CIFS, or maybe use PowerShell. With PowerShell it looks like I could either get the formatted logs periodically using Get-NaSystemLog, or the raw log using Read-NaFile.
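An added example, not code from any poster in this thread: a scheduled pull of the rotated audit logs with Read-NaFile, stored under a content hash so that a copy fetched again after it has shifted suffix is not archived twice. It has to run at least once before a copy ages out of the six retained files, and more often than weekly if size-triggered rotation is frequent. Assumptions: the DataONTAP PowerShell Toolkit is installed, the root volume is vol0, the rotated copies are named auditlog.0 to auditlog.5, and the controller name and archive path are placeholders.

```powershell
# Added example. Assumed: DataONTAP PowerShell Toolkit, root volume vol0,
# rotated copies named auditlog.0 .. auditlog.5 under /etc/log.
param(
    [string]$Controller = 'filer01.example.com',      # placeholder controller name
    [string]$LogDir     = '/vol/vol0/etc/log',        # assumed log directory
    [string]$ArchiveDir = 'D:\ontap-auditlog',        # placeholder archive location
    [pscredential]$Credential = (Get-Credential)
)

function Get-Sha256Hex([string]$Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally { $sha.Dispose() }
}

function Save-RotatedLog([string]$Text, [string]$Dir, [string]$Prefix) {
    # The archive name is the content hash: a rotated file keeps its content
    # while its .N suffix changes, so a repeat fetch stores nothing new.
    $target = Join-Path $Dir ("{0}-{1}.log" -f $Prefix, (Get-Sha256Hex $Text))
    if (Test-Path $target) { return $false }
    Set-Content -Path $target -Value $Text -Encoding UTF8
    return $true
}

Import-Module DataONTAP
Connect-NaController -Name $Controller -Credential $Credential | Out-Null
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

foreach ($n in 0..5) {
    try {
        # -join covers both a single string and an array of lines
        $text = (Read-NaFile -Path "$LogDir/auditlog.$n" -ErrorAction Stop) -join "`n"
    } catch {
        Write-Warning "auditlog.$n not readable: $($_.Exception.Message)"
        continue
    }
    if (Save-RotatedLog -Text $text -Dir $ArchiveDir -Prefix "$Controller-auditlog") {
        Write-Output "archived auditlog.$n"
    }
}
```

Only the rotated copies are archived because the live auditlog keeps growing and would produce a new hash on every run; for an unattended schedule, pass a stored credential instead of the interactive prompt.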