ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

Filter Audit Log

michael_england
‎2016-02-12 05:02 PM
3,999 Views

Hey all,

 

I've been wondering if anyone has a way to filter out audit log information.  I've currently got the following set:

 

cluster1::*> security audit show

               Auditing State for              Auditing State for

               Set Requests:                   Get Requests:

               ------------------              ------------------

    CLI:       on                              off

    ONTAPI:    on                              off

    SNMP:      on                              off

 

and I'm forwarding it off to syslog with:

 

cluster log-forwarding create -destination logserver -port 514 -facility user

 

but I'm getting a lot of system level console messages.  These also appear in /etc/mroot/log/auditlog as command like this:

 

Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_711]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry

 

These seem to be background tasks the filer is performing.  Is there a way to NOT forward debug auditlog messages so I don't get a lot of noise in my syslog information?

0 Kudos
View By:
Tags (3)
3 REPLIES 3

Sahana
NetApp
‎2016-02-14 09:06 PM
3,940 Views

Hi,

 

You can disable audit logging in Cluster Data ONTAP using security audit command. Refer https://library.netapp.com/ecmdocs/ECMP1366832/html/security/audit/modify.html

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
0 Kudos

michael_england
‎2016-02-15 08:30 AM
3,929 Views

I'm not sure this is quite what I'm looking for.  I know I can enable / disable cli and api.  I want both ssh and api logs but what I don't want are console logs, or at least the system generated ones.

0 Kudos

michael_england
‎2016-02-15 10:56 AM
3,922 Views

Some further reading in the 8.3 manual (https://library.netapp.com/ecm/ecm_download_file/ECMP12458569) which states "cluster log-forwarding" will send everything in command-history.log file.  That log file is not affected by "security audit modify" and it looks like you can't tune what goes in there.

 

You can tune what goes into mgwd.log with "security audit modify" but that isn't going to help much here.

 

So, it looks like, at least for now, there's no way to limit the output.

0 Kudos
All Community Forums
Public