Re: Question about get-nasystemlog -auditlog

JGPSHNTAP · ‎2012-05-21

So, i needed to pull some information from the auditlog, so I wanted to put my powershell to work..

So, I queried something very simple...

get-nasystemlog -auditlog -starttime 5/21/2012 | ? {$_.value -like "*resize*"}

TimeStampDT	Source	Severity Keyword Target	Value
-----------	------	-------- ------- ------	-----
5/21/2012 8:09:10 AM filer	debug	IN	rsh shell	RSH INPUT COMMAND is priv set -q admin ; lun resize -f "/vol/vol1/qtlun/lun0" 500G ; result -l

But to my surprise, it didn't return any username data. I had to query the audit log directly with powershell to gather what I was looking for..

I did something like

gc auditlog | % {

(if $_ -like "*resize*" -or $_ -like "*reservation*")

Write-host $_

out-file -inputobject $_ -filepath c:\log.log -append

}

I'm just curious why i can't pull the usernames from the audit log with native cmdlets...

beam · ‎2012-05-21

I think what you are looking for is in the "EventSource" field:

Get-NaSystemLog -AuditLog -StartTime (Get-Date).AddHours(-2) | where { $_.Value -like "*resize*" } | select TimeStampDT, Severity, EventSource, Value

TimeStampDT Severity EventSource Value

----------- -------- ----------- -----

5/21/2012 4:27:55 PM debug root vol resize

-Steven

JGPSHNTAP · ‎2012-05-21

Yup beam, that's it.. damn, I shoulda dug through the properties deeper with get-member..

So.. Now, let's say I want to edit the default output of the cmdlet. Is that even advisable?

cknight · ‎2012-05-22

Now, let's say I want to edit the default output of the cmdlet. Is that even advisable?

Not sure what you mean. You can use Add-Member to add additional fields to the objects emitted by Get-NaSystemLog. Or you can change the values directly (they're just properties), but I'm not sure why you'd need to do that. You can provide a custom format for the data. Essentially, you can't change how the cmdlet works, but you can manipulate and display its output however you like.