Auditing login events - forward to EMS?

colsen

Hello,

I've researched this issue about every way I know how, but have not had much luck.  Anyway, we are a Splunk shop and we've got quite a bit of our NetApp (7mode and ONTAP) event traffic getting sent to Splunk.  That said, we've identified a "gap" in our ONTAP approach where we have the following events going to Splunk:

security.invalid.login (ALERT) - this captures failed attempts to login to the system with a valid user credential

sshd.auth.loginDenied (NOTICE) - this captures failed attempts to login with invalid credentials (i.e. security scans or just a fat-fingered userID)

We can issue "security audit log show" commands to see successful authentications/connections, but we can't seem to figure out a way of getting these captured in an event filter rule such that we can have all successful and unsuccessful logon attempts logged centrally.  A sort of goofy way to do this might be to issue a "cluster log-forwarding create" command and dump the command-history.log to Splunk, but that would capture a lot of garbage we just don't care about and make it harder to filter for authentication-related events.

So, has anybody figured out a clean way of sending all authentication events to an EMS - failures and success?  I'd rather not have to cron a separate process to mine the audit.log files of all the nodes/etc...

Thanks in advance!

Chris
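One way to close the gap described above on the Splunk side is to normalize whatever does arrive (the two EMS messages named in the post when they are syslog-forwarded, plus entries in the style of "security audit log show") into a single login-event record before indexing. The script below is an added example, not code from the original thread or from NetApp; the sample lines are constructed, and the exact field layout of real ONTAP EMS syslog output and audit-log entries is an assumption, so the regular expressions will need adjusting to the format your ONTAP version emits.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input. The two EMS message names come from the thread; the
# surrounding syslog framing and the "::"-delimited audit-log style are assumed.
SAMPLE_LINES = [
    "Mar 12 10:01:02 cluster1-01 [cluster1-01: sshd: security.invalid.login:alert]: "
    "Failed login for user 'admin' from 10.0.0.5 (ssh)",
    "Mar 12 10:01:30 cluster1-01 [cluster1-01: sshd: sshd.auth.loginDenied:notice]: "
    "message: Failed none for invalid user 'scanner' from 10.0.0.9 port 51234 ssh2",
    "Mar 12 10:02:15 cluster1-01 :: ssh :: 10.0.0.5 :: admin :: login :: Success",
    "Mar 12 10:02:40 cluster1-02 :: ssh :: 10.0.0.9 :: admin :: login :: Failure",
    "Mar 12 10:03:00 cluster1-01 [cluster1-01: mgwd: volume.create.done:notice]: "
    "Volume vol1 created",
]

# EMS message names the thread identifies as failed-login signals.
EMS_LOGIN_MESSAGES = {
    "security.invalid.login": "failure",
    "sshd.auth.loginDenied": "failure",
}

# Assumed syslog framing for a forwarded EMS event: "<ts> <node> [<node>: <proc>: <msg>:<sev>]: <text>".
EMS_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:]+) (?P<node>\S+) \[[^:]+: (?P<proc>[^:]+): "
    r"(?P<msg>[\w.]+):(?P<sev>\w+)\]: (?P<text>.*)$"
)
USER_RE = re.compile(r"user '(?P<user>[^']+)'")
SRC_RE = re.compile(r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")
# Assumed audit-log style: "<ts> <node> :: <proto> :: <src> :: <user> :: <action> :: <status>".
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:]+) (?P<node>\S+) :: (?P<proto>\w+) :: (?P<src>[\d.]+) :: "
    r"(?P<user>\S+) :: (?P<action>[^:]+) :: (?P<status>\w+)$"
)


@dataclass(frozen=True)
class LoginEvent:
    node: str
    user: Optional[str]
    source: Optional[str]
    outcome: str  # "success" or "failure"
    reason: str   # EMS message name or audit status that produced the record


def parse_line(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for authentication-related lines, None for everything else."""
    m = EMS_RE.match(line)
    if m:
        outcome = EMS_LOGIN_MESSAGES.get(m.group("msg"))
        if outcome is None:
            return None  # some other EMS event; not a login record
        text = m.group("text")
        um, sm = USER_RE.search(text), SRC_RE.search(text)
        return LoginEvent(
            node=m.group("node"),
            user=um.group("user") if um else None,
            source=sm.group("src") if sm else None,
            outcome=outcome,
            reason=m.group("msg"),
        )
    m = AUDIT_RE.match(line)
    if m and m.group("action").strip().lower() == "login":
        status = m.group("status").lower()
        return LoginEvent(
            node=m.group("node"),
            user=m.group("user"),
            source=m.group("src"),
            outcome="success" if status == "success" else "failure",
            reason=f"audit:{status}",
        )
    return None


def extract_login_events(lines: Iterable[str]) -> List[LoginEvent]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


def to_splunk_kv(ev: LoginEvent) -> str:
    """Render one event as a key=value line that Splunk's automatic field extraction picks up."""
    return (f"node={ev.node} user={ev.user or '-'} src={ev.source or '-'} "
            f"outcome={ev.outcome} reason={ev.reason}")


def failures_by_source(events: Iterable[LoginEvent]) -> Dict[str, int]:
    """Count failed logins per source address, a natural input for an alerting threshold."""
    return dict(Counter(ev.source for ev in events if ev.outcome == "failure" and ev.source))


if __name__ == "__main__":
    for ev in extract_login_events(SAMPLE_LINES):
        print(to_splunk_kv(ev))
    print(failures_by_source(extract_login_events(SAMPLE_LINES)))
```

Because both the EMS path and the audit-log path end up in the same LoginEvent shape, a single Splunk search over outcome and src covers successful and failed logons regardless of which feed delivered them, which is the central view the post is after.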

manistorage

Hi,

I have managed to successfully forward syslogs, but have not attempted audit logs.

Give the below command a shot:

event notification destination create -name eu-audit -email -syslog -rest-api-url -certificate-authority -certificate-serial

Let me know if you make any progress.

Regards,

Mani
