Need help on finding source of "audit.log.event" events.
a week ago
For a few weeks now, our MC Eventlog gets "spammed" by these events:
notice audit.log.event Auditing error (Audit messages transmission resumed.) occurred at notice audit.log.event Auditing error (Audit messages started to drop. Reason = No buffer space available) occurred at
This "eventflood" happens several times a week and goes on for about two hours, with a total of ~2000 events during this time.
So far we've found that the process for this is "MGWD", but that's it. No further info on how to identify the source of this.
Has anyone else seen this?
Any hint would be much appreciated.
3 REPLIES 3
Can you check the
node run * ifstat -A
To see if it aligns with the following KB?
Do you have some syslog you sending audit messages to? What version of ONTAP you are running ?
Re: Need help on finding source of "audit.log.event" events.
a week ago
We're running Ontap 9.6P3 and "yes" we send the Ontap events to an elstac cluster, thats actually where we found out first about these events.
From your command, what counter would be of interest?
I believe "Transmit Queue Overflows" but need somehow to validate it's also increasing in times corresponding to the error. You can maybe dig it from ASUP emails or MyASUP site (https://mysupport.netapp.com/myautosupport/)
If you are using the e0M to send the traffic to the syslog and see that counter grow, try disable/enable the port as the article suggest, and for the long term you might need to add a node-mgmt LIF or move the existing one to more powerful port...