I've researched this issue about every way I know how, but have not had much luck. Anyway, we are a Splunk shop and we've got quite a bit of our NetApp (7mode and ONTAP) event traffic getting sent to Splunk. That said, we've identified a "gap" in our ONTAP approach where we have the following events going to Splunk:
security.invalid.login (ALERT) - this captures failed attempts to login to the system with a valid user credential
sshd.auth.loginDenied (NOTICE) - this captures failed attempts to login with invalid credentials (i.e. security scans or just a fat-fingered userID)
We can issue "security audit log show" commands to see successful authentications/connections, but we can't seem to figure out a way of getting these captured in an event filter rule such that we can have all successful and unsuccessful logon attempts logged centrally. A sort of goofy way to do this might be to issue a "cluster log-forwarding create" command and dump the command-history.log to Splunk, but that would capture a lot of garbage we just don't care about and make it harder to filter for authentication-related events.
So, has anybody figured out a clean way of sending all authentication events to an EMS - failures and success? I'd rather not have to cron a separate process to mine the audit.log files of all the nodes/etc...