Auditing login events - forward to EMS?

colsen · ‎2017-04-25

Hello,

I've researched this issue about every way I know how, but have not had much luck. Anyway, we are a Splunk shop and we've got quite a bit of our NetApp (7mode and ONTAP) event traffic getting sent to Splunk. That said, we've identified a "gap" in our ONTAP approach where we have the following events going to Splunk:

security.invalid.login (ALERT) - this captures failed attempts to login to the system with a valid user credential

sshd.auth.loginDenied (NOTICE) - this captures failed attempts to login with invalid credentials (i.e. security scans or just a fat-fingered userID)

We can issue "security audit log show" commands to see successful authentications/connections, but we can't seem to figure out a way of getting these captured in an event filter rule such that we can have all successful and unsuccessful logon attempts logged centrally. A sort of goofy way to do this might be to issue a "cluster log-forwarding create" command and dump the command-history.log to Splunk, but that would capture a lot of garbage we just don't care about and make it harder to filter for authentication-related events.

So, has anybody figured out a clean way of sending all authentication events to an EMS - failures and success? I'd rather not have to cron a separate process to mine the audit.log files of all the nodes/etc...

Thanks in advance!

Chris

manistorage · ‎2017-06-23

HI,

i have manged to successfully forward syslogs, but haven not attempted audit logs.

give teh below command a shot

event notification destination create -name eu-audit -
-email -syslog -rest-api-url
-certificate-authority -certificate-serial

let me know if you make any progress.

regards,

Mani