8 Replies. Latest reply: Sep 12, 2013 10:53 AM by bbjholcomb

Where is the audit log for the cluster?

bbjholcomb Cyclist

When I log in as diag I can see the node audit logs but not the cluster's. For example, if I do node run -node xxx -command sysconfig, I see that in the log; if I do a snapmirror show command on the cluster management interface, I can't find it.

  • Re: Where is the audit log for the cluster?
    ackerman NetApp Employee Novice

    You want to look at command-history.log for the clustershell log.

    You can see that with the 'debug log' command or by viewing the file directly from mroot.

    Ross

    • Re: Where is the audit log for the cluster?
      bbjholcomb Cyclist

      Thanks, but I still don't see all the commands I have been using all day. I looked at others that were recent; still nothing.

      • Re: Where is the audit log for the cluster?
        parisi NetApp Employee Cyclist

        The commands get logged to the node the commands were issued to. Command history log is not cluster-wide, but is node specific.

        For example, my snapmirror command gets logged on the node I ran the command on:

        parisi-cdot::*> node show local

                                                      Node: parisi-cdot-01
                                                     Owner:
                                                  Location:
                                                     Model: SIMBOX
                                             Serial Number: 4042835-97-0
                                                 Asset Tag: -
                                                    Uptime: 5 days 04:42
                                           NVRAM System ID: 4042835970
                                                 System ID: 4042835970
                                                    Vendor: NetApp
                                                    Health: true
                                               Eligibility: true
                                                   Epsilon: false

        parisi-cdot::*> snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs
        [Job 175] Job succeeded: SnapMirror: done

        parisi-cdot::*> systemshell -node parisi-cdot-01
          (system node systemshell)

        Data ONTAP/amd64 (parisi-cdot-01) (pts/2)

        login: diag
        Password:
        Last login: Mon Sep  9 19:25:19 from localhost

        Warning:  The system shell provides access to low-level
        diagnostic tools that can cause irreparable damage to
        the system if not used properly.  Use this environment
        only when directed to do so by support personnel.

        parisi-cdot-01% cd /mroot/etc/mlog
        parisi-cdot-01% cat command-history.log* | grep snapmirror
        00000005.00016ff7 00449c90 Mon Sep 09 2013 19:28:23 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Pending
        00000005.00017066 00449ca9 Mon Sep 09 2013 19:28:29 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Success

        • Re: Where is the audit log for the cluster?
          parisi NetApp Employee Cyclist

          However, it does not appear that "show" commands get logged. Only commands where things were changed (same goes for vol show, aggr show, etc):

          parisi-cdot::*> snapmirror show
                                                                                 Progress
          Source            Destination  Mirror  Relationship  Total             Last
          Path        Type  Path         State   Status        Progress  Healthy Updated
          ----------- ---- ------------ ------- -------------- --------- ------- --------
          parisi-cdot://nfs/rootvol
                      LS   parisi-cdot://nfs/rootvol_LS1
                                        Uninitialized
                                                Idle           -         -       -

          parisi-cdot-01% cat command-history.log* | grep "snapmirror show"
          parisi-cdot-01%

          parisi-cdot-01% ngsh
          parisi-cdot::> vol show
            (volume show)
          Vserver   Volume       Aggregate    State      Type       Size  Available Used%
          --------- ------------ ------------ ---------- ---- ---------- ---------- -----
          nfs       ntfs         aggr1        online     RW        200MB    189.8MB    5%
          nfs       rootvol      aggr1        online     RW         20MB    18.88MB    5%
          nfs       rootvol_LS1  aggr2        online     LS        100MB    99.88MB    0%
          nfs       unix         aggr2        online     RW        200MB    189.8MB    5%
          parisi-cdot-01
                    vol0         aggr0        online     RW       3.01GB     1.69GB   43%
          parisi-cdot-02
                    vol0         aggr0_parisi_cdot_02_0
                                              online     RW       3.01GB     1.72GB   42%
          win2k3    ntfs         aggr2        online     RW        100MB    94.87MB    5%
          win2k3    rootvol      aggr2        online     RW         20MB    18.88MB    5%
          win2k3    unix         aggr1        online     RW        100MB    94.87MB    5%
          9 entries were displayed.

          parisi-cdot::> exit
          Goodbye

          parisi-cdot-01% cat command-history.log* | grep "vol show"
          parisi-cdot-01%

          • Re: Where is the audit log for the cluster?
            parisi NetApp Employee Cyclist

            By default, "GET" requests are disabled:

            parisi-cdot::*> security audit show
                           Auditing State for              Auditing State for
                           Set Requests:                   Get Requests:
                           ------------------              ------------------
                CLI:       on                              off
                ONTAPI:    on                              off
                SNMP:      on                              off

            If you want to audit for "show", enable it:

            parisi-cdot::*> security audit modify -cliget on

            parisi-cdot::*> security audit show
                           Auditing State for              Auditing State for
                           Set Requests:                   Get Requests:
                           ------------------              ------------------
                CLI:       on                              on
                ONTAPI:    on                              off
                SNMP:      on                              off

            However, those get logged to mgwd.log:

            parisi-cdot-01% cat mgwd.log | grep "snapmirror show"
            00000005.000170cc 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending
            00000005.000170cf 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success
            00000005.000170e4 0044ad3c Mon Sep 09 2013 19:35:33 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending
            00000005.000170e7 0044ad3c Mon Sep 09 2013 19:35:33 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success
            00000005.000171ca 0044b0aa Mon Sep 09 2013 19:37:00 +00:00 [kern_mgwd:info:90753] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending
            00000005.000171df 0044b0aa Mon Sep 09 2013 19:37:00 +00:00 [kern_mgwd:info:90753] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success
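
Added example (not part of any post in this thread, and not NetApp code): since command-history.log and mgwd.log are kept per node, a cluster-wide audit view means collecting both files from every node and merging them. This Python code parses the line layout visible in the output quoted above, merges entries by timestamp, and reports Pending entries that never completed. The field layout, the `parse` and `timeline` names, and the parisi-cdot-02 line are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Layout inferred from the lines quoted in this thread (an assumption, not a NetApp spec):
# <seq> <id> <timestamp> [<source>:<level>:<n>] app :: client IP :: user :: command :: status
LINE = re.compile(
    r"^\S+ \S+ (?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"\[(?P<src>[^:\]]+):\w+:\d+\] (?P<body>.+)$")

def parse(line, node):
    """Return one audit record as a dict, or None if the line is not an audit entry."""
    m = LINE.match(line.strip())
    parts = m["body"].split(" :: ") if m else []
    if len(parts) < 5:
        return None
    # A command could itself contain " :: ", so rejoin everything before the status.
    return {"node": node, "source": m["src"], "app": parts[0], "ip": parts[1],
            "user": parts[2], "command": " :: ".join(parts[3:-1]), "status": parts[-1],
            "time": datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S %z")}

def timeline(logs):
    """logs: {node: [lines]} -> (finished records by time, Pending records never completed)."""
    records = sorted((rec for node, lines in logs.items() for l in lines
                      if (rec := parse(l, node))), key=lambda r: r["time"])
    pending, done = {}, []
    for r in records:
        key = (r["node"], r["app"], r["ip"], r["user"], r["command"])
        if r["status"] == "Pending":
            pending.setdefault(key, []).append(r)
        else:  # any non-Pending status is treated as the end of the command
            if pending.get(key):
                pending[key].pop(0)
            done.append(r)
    return done, [r for q in pending.values() for r in q]

# parisi-cdot-01 lines are quoted from the thread; the parisi-cdot-02 line is constructed.
SAMPLE = {
    "parisi-cdot-01": [
        "00000005.00016ff7 00449c90 Mon Sep 09 2013 19:28:23 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Pending",
        "00000005.00017066 00449ca9 Mon Sep 09 2013 19:28:29 +00:00 [kern_command-history:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror create -source-path nfs:rootvol -destination-path nfs:rootvol_LS1 -type LS -throttle unlimited -vserver nfs :: Success",
        "00000005.000170cc 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Pending",
        "00000005.000170cf 0044ab0d Mon Sep 09 2013 19:34:37 +00:00 [kern_mgwd:info:1010] ssh :: 10.62.195.111 :: admin :: snapmirror show :: Success",
    ],
    "parisi-cdot-02": [  # constructed line: a change that never reports completion
        "00000005.00000001 00000001 Mon Sep 09 2013 19:30:00 +00:00 [kern_command-history:info:1010] ssh :: 192.0.2.10 :: admin :: volume offline -vserver nfs -volume unix :: Pending",
    ],
}
```

`timeline(SAMPLE)` returns the finished commands from both log sources in time order, plus the one constructed command still Pending on the second node.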

        • Re: Where is the audit log for the cluster?
          bbjholcomb Cyclist

          Thanks, this is great. Was this documented any place?
