Increasing retention of messages file and auditlog

madden · ‎2012-08-28

I read in the sysadmin guide that the messages and auditlog are rotated weekly and maintained for 6 weeks. Is there any way to change it from 6 to something higher?

For messages we could configure syslog to send them to a loghost and keep longer retention there, but for auditlog I can’t think of a solution that doesn’t involve some scripting.

Any ideas? Maybe something on the OnCommand server that collects and maintains files for a longer period?

Thanks,
Chris

mglanville2 · ‎2012-08-28

I think auditlog is rotated by size...

https://kb.netapp.com/support/index?page=content&id=1011104

Scripting may be the only solution for long term retention to avoid filling root up.

OnCommand gathering security logs sounds good, though I think it creates most of the entries in there as it monitors....

madden · ‎2012-08-29

My understanding is Data ONTAP keeps the last 6 auditlogs. The auditlog is rotated weekly OR when the auditlog.max_file_size is reached. So adjusting the auditlog.max_file_size won't help...

I guess I'll investigate fetching the log weekly over the API or CIFS, or maybe use PowerShell. With PowerShell it looks like I could either get the formatted logs periodically using Get-NaSystemLog, or the raw log using Read-NaFile.