I've been wondering if anyone has a way to filter out audit log information. I've currently got the following set:
cluster1::*> security audit show
                 Auditing State for    Auditing State for
                 Set Requests:         Get Requests:
CLI:             on                    off
ONTAPI:          on                    off
SNMP:            on                    off
and I'm forwarding it off to syslog with:
cluster log-forwarding create -destination logserver -port 514 -facility user
but I'm getting a lot of system level console messages. These also appear in /etc/mroot/log/auditlog as commands like this:
Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_711]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry
These seem to be background tasks the filer is performing. Is there a way to NOT forward debug auditlog messages so I don't get a lot of noise in my syslog information?
You can disable audit logging in Cluster Data ONTAP using the security audit command. Refer to https://library.netapp.com/ecmdocs/ECMP1366832/html/security/audit/modify.html
I'm not sure this is quite what I'm looking for. I know I can enable / disable cli and api. I want both ssh and api logs but what I don't want are console logs, or at least the system generated ones.
Some further reading in the 8.3 manual (https://library.netapp.com/ecm/ecm_download_file/ECMP12458569) states that "cluster log-forwarding" will send everything in the command-history.log file. That log file is not affected by "security audit modify" and it looks like you can't tune what goes in there.
You can tune what goes into mgwd.log with "security audit modify" but that isn't going to help much here.
So, it looks like, at least for now, there's no way to limit the output.
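Since the thread concludes that the forwarding side cannot be tuned, the remaining place to drop the rshd debug chatter is the receiving syslog host. The script below is an added example, not code from the thread or from NetApp: it parses the audit-log line shape quoted in the question (the field names are my own labels inferred from that one sample, not ONTAP's documented schema), drops lines that are both debug severity and emitted by an rshd process, and keeps everything else. The SSH, ONTAPI and non-audit sample lines are constructed to stand in for real traffic. Lines that do not parse are deliberately kept rather than dropped, so an unexpected format never silences a genuine audit event.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shape of the audit-log line quoted in the question. The group names are my own
# labels, inferred from that single sample; they are not ONTAP's documented schema.
AUDIT_LINE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+) "
    r"\[(?P<node>[^:\]]+):(?P<process>[^:\]]+):(?P<severity>[^\]]+)\]: "
    r"(?P<cluster>[^%]+)%(?P<user>[^%]+)%(?P<role>[^@]+)@\[(?P<client>[^\]]+)\]:"
    r"(?P<direction>IN|OUT):(?P<shell>[^:]*):(?P<message>.*)$"
)


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    node: str
    process: str
    severity: str
    cluster: str
    user: str
    role: str
    client: str
    direction: str
    shell: str
    message: str


def parse_audit_line(line: str) -> Optional[AuditEntry]:
    """Return an AuditEntry for a line in the quoted format, or None if it does not match."""
    m = AUDIT_LINE.match(line.strip())
    return AuditEntry(**m.groupdict()) if m else None


def is_background_noise(entry: AuditEntry,
                        noise_severities=("debug",),
                        noise_processes=("rshd",)) -> bool:
    """True for the node-internal RSH chatter the question wants to suppress:
    debug-severity lines emitted by an rshd_<n> process. Both tuples are
    assumptions chosen to match the quoted sample, not ONTAP constants."""
    proc = entry.process.split("_", 1)[0]   # "rshd_1" -> "rshd"
    return entry.severity in noise_severities and proc in noise_processes


def filter_audit_lines(lines: Iterable[str]) -> List[str]:
    """Keep every line worth retaining. Lines that do not parse are kept, not
    dropped: an audit filter should fail open so an unexpected format never
    silences a real event."""
    kept = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry is None or not is_background_noise(entry):
            kept.append(line)
    return kept


# Constructed sample input. The first line is the one quoted in the question; the
# others are made up in the same shape to stand in for an interactive SSH command,
# an ONTAPI call, and a line in some other (non-audit) format.
SAMPLE_LINES = [
    "Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_711]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry",
    "Fri Feb 12 16:50:10 PST [node3:sshd_4:info]: cluster1%admin%admin@[192.0.2.10_51234]:IN:cli:volume show",
    "Fri Feb 12 16:50:12 PST [node3:mgwd:info]: cluster1%svc_backup%readonly@[192.0.2.20_44120]:IN:ontapi:volume-get-iter",
    "Feb 12 16:50:13 node3 kernel: something that is not an audit line",
]

if __name__ == "__main__":
    # Prints the three lines that survive the filter; the rshd debug line is dropped.
    for line in filter_audit_lines(SAMPLE_LINES):
        print(line)
```

The same two-part test (severity plus originating process) can be expressed as a property-based filter in rsyslog or syslog-ng on the receiver; the point of doing it in a small parser first is that you can check the rule against captured lines before trusting it to discard anything.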