ONTAP Discussions
Hello, friends! In CDOT 8.3.2, is there a log that'll tell me about domain user login attempts?
I know that the event log can tell me when a user failed to log in via SSH with the ssh.auth.loginDenied event, which is great. But is there any similar event that will tell me about successful SSH attempts?
Moreover, is there a log file somewhere that can tell me "When was the last time user DOMAIN\a-kkardashian logged in," knowing that that date might have been months or years ago?
Thanks!
You can log successful SSH logins via the mgwd log.
1) In diag mode:
::> set diag
::*> logger mgwd log modify -node * -module session -level debug
2) Log in via SSH
3) Enable SPI access as per this KB: https://kb.netapp.com/support/index?page=content&id=1012580
The exact location is: http://[clus-mgmt-IP]/spi/[nodename]/etc/log/mlog/
4) View the MGWD log. You should see messages like this for successful logins:
0000002b.0001d43b 00803e62 Thu Sep 08 2016 09:57:40 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="10.62.194.166 49673 10.193.67.10 22 /dev/pts/1"
If you see messages like this, that means someone logged in to systemshell:
0000002b.0001d46d 008045a9 Thu Sep 08 2016 10:00:46 -04:00 [kern_mgwd:info:1864] 0x838f0fb00: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="root". application="console" login_from="localhost"
There is no way to see a history of these unless you had already enabled them. And these logs roll off after a period of time, so if you want to keep the logs, you'd need to offload them to a different location. Right now, that process would be manual. The only logs ONTAP can forward for you are command history logs:
https://library.netapp.com/ecmdocs/ECMLP2348035/html/GUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html
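Added example (not part of the original post, and not NetApp code): a small Python parser for the save_login_info lines shown above, which answers "when did this user last log in" from an offloaded copy of mgwd.log and flags the systemshell pattern. The first two sample lines are copied from the post; the last two are constructed, and reading the first token of login_from as the client address is an assumption.

```python
import re
from datetime import datetime

# Lines 1-2 are copied from the post; lines 3-4 are constructed for this example.
SAMPLE_LOG = '''\
0000002b.0001d43b 00803e62 Thu Sep 08 2016 09:57:40 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="10.62.194.166 49673 10.193.67.10 22 /dev/pts/1"
0000002b.0001d46d 008045a9 Thu Sep 08 2016 10:00:46 -04:00 [kern_mgwd:info:1864] 0x838f0fb00: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="root". application="console" login_from="localhost"
0000002b.0001d4a1 00804b10 Thu Sep 08 2016 10:15:02 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="192.0.2.10 50111 10.193.67.10 22 /dev/pts/2"
0000002b.0001d4a2 00804b11 Thu Sep 08 2016 10:15:03 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: some unrelated message
'''

LOGIN_RE = re.compile(
    r'(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) '
    r'.*save_login_info ENTER '
    r'username="(?P<user>[^"]*)"\. '
    r'application="(?P<app>[^"]*)" '
    r'login_from="(?P<src>[^"]*)"'
)

def parse_logins(text):
    """Return one dict per save_login_info line; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        src = m["src"].split()
        events.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S %z"),
            "user": m["user"],
            "application": m["app"],
            # Assumption: the first token of login_from is the client address.
            "source": src[0] if src else "",
            # Matches the systemshell sample in the post (console, localhost).
            "systemshell": m["app"] == "console" and m["src"] == "localhost",
        })
    return events

def last_login(events, user, application=None):
    """Most recent login time for `user`, optionally limited to one application."""
    times = [e["time"] for e in events
             if e["user"] == user and application in (None, e["application"])]
    return max(times) if times else None

if __name__ == "__main__":
    events = parse_logins(SAMPLE_LOG)
    for e in events:
        print(e["time"].isoformat(), e["user"], e["application"], e["source"], e["systemshell"])
    print("last ssh login for admin:", last_login(events, "admin", "ssh"))
```

Because the logs roll off, run this over every rotated mgwd.log.* file you have offloaded and keep the results elsewhere.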
This is good stuff, thank you.
Will modifying that mgwd parameter greatly increase the amount of space consumed by the mgwd logs? Is there any risk of operational impact from those logs taking up a great deal more space?
That would depend on how many logins you see via SSH on the cluster on a daily basis. I'd assume it's not frequent, so I wouldn't worry.
As for logs, they rotate daily or when they reach a specific size (I can't recall what that size is).
In my case, I have logs from a month ago:
% ls -lah | grep mgwd
-rw-r--r-- 2 root wheel 914k Sep 8 10:42 mgwd.log
-rw-r--r-- 1 root wheel 864k Aug 5 12:08 mgwd.log.0000000059
-rw-r--r-- 1 root wheel 923k Aug 6 12:08 mgwd.log.0000000060
-rw-r--r-- 1 root wheel 878k Aug 7 12:08 mgwd.log.0000000061
-rw-r--r-- 1 root wheel 870k Aug 8 12:07 mgwd.log.0000000062
-rw-r--r-- 1 root wheel 1.1M Aug 9 12:00 mgwd.log.0000000063
-rw-r--r-- 1 root wheel 883k Aug 10 12:01 mgwd.log.0000000064
-rw-r--r-- 1 root wheel 866k Aug 11 12:00 mgwd.log.0000000065
-rw-r--r-- 1 root wheel 863k Aug 12 12:01 mgwd.log.0000000066
-rw-r--r-- 1 root wheel 955k Aug 13 12:02 mgwd.log.0000000067
-rw-r--r-- 1 root wheel 959k Aug 14 12:02 mgwd.log.0000000068
-rw-r--r-- 1 root wheel 955k Aug 15 12:02 mgwd.log.0000000069
-rw-r--r-- 1 root wheel 958k Aug 16 12:02 mgwd.log.0000000070
-rw-r--r-- 1 root wheel 2.0M Aug 17 12:03 mgwd.log.0000000071
-rw-r--r-- 1 root wheel 1.1M Aug 18 12:03 mgwd.log.0000000072
-rw-r--r-- 1 root wheel 1.1M Aug 19 12:03 mgwd.log.0000000073
-rw-r--r-- 1 root wheel 1.0M Aug 20 12:03 mgwd.log.0000000074
-rw-r--r-- 1 root wheel 1.0M Aug 21 12:03 mgwd.log.0000000075
-rw-r--r-- 1 root wheel 1.0M Aug 22 12:03 mgwd.log.0000000076
-rw-r--r-- 1 root wheel 1.0M Aug 23 12:03 mgwd.log.0000000077
-rw-r--r-- 1 root wheel 1.0M Aug 24 12:03 mgwd.log.0000000078
-rw-r--r-- 1 root wheel 1.0M Aug 25 12:03 mgwd.log.0000000079
-rw-r--r-- 1 root wheel 1.0M Aug 26 12:03 mgwd.log.0000000080
-rw-r--r-- 1 root wheel 1.0M Aug 27 12:03 mgwd.log.0000000081
-rw-r--r-- 1 root wheel 1.0M Aug 28 12:03 mgwd.log.0000000082
-rw-r--r-- 1 root wheel 1.2M Aug 29 12:03 mgwd.log.0000000083
-rw-r--r-- 1 root wheel 1.4M Aug 30 11:56 mgwd.log.0000000084
-rw-r--r-- 1 root wheel 980k Aug 31 11:57 mgwd.log.0000000085
-rw-r--r-- 1 root wheel 968k Sep 1 11:57 mgwd.log.0000000086
-rw-r--r-- 1 root wheel 1.0M Sep 2 11:58 mgwd.log.0000000087
-rw-r--r-- 1 root wheel 938k Sep 3 11:57 mgwd.log.0000000088
-rw-r--r-- 1 root wheel 948k Sep 4 11:58 mgwd.log.0000000089
-rw-r--r-- 1 root wheel 945k Sep 5 11:58 mgwd.log.0000000090
-rw-r--r-- 1 root wheel 939k Sep 6 11:58 mgwd.log.0000000091
-rw-r--r-- 1 root wheel 940k Sep 7 11:58 mgwd.log.0000000092
-rw-r--r-- 2 root wheel 914k Sep 8 10:42 mgwd.log.0000000093
They won't take up a great deal more space, as they're size limited. Only time I'd worry is if I'm using a vsim and have only a few hundred MBs for my node root.
Thanks, parisi - appreciate your science on this one!
Hi Parisi,
Can you also log successful OnCommand System Manager logins to the mgwd log?
Hello,
Following up on this old conversation, I would like to forward SSH connection logs (login/logout) to a remote server.
In 7-mode, I managed to log the SSH key fingerprint by activating the option ssh.debug.enable.
Is there any similar way for ONTAP 9?
Thank you