FAS and V-Series Storage Systems Discussions

Auditing login events - forward to EMS?




I've researched this issue about every way I know how, but have not had much luck.  Anyway, we are a Splunk shop and we've got quite a bit of our NetApp (7mode and ONTAP) event traffic getting sent to Splunk.  That said, we've identified a "gap" in our ONTAP approach where we have the following events going to Splunk:


security.invalid.login (ALERT) - this captures failed attempts to login to the system with a valid user credential

sshd.auth.loginDenied (NOTICE) - this captures failed attempts to login with invalid credentials (i.e. security scans or just a fat-fingered userID)


We can issue "security audit log show" commands to see successful authentications/connections, but we can't seem to figure out a way of getting these captured in an event filter rule such that we can have all successful and unsuccessful logon attempts logged centrally.  A sort of goofy way to do this might be to issue a "cluster log-forwarding create" command and dump the command-history.log to Splunk, but that would capture a lot of garbage we just don't care about and make it harder to filter for authentication-related events.


So, has anybody figured out a clean way of sending all authentication events to an EMS - failures and successes?  I'd rather not have to cron a separate process to mine the audit.log files of all the nodes/etc...


Thanks in advance!
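One interim approach for the gap described above, added here as an example and not part of the original post or any NetApp tooling: normalize the two EMS failure messages (forwarded via syslog) and the successful entries from the cluster audit log into one record shape before indexing, so failures and successes can be correlated in Splunk. The sample lines and their field layout are constructed for this example, as are the helper names.

```python
import re
from typing import Optional

# Constructed sample lines, written to resemble (a) EMS messages forwarded by
# syslog and (b) cluster audit.log entries. The exact field layout is an
# assumption for this example, not copied from a real ONTAP system.
SAMPLE_LINES = [
    "Jan 12 10:02:11 cluster1-01 [cluster1-01: mgwd: security.invalid.login:alert]: "
    "Login attempt by user 'svc_backup' via ssh from 192.0.2.5 failed",
    "Jan 12 10:02:40 cluster1-01 [cluster1-01: sshd: sshd.auth.loginDenied:notice]: "
    "Login denied for user 'root' from 198.51.100.7",
    "Mon Jan 12 10:03:05 2024 [kern_audit:info:5120] 80000001 :: cluster1-01:ssh :: "
    "192.0.2.5:50312 :: cluster1:svc_backup :: security audit log show :: Success",
    "Jan 12 10:04:00 cluster1-01 [cluster1-01: mgwd: callhome.reminder:notice]: Weekly reminder",
]

# EMS syslog line (assumed layout): "[node: process: message.name:severity]: text"
EMS_RE = re.compile(
    r"\[(?P<node>[^:\s]+): (?P<process>[^:]+): (?P<msg>[\w.]+):(?P<sev>\w+)\]: (?P<text>.*)$"
)
# Audit log line (assumed layout): "... :: node:iface :: src:port :: vserver:user :: cmd :: outcome"
AUDIT_RE = re.compile(
    r"\[kern_audit:[^\]]+\] \S+ :: (?P<node>[^:]+):(?P<iface>\S+) :: (?P<src>[\d.]+):\d+ :: "
    r"(?P<vserver>[^:]+):(?P<user>\S+) :: (?P<cmd>.*?) :: (?P<outcome>\w+)$"
)
USER_RE = re.compile(r"user '(?P<user>[^']+)'")
IP_RE = re.compile(r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# The two failure events named in the thread; every other EMS message is ignored.
FAILURE_EVENTS = {"security.invalid.login": "valid_user", "sshd.auth.loginDenied": "unknown_user"}


def normalize_line(line: str) -> Optional[dict]:
    """Map one raw log line to a common auth-event record, or None if unrelated."""
    m = EMS_RE.search(line)
    if m:
        if m["msg"] not in FAILURE_EVENTS:
            return None
        user, ip = USER_RE.search(m["text"]), IP_RE.search(m["text"])
        return {"source": "ems", "node": m["node"], "outcome": "failure", "event": m["msg"],
                "reason": FAILURE_EVENTS[m["msg"]],
                "user": user["user"] if user else None, "src": ip["ip"] if ip else None}
    m = AUDIT_RE.search(line)
    if m and m["outcome"] == "Success":
        # Every successful audited command is reported; collapsing to one record
        # per session is left to the SIEM search.
        return {"source": "audit", "node": m["node"], "outcome": "success", "user": m["user"],
                "src": m["src"], "method": m["iface"], "command": m["cmd"]}
    return None


def normalize(lines) -> list:
    """Return the auth-event records found in an iterable of raw log lines."""
    return [rec for rec in map(normalize_line, lines) if rec is not None]
```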



Re: Auditing login events - forward to EMS?





I have managed to successfully forward syslogs, but have not attempted audit logs.



Give the below command a shot:

event notification destination create -name eu-audit -
-email -syslog -rest-api-url
-certificate-authority -certificate-serial


Let me know if you make any progress.



