topic Re: Syslog not sending Logon Alerts in ONTAP Discussions

Syslog not sending Logon Alerts

PKROETSCH — Thu, 05 Jun 2025 05:52:34 GMT

Hello,

I am required for compliance to track all user account activity. Therefore I need to track logon/logoff and login failures.

I have syslog configured on my filer but it only sends login failure messages out through syslog. Here is my syslog config.

Any help would be appreciated.

Thanks,

# $Id: //depot/prod/DOT/R8.0.3x/ontap/files/syslog.conf.sample#1 $

# Sample syslog.conf file. Copy to /etc/syslog.conf to use.

# You must use TABS for separators between fields.

# Log messages of priority info or higher to the console and to /etc/messages

*.info /dev/console

*.info /etc/messages

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to a remote host, e.g. adminhost

# *.err;kern.* @adminhost

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to the local7 facility of the

# syslogd on a remote host, e.g. adminhost.

# *.err;kern.* local7.*@adminhost

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to a remote host, e.g. adminhost,

# at priority debug.

# *.err;kern.* *.debug@adminhost

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to the local5 facility of the

# syslogd on a remote host, e.g. adminhost, at priority info.

# *.err;kern.* local5.info@adminhost

#Remote logging to LEM

#*.info local7.*@XXX.XXX.XXX.XXX

#AUTH

#*.* @xxx.XXX.XX.XX

#authpriv.* local7.*@XXX.XXX.XX.XX

#kern.info local7.*@XXX.XXX.XX.XX

*.info @xxx.XXX.XX.XX

auth.debug @xxx.XXX.XX.XX

authpriv.debug @xxx.XXX.XX.XX

kern.info @xxx.XXX.XX.XX

50 Views
Tags: none (add)

Re: Syslog not sending Logon Alerts

DAVE_WITHERS — Mon, 07 Oct 2013 13:31:12 GMT

I believe you need to have options auditlog.enable on

This will log all login attempts/commands/failures in /etc/log/auditlog.

Then I believe adding local7.* @1.2.3.4in your syslog config will get it logging to your aggregator

Syslog not sending Logon Alerts

PKROETSCH — Fri, 11 Oct 2013 16:46:50 GMT

That logs it into the auditlog but it does not send it out through syslog.

Re: Syslog not sending Logon Alerts

DAVE_WITHERS — Tue, 15 Oct 2013 17:55:53 GMT

adding the local7 option in your syslog.conf SHOULD forward the auditlog to the syslog server.

Re: Syslog not sending Logon Alerts

PKROETSCH — Tue, 15 Oct 2013 18:52:26 GMT

This is the current configuration...and It is not sending....

*.info local7.*@XXX.XXX.XX.XX

auth.debug local7.*@XXX.XXX.XX.XX

authpriv.debug local7.*@XXX.XXX.XX.XX

kern.info local7.*@XXX.XXX.XX.XX

Re: Syslog not sending Logon Alerts

JIM_SURLOW — Mon, 20 Jan 2014 22:44:43 GMT

Try, on the filer:

local7.debug @w.x.y.z

Then you should see it at the remote syslog server.

Re: Syslog not sending Logon Alerts

PKROETSCH — Mon, 27 Jan 2014 14:17:55 GMT

Thank you that worked.