Solved: User login log questions, CDOT 8.3.2

SMLocke · ‎2016-09-07

Hello, friends! In CDOT 8.3.2, is there a log that'll tell me about domain user login attempts?

I know that the event log can tell me when a user failed to log in via SSH with the ssh.auth.loginDenied event, which is great. But is there any similar event that will tell me about successful SSH attempts?

Moreover, is there a log file somewhere that can tell me "When was the last time user DOMAIN\a-kkardashian logged in," knowing that that date might have been months or years ago?

Thanks!

parisi · ‎2016-09-08

You can log successful SSH logins via the mgwd log.

1) In diag mode:

::> set diag

::*> logger mgwd log modify -node * -module session -level debug

2) Login via SSH

3) Enable SPI access as per this KB: https://kb.netapp.com/support/index?page=content&id=1012580

The exact location is: http://[clus-mgmt-IP]/spi/[nodename]/etc/log/mlog/

4) View the MGWD log. You should see messages like this for successful logins:

0000002b.0001d43b 00803e62 Thu Sep 08 2016 09:57:40 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="10.62.194.166 49673 10.193.67.10 22 /dev/pts/1"

If you see messages like this, that means someone logged in to systemshell:

0000002b.0001d46d 008045a9 Thu Sep 08 2016 10:00:46 -04:00 [kern_mgwd:info:1864] 0x838f0fb00: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="root". application="console" login_from="localhost"

There is no way to see a history of these unless you had already enabled them. And these logs roll off after a period of time, so if you want to keep the logs, you'd need to offload them to a different location. Right now, that process would be manual. The only logs ONTAP can forward for you are command history logs:

https://library.netapp.com/ecmdocs/ECMLP2348035/html/GUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

View solution in original post

parisi · ‎2016-09-08

You can log successful SSH logins via the mgwd log.

1) In diag mode:

::> set diag

::*> logger mgwd log modify -node * -module session -level debug

2) Login via SSH

3) Enable SPI access as per this KB: https://kb.netapp.com/support/index?page=content&id=1012580

The exact location is: http://[clus-mgmt-IP]/spi/[nodename]/etc/log/mlog/

4) View the MGWD log. You should see messages like this for successful logins:

0000002b.0001d43b 00803e62 Thu Sep 08 2016 09:57:40 -04:00 [kern_mgwd:info:1864] 0x838ec5800: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="admin". application="ssh" login_from="10.62.194.166 49673 10.193.67.10 22 /dev/pts/1"

If you see messages like this, that means someone logged in to systemshell:

0000002b.0001d46d 008045a9 Thu Sep 08 2016 10:00:46 -04:00 [kern_mgwd:info:1864] 0x838f0fb00: 0: DEBUG: session: src/glue/session.cc:save_login_info ENTER username="root". application="console" login_from="localhost"

There is no way to see a history of these unless you had already enabled them. And these logs roll off after a period of time, so if you want to keep the logs, you'd need to offload them to a different location. Right now, that process would be manual. The only logs ONTAP can forward for you are command history logs:

https://library.netapp.com/ecmdocs/ECMLP2348035/html/GUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

SMLocke · ‎2016-09-08

This is good stuff, thank you.

Will modifying that mgwd parameter greatly increase the amount of space consumed by the mgwd logs? Is there any risk of operational impact from those logs taking up a great deal more space?

parisi · ‎2016-09-08

That would depend on how many logins you see via SSH on the cluster on a daily basis. I'd assume it's not frequent, so I wouldn't worry.

As for logs, the rotate daily or when they reach a specific size (I can't recall what that size is).

