Filter Audit Log

michael_england · ‎2016-02-12

Hey all,

I've been wondering if anyone has a way to filter out audit log information. I've currently got the following set:

cluster1::*> security audit show

Auditing State for Auditing State for

Set Requests: Get Requests:

------------------ ------------------

CLI: on off

ONTAPI: on off

SNMP: on off

and I'm forwarding it off to syslog with:

cluster log-forwarding create -destination logserver -port 514 -facility user

but I'm getting a lot of system level console messages. These also appear in /etc/mroot/log/auditlog as command like this:

Fri Feb 12 16:49:53 PST [node3:rshd_1:debug]: cluster1%root%admin@[127.0.10.1_711]:IN:node shell:RSH INPUT COMMAND is priv set -q diag ; rdfile /etc/registry

These seem to be background tasks the filer is performing. Is there a way to NOT forward debug auditlog messages so I don't get a lot of noise in my syslog information?

Sahana · ‎2016-02-14

Hi,

You can disable audit logging in Cluster Data ONTAP using security audit command. Refer https://library.netapp.com/ecmdocs/ECMP1366832/html/security/audit/modify.html

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

michael_england · ‎2016-02-15

I'm not sure this is quite what I'm looking for. I know I can enable / disable cli and api. I want both ssh and api logs but what I don't want are console logs, or at least the system generated ones.

michael_england · ‎2016-02-15

Some further reading in the 8.3 manual (https://library.netapp.com/ecm/ecm_download_file/ECMP12458569) which states "cluster log-forwarding" will send everything in command-history.log file. That log file is not affected by "security audit modify" and it looks like you can't tune what goes in there.

You can tune what goes into mgwd.log with "security audit modify" but that isn't going to help much here.

So, it looks like, at least for now, there's no way to limit the output.

Filter Audit Log

Introducing GenAI Search on NSS