
Auditing login events - forward to EMS?

colsen

Hello,

I've researched this issue about every way I know how, but have not had much luck. Anyway, we are a Splunk shop and we've got quite a bit of our NetApp (7mode and ONTAP) event traffic getting sent to Splunk. That said, we've identified a "gap" in our ONTAP approach where we have the following events going to Splunk:

security.invalid.login (ALERT) - this captures failed attempts to login to the system with a valid user credential

sshd.auth.loginDenied (NOTICE) - this captures failed attempts to login with invalid credentials (i.e. security scans or just a fat-fingered userID)

We can issue "security audit log show" commands to see successful authentications/connections, but we can't seem to figure out a way of getting these captured in an event filter rule such that we can have all successful and unsuccessful logon attempts logged centrally. A sort of goofy way to do this might be to issue a "cluster log-forwarding create" command and dump the command-history.log to Splunk, but that would capture a lot of garbage we just don't care about and make it harder to filter for authentication-related events.

So, has anybody figured out a clean way of sending all authentication events to an EMS - failures and successes? I'd rather not have to cron a separate process to mine the audit.log files of all the nodes/etc...

Thanks in advance!

Chris


manistorage

Hi,

I have managed to successfully forward syslogs, but haven't attempted audit logs.

Give the below command a shot:

event notification destination create -name eu-audit -email -syslog -rest-api-url -certificate-authority -certificate-serial

Let me know if you make any progress.

Regards,

Mani

liu

1. Create a syslog destination server in ONTAP.

2. Create an event filter which identifies the list of EMS events you wish to have forwarded to your destination server of choice.

3. Create an event notification to forward the selected event filter to the syslog server:

Event forwarding to a Syslog server - NetApp Knowledge Base
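As an added example (not code from this thread or from NetApp), here is a small Python classifier for the two EMS failure events the question names, run over constructed EMS-over-syslog lines such as the forwarding steps above would deliver to Splunk; the bracketed `[node: process: message-name:severity]` header layout, the message texts and the sample hosts are assumptions. Successful logins are deliberately not covered, because, as the thread says, they only appear in the audit log, not in EMS.

```python
import re
from collections import Counter

# EMS messages named in the thread and what each failure means.
LOGIN_FAILURE_EVENTS = {
    "security.invalid.login": "valid user, bad credential",
    "sshd.auth.loginDenied": "unknown user or scanner noise",
}

# Assumed EMS-over-syslog layout: "[node: process: message-name:severity]: text".
EMS_RE = re.compile(
    r"\[(?P<node>[^:\]]+): (?P<proc>[^:\]]+): "
    r"(?P<msg>[\w.]+):(?P<sev>\w+)\]: (?P<text>.*)$"
)
USER_RE = re.compile(r"\buser '?(\w+)'?")

# CONSTRUCTED sample lines for this example; check against real forwarded output.
SAMPLE_SYSLOG = """\
<13>Mar  3 10:01:02 cl1-01 [cl1-01: mgwd: security.invalid.login:alert]: Login attempt by user 'admin' using application 'ssh' failed.
<13>Mar  3 10:01:09 cl1-01 [cl1-01: sshd: sshd.auth.loginDenied:notice]: Invalid user backup from 10.0.0.50 port 51234
<13>Mar  3 10:02:15 cl1-02 [cl1-02: mgwd: wafl.vol.full:notice]: Volume vol1 is full.
<13>Mar  3 10:03:44 cl1-01 [cl1-01: mgwd: security.invalid.login:alert]: Login attempt by user 'admin' using application 'ssh' failed.
"""

def parse_ems_line(line):
    """Return the EMS header fields of one syslog line, or None if it is not EMS."""
    m = EMS_RE.search(line)
    return m.groupdict() if m else None

def login_failures(text):
    """Keep only login-failure EMS events and pull out the user each one names."""
    found = []
    for line in text.splitlines():
        ev = parse_ems_line(line)
        if not ev or ev["msg"] not in LOGIN_FAILURE_EVENTS:
            continue  # not a login event (e.g. wafl.vol.full): ignore
        u = USER_RE.search(ev["text"])
        found.append({
            "node": ev["node"], "event": ev["msg"],
            "reason": LOGIN_FAILURE_EVENTS[ev["msg"]],
            "user": u.group(1) if u else None,
        })
    return found

def repeated_failures(text, threshold=2):
    """Users with at least `threshold` failures: the condition a SIEM alert would key on."""
    counts = Counter(f["user"] for f in login_failures(text) if f["user"])
    return {u: n for u, n in counts.items() if n >= threshold}
```

The non-login `wafl.vol.full` line is there to show the filter dropping unrelated EMS traffic, which is the noise the question wanted to avoid with a raw command-history forward.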
