ONTAP Discussions

User login log questions, CDOT 8.3.2

SMLocke
9,343 Views

Hello, friends! In CDOT 8.3.2, is there a log that'll tell me about domain user login attempts?


I know that the event log can tell me when a user failed to log in via SSH with the ssh.auth.loginDenied event, which is great. But is there any similar event that will tell me about successful SSH attempts?


Moreover, is there a log file somewhere that can tell me "When was the last time user DOMAIN\a-kkardashian logged in," knowing that that date might have been months or years ago?


Thanks!

1 ACCEPTED SOLUTION

parisi
9,306 Views

You can log successful SSH logins via the mgwd log.


1) In diag mode:


::> set diag

::*> logger mgwd log modify -node * -module session -level debug 


2) Login via SSH


3) Enable SPI access as per this KB: https://kb.netapp.com/support/index?page=content&id=1012580


The exact location is: http://[clus-mgmt-IP]/spi/[nodename]/etc/log/mlog/


4) View the MGWD log. You should see messages like this for successful logins:


0000002b.0001d43b 00803e62 Thu Sep 08 2016 09:57:40 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="10.62.194.166 49673 10.193.67.10 22 /dev/pts/1"


If you see messages like this, that means someone logged in to systemshell:


0000002b.0001d46d 008045a9 Thu Sep 08 2016 10:00:46 -04:00 [kern_mgwd:info:1864] 0x838f0fb00: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="root". application="console" login_from="localhost"


There is no way to see a history of these unless you had already enabled them. And these logs roll off after a period of time, so if you want to keep the logs, you'd need to offload them to a different location. Right now, that process would be manual. The only logs ONTAP can forward for you are command history logs:


https://library.netapp.com/ecmdocs/ECMLP2348035/html/GUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

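To turn the mgwd lines above into the answer the original question asks for ("when did DOMAIN\a-kkardashian last log in?"), here is an added example parser. It is not NetApp code and not part of this thread; it assumes only the `save_login_info ENTER` line format quoted in the accepted answer. The sample log embedded in it is constructed: the two 2016 lines are the ones from the answer, the rest are made up, and the way a domain account shows up in the `username` field is an assumption.

```python
"""Parse mgwd session-debug lines for login events (added example, not
NetApp code or code from this thread).

Assumes the `save_login_info ENTER` line format quoted in the accepted
answer. SAMPLE_LOG is constructed: the two 2016 lines are copied from the
thread, the others are made up (including how a domain account appears in
the username field, which is an assumption).
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# One successful-login record as mgwd writes it once
# `logger mgwd log modify -module session -level debug` is in effect.
LOGIN_RE = re.compile(
    r"^(?P<seq>\S+)\s+(?P<ctx>\S+)\s+"
    r"(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+"
    r"\[kern_mgwd:\w+:\d+\].*?save_login_info ENTER "
    r'username="(?P<user>[^"]*)"\.\s+application="(?P<app>[^"]*)"\s+'
    r'login_from="(?P<src>[^"]*)"'
)
TS_FORMAT = "%a %b %d %Y %H:%M:%S %z"  # %z accepts "-04:00" on Python 3.7+

# Constructed sample: lines 1 and 3 are from the thread, the rest are made up.
SAMPLE_LOG = r"""
0000002b.0001d43b 00803e62 Thu Sep 08 2016 09:57:40 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="10.62.194.166 49673 10.193.67.10 22 /dev/pts/1"
0000002b.0001d44c 00803f10 Thu Sep 08 2016 09:58:02 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:some_other_function ENTER id=17
0000002b.0001d46d 008045a9 Thu Sep 08 2016 10:00:46 -04:00 [kern_mgwd:info:1864] 0x838f0fb00: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="root". application="console" login_from="localhost"
0000002b.0001d4f0 00804a00 Fri Sep 09 2016 08:15:09 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="DOMAIN\a-kkardashian". application="ssh" login_from="10.62.194.201 51022 10.193.67.10 22 /dev/pts/2"
0000002c.00001a02 00810111 Mon Sep 12 2016 17:42:30 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="DOMAIN\a-kkardashian". application="ssh" login_from="10.62.194.201 51388 10.193.67.10 22 /dev/pts/1"
"""


def parse_login_line(line: str) -> Optional[dict]:
    """Return a login record for a save_login_info line, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    rec = {
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "user": m.group("user"),
        "application": m.group("app"),
        "login_from": m.group("src"),
        "client_ip": None,
        "systemshell": False,
    }
    # For SSH, login_from reads "client_ip client_port server_ip server_port tty";
    # the client address is the part worth keeping for a login report.
    if rec["application"] == "ssh":
        parts = rec["login_from"].split()
        rec["client_ip"] = parts[0] if parts else None
    # The thread identifies username="root" application="console"
    # login_from="localhost" as a systemshell login.
    if rec["user"] == "root" and rec["application"] == "console":
        rec["systemshell"] = True
    return rec


def parse_log(text: str) -> List[dict]:
    """All login records in a log file's text, in file order."""
    return [r for r in map(parse_login_line, text.splitlines()) if r]


def last_login_by_user(records: List[dict]) -> Dict[str, datetime]:
    """Most recent login time per user name (compared case-insensitively,
    since domain account names are case-insensitive)."""
    latest: Dict[str, datetime] = {}
    for r in records:
        key = r["user"].lower()
        if key not in latest or r["time"] > latest[key]:
            latest[key] = r["time"]
    return latest


def last_login(records: List[dict], user: str) -> Optional[datetime]:
    """Answer the thread's question: when did `user` last log in?"""
    return last_login_by_user(records).get(user.lower())


def systemshell_logins(records: List[dict]) -> List[dict]:
    """Records that indicate a systemshell login; these deserve a look."""
    return [r for r in records if r["systemshell"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, when in sorted(last_login_by_user(recs).items()):
        print(f"{user:30} last login {when.isoformat()}")
    for r in systemshell_logins(recs):
        print("systemshell login at", r["time"].isoformat(), "from", r["login_from"])
```

Feed it the current mgwd.log plus the rotated mgwd.log.NNNNNNNNNN files pulled from the SPI path above, oldest first. Because those files roll off, a scheduled run that writes the per-user table somewhere off the node is what gives you the "months or years ago" answer the question asks for.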

6 REPLIES


SMLocke
9,301 Views

This is good stuff, thank you.


Will modifying that mgwd parameter greatly increase the amount of space consumed by the mgwd logs? Is there any risk of operational impact from those logs taking up a great deal more space?

parisi
9,296 Views

That would depend on how many logins you see via SSH on the cluster on a daily basis. I'd assume it's not frequent, so I wouldn't worry.


As for the logs, they rotate daily or when they reach a specific size (I can't recall what that size is).


In my case, I have logs from a month ago:


% ls -lah | grep mgwd
-rw-r--r--   2 root  wheel   914k Sep  8 10:42 mgwd.log
-rw-r--r--   1 root  wheel   864k Aug  5 12:08 mgwd.log.0000000059
-rw-r--r--   1 root  wheel   923k Aug  6 12:08 mgwd.log.0000000060
-rw-r--r--   1 root  wheel   878k Aug  7 12:08 mgwd.log.0000000061
-rw-r--r--   1 root  wheel   870k Aug  8 12:07 mgwd.log.0000000062
-rw-r--r--   1 root  wheel   1.1M Aug  9 12:00 mgwd.log.0000000063
-rw-r--r--   1 root  wheel   883k Aug 10 12:01 mgwd.log.0000000064
-rw-r--r--   1 root  wheel   866k Aug 11 12:00 mgwd.log.0000000065
-rw-r--r--   1 root  wheel   863k Aug 12 12:01 mgwd.log.0000000066
-rw-r--r--   1 root  wheel   955k Aug 13 12:02 mgwd.log.0000000067
-rw-r--r--   1 root  wheel   959k Aug 14 12:02 mgwd.log.0000000068
-rw-r--r--   1 root  wheel   955k Aug 15 12:02 mgwd.log.0000000069
-rw-r--r--   1 root  wheel   958k Aug 16 12:02 mgwd.log.0000000070
-rw-r--r--   1 root  wheel   2.0M Aug 17 12:03 mgwd.log.0000000071
-rw-r--r--   1 root  wheel   1.1M Aug 18 12:03 mgwd.log.0000000072
-rw-r--r--   1 root  wheel   1.1M Aug 19 12:03 mgwd.log.0000000073
-rw-r--r--   1 root  wheel   1.0M Aug 20 12:03 mgwd.log.0000000074
-rw-r--r--   1 root  wheel   1.0M Aug 21 12:03 mgwd.log.0000000075
-rw-r--r--   1 root  wheel   1.0M Aug 22 12:03 mgwd.log.0000000076
-rw-r--r--   1 root  wheel   1.0M Aug 23 12:03 mgwd.log.0000000077
-rw-r--r--   1 root  wheel   1.0M Aug 24 12:03 mgwd.log.0000000078
-rw-r--r--   1 root  wheel   1.0M Aug 25 12:03 mgwd.log.0000000079
-rw-r--r--   1 root  wheel   1.0M Aug 26 12:03 mgwd.log.0000000080
-rw-r--r--   1 root  wheel   1.0M Aug 27 12:03 mgwd.log.0000000081
-rw-r--r--   1 root  wheel   1.0M Aug 28 12:03 mgwd.log.0000000082
-rw-r--r--   1 root  wheel   1.2M Aug 29 12:03 mgwd.log.0000000083
-rw-r--r--   1 root  wheel   1.4M Aug 30 11:56 mgwd.log.0000000084
-rw-r--r--   1 root  wheel   980k Aug 31 11:57 mgwd.log.0000000085
-rw-r--r--   1 root  wheel   968k Sep  1 11:57 mgwd.log.0000000086
-rw-r--r--   1 root  wheel   1.0M Sep  2 11:58 mgwd.log.0000000087
-rw-r--r--   1 root  wheel   938k Sep  3 11:57 mgwd.log.0000000088
-rw-r--r--   1 root  wheel   948k Sep  4 11:58 mgwd.log.0000000089
-rw-r--r--   1 root  wheel   945k Sep  5 11:58 mgwd.log.0000000090
-rw-r--r--   1 root  wheel   939k Sep  6 11:58 mgwd.log.0000000091
-rw-r--r--   1 root  wheel   940k Sep  7 11:58 mgwd.log.0000000092
-rw-r--r--   2 root  wheel   914k Sep  8 10:42 mgwd.log.0000000093


They won't take up a great deal more space, as they're size limited. The only time I'd worry is if I'm using a vsim and have only a few hundred MBs for my node root.

SMLocke
9,265 Views

Thanks, parisi - appreciate your science on this one!

mgmt-gateway
9,076 Views

Hi Parisi,


Can you also log successful OnCommand System Manager logins to the mgwd log?

LORENZO_CONTI
6,435 Views

Hello,

Following up on this old conversation, I would like to forward the SSH connection log (login/logout) to a remote server.

In 7-Mode, I managed to log the SSH key fingerprint by activating the option ssh.debug.enable.

Is there any similar way for ONTAP 9?

Thank you
