ONTAP Discussions
How do you send the command audit log on Clustered ONTAP to a remote syslog facility?
On 7mode, we would perform this by adding the following to /etc/syslog.conf:
cmdsaudit.auditlog @<syslog server IP>
On Cmode I've added our syslog server as an event destination. I believe that I need to add an event route, but I can't seem to be able to find any event message names that pertain to the system auditlog.
This information is buried in the Clustered Data ONTAP® 8.2 System Administration Guide for Cluster Administrators which is at https://library.netapp.com/ecm/ecm_download_file/ECMP1196798
Starting on page 199 there's a section called "Setting up the Event Management System" and it has information on the "event" branch of the commands and you can, assuming the documentation is right, make a syslog server a destination for the events. You can also use email or snmp traps.
I only got ahold of the documentation recently and I don't have a test environment to play with, so I'm trying to be very cautious in implementing this. I have no idea if this is just a wrapper for a typical syslog daemon or if NetApp engineers came up with a completely different technology.
Our reps also told us about this knowledge article if you need information on getting access to the logs in the /etc directory in CDOT.
https://kb.netapp.com/support/index?page=content&id=1013814
If you are able to get syslog working I'd love to know about it.
- Phil Jessel, University of Michigan
I'm curious as well.
In your example you would run something like this... When using a specific -messagename you comma-delimit the severities instead of using <=. I did not check if cmdsaudit.auditlog is a cDOT message, but assuming it is...
cmode::> event destination create -name syslog -syslog <syslog server IP>
cmode::> event route add-destinations {-severity EMERGENCY,ALERT,CRITICAL,ERROR,WARNING,NOTICE,INFORMATIONAL -messagename cmdsaudit.auditlog} -destinations syslog
# to get all critical events and lower...
cmode::> event route add-destinations {-severity <=CRITICAL} -destinations syslog
Support is telling me that pulling out of /etc/log/auditlog can't be done. And of course /etc/log/mlog/mgwd.log is probably better, but also unavailable via syslog.
And each node keeps audit logs... I did take some notes and some great advice from support and Justin Parisi a while ago.
One note is that the default is to not log show commands (changes are logged, but not shows). To enable logging of show commands:
cmode::> security audit modify -cliset on -httpset on -cliget on -httpget on
From systemshell we viewed the logs... This doesn't help get it to syslog, but maybe someone has a method to sftp or scp the files over to syslog.
node% less /mroot/etc/mlog/command-history.log*
node% less /mroot/log/auth.log
node% egrep "console|ssh" /mroot/log/mgwd.log*
Here's a script (not mine) to grab the /mroot/etc/mlog/command-history.log* files and send the events to a syslog server:
http://www.cosonok.com/2014/08/command-history-to-syslog-for-cdot_17.html
http://www.cosonok.com/2014/08/command-history-to-syslog-for-cdot.html
It's a PowerShell script, but I expect the same methodology could be reimplemented in bash.
It requires that HTTPS access to the log files be enabled per https://kb.netapp.com/support/index?page=content&id=1013814
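For anyone who wants to reimplement that methodology without PowerShell, here is an added example in Python (it is not the cosonok script and not NetApp code). It assumes the command-history text has already been fetched from the node (for instance over the HTTPS access the KB article describes) and that each line uses the "::"-delimited layout shown in the constructed sample, which is an assumption about the file format; adjust LINE_RE to whatever your cluster actually writes. The facility (local4) is taken from the log-forwarding command later in this thread; the field names and the "ontap-audit" tag are mine.

```python
"""Forward ONTAP command-history entries to a syslog server over UDP.

Added example for this thread; it is not the cosonok PowerShell script and not
NetApp code. It assumes the log text has already been fetched (for instance
over the HTTPS access described in the KB article) and that each line uses the
'::'-delimited layout below, which is a constructed approximation of the
command-history.log format; adjust LINE_RE to match the files on your cluster.
"""
import re
import socket
from datetime import datetime

# Constructed sample lines (not real cluster output); the third line is
# deliberately malformed to show that unparsable lines are reported, not lost.
SAMPLE_LOG = """\
Thu Aug 07 10:15:22 UTC 2014 [kern_command-history:info] :: cluster1:ssh :: 192.0.2.10:51234 :: cluster1:admin :: security audit modify -cliget on :: Success
Thu Aug 07 10:16:05 UTC 2014 [kern_command-history:info] :: cluster1:console :: localhost :: cluster1:admin :: volume show :: Success
this line is malformed and is skipped by the parser
"""

# Assumed field order: timestamp [tag] :: session :: client :: user :: command :: result
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+ \d{4}) \[(?P<tag>[^\]]+)\]"
    r" :: (?P<session>\S+) :: (?P<client>\S+) :: (?P<user>\S+)"
    r" :: (?P<command>.*?) :: (?P<result>\S+)$"
)

LOCAL4 = 20     # syslog facility used in the thread's log-forwarding example
NOTICE = 5      # severity chosen here for audit records
MAX_LEN = 1024  # RFC 3164 packet limit


def parse_command_history(text):
    """Return (entries, skipped): one dict per well-formed line, plus the lines that did not parse."""
    entries, skipped = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                skipped.append(line)
            continue
        # Drop the weekday and zone tokens; the sample timestamps are UTC.
        _, mon, day, clock, _zone, year = m.group("ts").split()
        stamp = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
        fields = {k: m.group(k) for k in ("session", "client", "user", "command", "result")}
        entries.append({"timestamp": stamp, **fields})
    return entries, skipped


def sanitize(value):
    """Replace control characters so a command string cannot inject extra syslog lines."""
    return re.sub(r"[\x00-\x1f\x7f]", "?", value)


def to_syslog(entry, hostname, facility=LOCAL4, severity=NOTICE):
    """Build an RFC 3164 packet: <PRI>Mmm dd HH:MM:SS host tag: message."""
    pri = facility * 8 + severity
    ts = entry["timestamp"]
    header = f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} ontap-audit: "
    body = " ".join(
        f"{k}={sanitize(entry[k])}" for k in ("user", "client", "session", "result")
    ) + f' cmd="{sanitize(entry["command"])}"'
    return (header + body).encode("utf-8")[:MAX_LEN]


def send_udp(packets, host, port):
    """Send each packet as one UDP datagram; returns the number sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for packet in packets:
            sock.sendto(packet, (host, port))
    return len(packets)


def loopback_check(text, hostname="cluster1"):
    """Self-test: receive our own packets on a local UDP listener and return them decoded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2.0)
    port = listener.getsockname()[1]
    entries, _ = parse_command_history(text)
    send_udp([to_syslog(e, hostname) for e in entries], "127.0.0.1", port)
    received = [listener.recvfrom(MAX_LEN)[0].decode() for _ in entries]
    listener.close()
    return received


if __name__ == "__main__":
    for msg in loopback_check(SAMPLE_LOG):
        print(msg)
```

Running the file sends the sample entries to a listener on 127.0.0.1 and prints what arrives, which is the check I would do before pointing it at a real collector. Two details matter more than they look: the parser returns the lines it could not match so a format change on the cluster is noticed rather than silently producing gaps in the audit trail, and sanitize() strips control characters from the command field so a command containing a newline cannot forge a second syslog record on the collector.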
-messagename cmdsaudit.auditlog
The cmdsaudit.auditlog message name doesn't exist on my cluster... 8.2P6.
Any advice? Nothing even looks close. Would "-messagename cmds.*" work?
cmds.config.checksum
cmds.config.file
cmds.config.file.backup
cmds.config.file.delete
cmds.config.line.read
cmds.config.reg.commit1
cmds.config.reg.commit2
cmds.config.reg.commit3
cmds.config.reg.create1
cmds.config.reg.create2
cmds.config.reg.create3
cmds.config.reg.file.open
cmds.config.reg.file.update
cmds.config.reg.memLimit
cmds.config.reg.set
cmds.config.version
cmds.config.version.minor
cmds.delete.x509.key
cmds.delete.x509key.fail
cmds.fail.regxCommit5
cmds.ifconfig.all1s.netmask
cmds.ifconfig.del.autocf
cmds.ifconfig.ip.rm
cmds.ifconfig.ip.rm.memAlloc
cmds.ifconfig.reg.trans.commit
cmds.ifconfig.reg.trans.create
cmds.ifconfig.socket.create
cmds.net.TOE.offload
cmds.pktt.trace.suspend
cmds.pktt.write.info
cmds.pktt.write.issue
cmds.pktt.write.stop
cmds.pktt.write.stuck
cmds.rdate.Time.changed
cmds.route.addDefault
cmds.route.addGateway
cmds.route.invalidHost
cmds.skbuilt.overflow.check.count
cmds.software.dirErr
cmds.software.installDone
cmds.software.installNotDone
cmds.sysconf.haltERR1
cmds.sysconf.haltERR2
cmds.sysconf.inconstRule
cmds.sysconf.logErr
cmds.sysconf.logInfo
cmds.sysconf.perCheckOff
cmds.sysconf.perIntSmall
cmds.sysconf.syslogger
cmds.sysconf.validDebug
cmds.sysconf.wakeDebug
cmds.unab.create.regTransc4
cmds.unab.create.regTransc5
cmds.unable.add.certReg
cmds.unable.delete.certReg
cmds.unable.delete.regKey
cmds.unable.delete.regKey2
cmds.unable.get.valueKey
cmds.unable.read.regIpsec
cmds.unable.write.regIpsec
cmds.vf.migrate.complete
cmds.vf.migrate.info
cmds.vf.trans.migrated
cmds.vfiler.config.save
cmds.vfiler.console.switch
cmds.vfiler.dr.activate
cmds.vfiler.dr.activated
cmds.vfiler.dr.configure
cmds.vfiler.info
cmds.vfiler.ip.add
cmds.vfiler.ip.move
cmds.vfiler.ip.remove
cmds.vfiler.path.move
cmds.vfiler.proto.allow
cmds.vfiler.proto.deny
cmds.vfiler.replica
cmds.vfiler.resource.move
cmds.vfiler.storUnit.add
cmds.vfiler.storUnit.rm
cmds.ypsetWar
Should have waited to hit post... this is what I received back.
event route add-destinations {-severity EMERGENCY,ALERT,CRITICAL,ERROR,WARNING,NOTICE,INFORMATIONAL -messagename cmds.* } -destinations syslog
77 entries were acted on.
I'm open to anyone's feedback on how to improve this. I'm trying to ramp up in this area. I can share the perl script we have for grabbing the other logs and sending them to our syslog server if someone is interested. That process wasn't pretty on the LogRhythm side. (Thankfully someone else had to do that part.)
Once I hear back from the LogRhythm guy on what he's getting I'll update the thread.
@JoeF wrote: Should have waited to hit post... this is what I received back.
Hi Joe,
I am interested in your process and scripts as I am using LogRhythm as well.
We are running cDOT 8.3 and the previous issue is fixed. You can run the 2 lines below to configure syslog to an external syslog host.
event destination create -name syslogger -syslog <ip_of_syslog_host>
event route add-destinations -messagename * -destinations syslogger
Greetings,
Kris Boeckx
The latest code release seems to support it. Ran this on 8.3.2:
log-forwarding create -destination HOSTNAME -port 514 -facility local4