In my case, I have logs from a month ago:

% ls -lah | grep mgwd
-rw-r--r--   2 root wheel   914k Sep 8 10:42 mgwd.log
-rw-r--r--   1 root wheel   864k Aug 5 12:08 mgwd.log.0000000059
-rw-r--r--   1 root wheel   923k Aug 6 12:08 mgwd.log.0000000060
-rw-r--r--   1 root wheel   878k Aug 7 12:08 mgwd.log.0000000061
-rw-r--r--   1 root wheel   870k Aug 8 12:07 mgwd.log.0000000062
-rw-r--r--   1 root wheel   1.1M Aug 9 12:00 mgwd.log.0000000063
-rw-r--r--   1 root wheel   883k Aug 10 12:01 mgwd.log.0000000064
-rw-r--r--   1 root wheel   866k Aug 11 12:00 mgwd.log.0000000065
-rw-r--r--   1 root wheel   863k Aug 12 12:01 mgwd.log.0000000066
-rw-r--r--   1 root wheel   955k Aug 13 12:02 mgwd.log.0000000067
-rw-r--r--   1 root wheel   959k Aug 14 12:02 mgwd.log.0000000068
-rw-r--r--   1 root wheel   955k Aug 15 12:02 mgwd.log.0000000069
-rw-r--r--   1 root wheel   958k Aug 16 12:02 mgwd.log.0000000070
-rw-r--r--   1 root wheel   2.0M Aug 17 12:03 mgwd.log.0000000071
-rw-r--r--   1 root wheel   1.1M Aug 18 12:03 mgwd.log.0000000072
-rw-r--r--   1 root wheel   1.1M Aug 19 12:03 mgwd.log.0000000073
-rw-r--r--   1 root wheel   1.0M Aug 20 12:03 mgwd.log.0000000074
-rw-r--r--   1 root wheel   1.0M Aug 21 12:03 mgwd.log.0000000075
-rw-r--r--   1 root wheel   1.0M Aug 22 12:03 mgwd.log.0000000076
-rw-r--r--   1 root wheel   1.0M Aug 23 12:03 mgwd.log.0000000077
-rw-r--r--   1 root wheel   1.0M Aug 24 12:03 mgwd.log.0000000078
-rw-r--r--   1 root wheel   1.0M Aug 25 12:03 mgwd.log.0000000079
-rw-r--r--   1 root wheel   1.0M Aug 26 12:03 mgwd.log.0000000080
-rw-r--r--   1 root wheel   1.0M Aug 27 12:03 mgwd.log.0000000081
-rw-r--r--   1 root wheel   1.0M Aug 28 12:03 mgwd.log.0000000082
-rw-r--r--   1 root wheel   1.2M Aug 29 12:03 mgwd.log.0000000083
-rw-r--r--   1 root wheel   1.4M Aug 30 11:56 mgwd.log.0000000084
-rw-r--r--   1 root wheel   980k Aug 31 11:57 mgwd.log.0000000085
-rw-r--r--   1 root wheel   968k Sep 1 11:57 mgwd.log.0000000086
-rw-r--r--   1 root wheel   1.0M Sep 2 11:58 mgwd.log.0000000087
-rw-r--r--   1 root wheel   938k Sep 3 11:57 mgwd.log.0000000088
-rw-r--r--   1 root wheel   948k Sep 4 11:58 mgwd.log.0000000089
-rw-r--r--   1 root wheel   945k Sep 5 11:58 mgwd.log.0000000090
-rw-r--r--   1 root wheel   939k Sep 6 11:58 mgwd.log.0000000091
-rw-r--r--   1 root wheel   940k Sep 7 11:58 mgwd.log.0000000092
-rw-r--r--   2 root wheel   914k Sep 8 10:42 mgwd.log.0000000093

They won't take up a great deal more space, as they're size limited. Only time I'd worry is if I'm using a vsim and have only a few hundred MBs for my node root.

SMLocke · ‎2016-09-08

Thanks, parisi - appreciate your science on this one!

mgmt-gateway · ‎2016-12-22

Hi Parisi,

Can you also log successful OnCommand System Manager logins to mgwd log ?

LORENZO_CONTI · ‎2019-07-18

Hello,

follow up this old conversation, I would like to forward ssh connection log (login/logout) to a remote server.

In 7-mode, I managed to log ssh key fingerprint by activating option ssh.debug.enable.

Is there any similar way for Ontap 9?

Thank you