ONTAP Discussions

Where is the audit log for the cluster?

bbjholcomb

When I log in as diag I can see the node audit logs but not the cluster. For example, if I do node run -node xxx -command sysconfig, I see that in the log; if I do a snapmirror show command on the cluster management interface, I can't find it.


ackerman

You want to look at command-history.log for the clustershell log.

You can see that with the 'debug log' command or by viewing the file directly from mroot.

Ross

bbjholcomb

Thanks, but I still don't see all the commands I have been using all day. I looked at others that were recent; still nothing.

parisi

The commands get logged to the node the commands were issued to. Command history log is not cluster-wide, but is node specific.

For example, my snapmirror command gets logged on the node I ran the command on:

parisi-cdot::*> node show local

                                              Node: parisi-cdot-01

                                             Owner:

                                          Location:

                                             Model: SIMBOX

                                     Serial Number: 4042835-97-0

                                         Asset Tag: -

                                            Uptime: 5 days 04:42

                                   NVRAM System ID: 4042835970

                                         System ID: 4042835970

                                            Vendor: NetApp

                                            Health: true

                                       Eligibility: true

                                           Epsilon: false

parisi-cdot::*> snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs

[Job 175] Job succeeded: SnapMirror: done

parisi-cdot::*> systemshell -node parisi-cdot-01

  (system node systemshell)

Data ONTAP/amd64 (parisi-cdot-01) (pts/2)

login: diag

Password:

Last login: Mon Sep  9 19:25:19 from localhost

Warning:  The system shell provides access to low-level

diagnostic tools that can cause irreparable damage to

the system if not used properly.  Use this environment

only when directed to do so by support personnel.

parisi-cdot-01% cd /mroot/etc/mlog

parisi-cdot-01% cat command-history.log* | grep snapmirror

00000005.00016ff7 00449c90 Mon Sep 09 2013 19:28:23 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Pending

00000005.00017066 00449ca9 Mon Sep 09 2013 19:28:29 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Success

parisi

However, it does not appear that "show" commands get logged. Only commands where things were changed (same goes for vol show, aggr show, etc):

parisi-cdot::*> snapmirror show

                                                                       Progress

Source            Destination  Mirror  Relationship  Total             Last

Path        Type  Path         State   Status        Progress  Healthy Updated

----------- ---- ------------ ------- -------------- --------- ------- --------

parisi-cdot://nfs/rootvol

            LS   parisi-cdot://nfs/rootvol_LS1

                              Uninitialized

                                      Idle           -         -       -

parisi-cdot-01% cat command-history.log* | grep "snapmirror show"

parisi-cdot-01%

parisi-cdot-01% ngsh

parisi-cdot::> vol show

  (volume show)

Vserver   Volume       Aggregate    State      Type       Size  Available Used%

--------- ------------ ------------ ---------- ---- ---------- ---------- -----

nfs       ntfs         aggr1        online     RW        200MB    189.8MB    5%

nfs       rootvol      aggr1        online     RW         20MB    18.88MB    5%

nfs       rootvol_LS1  aggr2        online     LS        100MB    99.88MB    0%

nfs       unix         aggr2        online     RW        200MB    189.8MB    5%

parisi-cdot-01

          vol0         aggr0        online     RW       3.01GB     1.69GB   43%

parisi-cdot-02

          vol0         aggr0_parisi_cdot_02_0

                                    online     RW       3.01GB     1.72GB   42%

win2k3    ntfs         aggr2        online     RW        100MB    94.87MB    5%

win2k3    rootvol      aggr2        online     RW         20MB    18.88MB    5%

win2k3    unix         aggr1        online     RW        100MB    94.87MB    5%

9 entries were displayed.

parisi-cdot::> exit

Goodbye

parisi-cdot-01% cat command-history.log* | grep "vol show"

parisi-cdot-01%

parisi

By default, "GET" requests are disabled:

parisi-cdot::*> security audit show

               Auditing State for              Auditing State for

               Set Requests:                   Get Requests:

               ------------------              ------------------

    CLI:       on                              off

    ONTAPI:    on                              off

    SNMP:      on                              off

If you want to audit for "show", enable it:

parisi-cdot::*> security audit modify -cliget on

parisi-cdot::*> security audit show

               Auditing State for              Auditing State for

               Set Requests:                   Get Requests:

               ------------------              ------------------

    CLI:       on                              on

    ONTAPI:    on                              off

    SNMP:      on                              off

However, those get logged to mgwd.log:

parisi-cdot-01% cat mgwd.log | grep "snapmirror show"

00000005.000170cc 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending

00000005.000170cf 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success

00000005.000170e4 0044ad3c Mon Sep 09 2013 19:35:33 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending

00000005.000170e7 0044ad3c Mon Sep 09 2013 19:35:33 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success

00000005.000171ca 0044b0aa Mon Sep 09 2013 19:37:00 +00:00 [kern_mgwd:info:90753] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending

00000005.000171df 0044b0aa Mon Sep 09 2013 19:37:00 +00:00 [kern_mgwd:info:90753] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success
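Because these logs are kept per node, a cluster-wide view means merging every node's command-history.log and mgwd.log lines. The following is an added example, not part of the thread or NetApp code: it parses the line layout shown above and pairs each Pending entry with its final state. The parisi-cdot-02 line is constructed sample input, and collecting the files from each node is assumed to happen elsewhere.

```python
import re
from datetime import datetime

# Layout of the audit lines shown in the thread (command-history.log, mgwd.log).
LINE_RE = re.compile(
    r"^(?P<seq>\S+) \S+ (?P<ts>\w{3} \w{3} \d{2} \d{4} [\d:]{8} [+-]\d{2}:\d{2}) "
    r"\[kern_(?P<log>[\w-]+):\w+:\d+\] (?P<body>.*)$")

def parse_line(node, line):
    """Parse one audit line into a dict; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    parts = m["body"].split(" :: ") if m else []
    if len(parts) < 5:
        return None
    # Body is "app :: source :: user :: command :: state"; take the state from
    # the end so a command that itself contains " :: " stays whole.
    return {"node": node, "seq": m["seq"], "log": m["log"],
            "ts": datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S %z"),
            "app": parts[0], "source": parts[1], "user": parts[2],
            "command": " :: ".join(parts[3:-1]), "state": parts[-1]}

def cluster_timeline(per_node_lines):
    """Merge per-node lines into one time-ordered list, one row per command."""
    events = [e for node, lines in per_node_lines.items()
              for e in (parse_line(node, l) for l in lines) if e]
    events.sort(key=lambda e: (e["ts"], e["node"], e["seq"]))
    pending, rows = {}, []
    for e in events:
        key = (e["node"], e["source"], e["user"], e["command"])
        if e["state"] == "Pending":
            pending.setdefault(key, []).append(e)
        else:  # final state: close the oldest matching Pending entry, if any
            queue = pending.get(key) or [None]
            start = queue.pop(0)
            rows.append({**e, "started": start["ts"] if start else None})
    # A Pending entry with no final state is kept so it can be reviewed.
    rows += [{**e, "started": e["ts"]} for q in pending.values() for e in q]
    return sorted(rows, key=lambda r: (r["ts"], r["node"]))

SAMPLE = {
    "parisi-cdot-01": [  # lines quoted in the thread
        "00000005.00016ff7 00449c90 Mon Sep 09 2013 19:28:23 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Pending",
        "00000005.00017066 00449ca9 Mon Sep 09 2013 19:28:29 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Success",
        "00000005.000170cc 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending",
        "00000005.000170cf 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success"],
    "parisi-cdot-02": [  # constructed line, not from the thread
        "00000007.00000a10 00451000 Mon Sep 09 2013 19:30:02 +00:00 [kern_command-history:info:1010] ssh :: 192.0.2.10 :: admin :: volume offline -vserver nfs -volume unix :: Pending"],
}
```

Each row of `cluster_timeline(SAMPLE)` carries the node and the log it came from, so a review can tell set requests in command-history.log apart from get requests in mgwd.log.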

bbjholcomb

Thanks, this is great. Was this documented any place?

parisi

Yep. Right in the admin guides.

https://library.netapp.com/ecm/ecm_download_file/ECMP1196798


Pages 173-174

bbjholcomb

Thanks
