ONTAP Discussions

Monitor all Ontap Logons

Diarmuid

We would like to record all logons, successful & failed, to all Cluster instances over SSH & HTTP, on a daily basis. Within ONTAP this can be achieved using security logon show with syntax similar to this:

security audit log show -fields application, location, state, input, username -input v*|st* -timestamp >"Jul 30 12:00:00 2023"

We want to use PowerShell to grab similar output from multiple controllers on a daily basis, but the ONTAP PS module does not appear to have an appropriate applet. When using this command with invoke-ncssh we encounter issues whenever we assign the -timestamp option, where an "Error: The expression is missing a value" is returned, so we cannot limit the output to a time frame. If we run the command without a timestamp option and push the content into an array, the data within cannot be interrogated correctly using GM options as the output is not familiar to PowerShell.

The end goal is to generate a report of all logon attempts daily - has anyone achieved this successfully with PowerShell or other?

Many thanks, D

2 REPLIES

AlexDawson

Have you considered setting up log forwarding instead? It is probably the better option - https://docs.netapp.com/us-en/ontap/system-admin/forward-command-history-log-file-destination-task.html

Diarmuid

I am playing about with this and it could work - however, defining the 'name pattern' for successful logons is proving elusive. Do you happen to know what this might be?
