Effective December 3, NetApp adopts Microsoft’s Business-to-Customer (B2C) identity management to simplify and provide secure access to NetApp resources.
For accounts that did not pre-register (prior to Dec 3), access to your NetApp data may take up to 1 hour as your legacy NSS ID is synchronized to the new B2C identity.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

ONTAP Discussions

Filter Audit Log


Hey all,


I've been wondering if anyone has a way to filter out audit log information.  I've currently got the following set:


cluster1::*> security audit show

               Auditing State for              Auditing State for

               Set Requests:                   Get Requests:

               ------------------              ------------------

    CLI:       on                              off

    ONTAPI:    on                              off

    SNMP:      on                              off


and I'm forwarding it off to syslog with:


cluster log-forwarding create -destination logserver -port 514 -facility user


but I'm getting a lot of system level console messages.  These also appear in /etc/mroot/log/auditlog as command like this:


Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry


These seem to be background tasks the filer is performing.  Is there a way to NOT forward debug auditlog messages so I don't get a lot of noise in my syslog information?



Some further reading in the 8.3 manual (https://library.netapp.com/ecm/ecm_download_file/ECMP12458569) which states "cluster log-forwarding" will send everything in command-history.log file.  That log file is not affected by "security audit modify" and it looks like you can't tune what goes in there.


You can tune what goes into mgwd.log with "security audit modify" but that isn't going to help much here.


So, it looks like, at least for now, there's no way to limit the output.


I'm not sure this is quite what I'm looking for.  I know I can enable / disable cli and api.  I want both ssh and api logs but what I don't want are console logs, or at least the system generated ones.




You can disable audit logging in Cluster Data ONTAP using security audit command. Refer https://library.netapp.com/ecmdocs/ECMP1366832/html/security/audit/modify.html

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner