na_auditlog - contains an audit record of recent administrative activity
<logdir>/auditlog
<logdir> is /etc/log for filers and /logs for NetCache appliances.
If the option auditlog.enable is on, the system logs to the auditlog file all input to the system at the console or telnet shell and via rsh. The data output by commands executed in this fashion is also logged to auditlog. Administrative servlet invocations (via HTTP, typically from FilerView) and API calls made via the ONTAPI interface are also logged to the auditlog. A typical message is:
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:OUT:date: Wed Feb 9 17:34:09 GMT 2000
This indicates that an rsh session at about Wed Feb 9 17:34:09 GMT caused the date command to be executed. The user performing the command was root. The OUT keyword indicates that the record is data output by the system.
Commands typed at the filer's console or executed by rsh are designated by the IN keyword, as in:
Wed Feb 9 17:34:03 GMT [rshd_0:auditlog]: :IN:rsh shell:RSH INPUT COMMAND is date
Note that in this IN record the user field (between the process tag and IN) is empty; the OUT record above and the START and END records below carry the user name.
The start and end of an rsh session are specially demarcated, as in
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:START:rsh shell:orbit.eng.mycompany.com
and
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:END:rsh shell:
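The record layout shown above is regular enough to parse and reassemble into sessions, which is what you would do on the log host when reviewing who ran what. The following Python is an added example, not code from this man page or from NetApp. It uses the four records shown above plus a constructed second session (the process tag rshd_1, the host 10.0.0.99 and the command options auditlog.enable off are made up for the sample) to show one check worth running: a session that turns audit logging off.

```python
"""Parse Data ONTAP auditlog records and reassemble rsh sessions.

Added example; not code from the na_auditlog man page or from NetApp.
Record layout, taken from the page's examples:

    <timestamp> [<process>:auditlog]: <user>:<IN|OUT|START|END>:<source>:<payload>

Only the first four SAMPLE lines come from the page; the rshd_1 session,
its host 10.0.0.99 and its command are constructed.
"""
import re

# Timestamps carry no year, so they are kept as text rather than parsed.
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+) "
    r"\[(?P<proc>[^\]:]+):auditlog\]: "
    r"(?P<user>[^:]*):(?P<kind>IN|OUT|START|END):(?P<rest>.*)$"
)
RSH_INPUT_PREFIX = "RSH INPUT COMMAND is "
# Commands that change audit logging itself; the two options are the ones named on the page.
TAMPER_RE = re.compile(r"\bauditlog\.(enable|max_file_size)\b")

SAMPLE = """\
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:START:rsh shell:orbit.eng.mycompany.com
Wed Feb 9 17:34:03 GMT [rshd_0:auditlog]: :IN:rsh shell:RSH INPUT COMMAND is date
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:OUT:date: Wed Feb 9 17:34:09 GMT 2000
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:END:rsh shell:
Wed Feb 9 18:02:11 GMT [rshd_1:auditlog]: root:START:rsh shell:10.0.0.99
Wed Feb 9 18:02:11 GMT [rshd_1:auditlog]: :IN:rsh shell:RSH INPUT COMMAND is options auditlog.enable off
Wed Feb 9 18:02:11 GMT [rshd_1:auditlog]: root:END:rsh shell:
"""


def parse_record(line):
    """Return a dict for one auditlog line, or None for anything else."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # <source>:<payload>, split on the first colon only: OUT payloads such as
    # a date contain colons of their own, and END records have an empty payload.
    source, _, payload = rec.pop("rest").partition(":")
    rec["source"] = source
    rec["payload"] = payload.strip()
    if rec["kind"] == "IN" and rec["payload"].startswith(RSH_INPUT_PREFIX):
        rec["payload"] = rec["payload"][len(RSH_INPUT_PREFIX):]
    return rec


def parse_auditlog(text):
    """Parse every auditlog record in text, skipping lines that do not match."""
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def sessions(records):
    """Group records into sessions keyed by process tag (rshd_0, rshd_1, ...).

    START opens a session and END closes it; IN records supply the typed
    command, OUT records the data the filer returned. The IN record in the
    page's example has an empty user field, so the user comes from START.
    """
    open_by_proc, closed = {}, []
    for r in records:
        proc = r["proc"]
        if r["kind"] == "START":
            open_by_proc[proc] = {"proc": proc, "user": r["user"], "host": r["payload"],
                                  "started": r["ts"], "commands": [], "output": []}
            continue
        s = open_by_proc.get(proc)
        if s is None:
            # IN/OUT/END with no START seen (e.g. the START was in a rotated file).
            s = open_by_proc[proc] = {"proc": proc, "user": r["user"], "host": "",
                                      "started": r["ts"], "commands": [], "output": []}
        if r["kind"] == "IN":
            s["commands"].append(r["payload"])
        elif r["kind"] == "OUT":
            s["output"].append((r["source"], r["payload"]))
        elif r["kind"] == "END":
            s["ended"] = r["ts"]
            closed.append(open_by_proc.pop(proc))
    closed.extend(open_by_proc.values())  # sessions still open at end of file
    return closed


def flag_audit_tampering(session_list):
    """Return (user, host, command) for each command that changes the auditlog options."""
    return [(s["user"], s["host"], cmd)
            for s in session_list for cmd in s["commands"] if TAMPER_RE.search(cmd)]


if __name__ == "__main__":
    found = sessions(parse_auditlog(SAMPLE))
    for s in found:
        print(f"{s['proc']}: {s['user']}@{s['host'] or '?'} ran {s['commands']}")
    for user, host, cmd in flag_audit_tampering(found):
        print(f"AUDIT TAMPERING: {user} from {host}: {cmd}")
```

Point parse_auditlog at the file the log host writes (see the syslog forwarding below) or at <logdir>/auditlog.[0-5] fetched from the filer. Sessions are keyed by the process tag because that is the only field the page shows tying an IN record to its START, so a START that landed in the previous week's rotated file leaves a session with an empty host; the code keeps such sessions rather than dropping their commands.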
The maximum size of the auditlog file is controlled by the
auditlog.max_file_size option. If the file gets to this
size, it is rotated (see below).
Every Saturday at 24:00, <logdir>/auditlog is moved to
<logdir>/auditlog.0, <logdir>/auditlog.0 is moved to
<logdir>/auditlog.1, and so on. This process is called
rotation. Auditlog files are saved for a total of six
weeks, if they do not overflow.
If you want to forward audit log messages to a remote syslog log host (one that accepts syslog messages via the BSD Syslog protocol specified in RFC 3164), modify the filer's /etc/syslog.conf file to forward messages from the filer's "local7" facility to the remote host. Do this by adding a line like:

local7.*        @1.2.3.4

to /etc/syslog.conf. An IP address has been used here, but a valid DNS name could also be used. Note that using a DNS name can fail if the filer is unable to resolve the name given in the file; if that happens, your messages will not be forwarded. Note also that RFC 3164 syslog is carried over UDP with no acknowledgement, authentication or encryption, so a dropped or forged message is not detected by this mechanism; the auditlog files on the filer remain the primary record.
On the log host, you'll need to modify the syslog daemon's configuration file to direct syslog message traffic from the "local7" facility to the appropriate log file. That is typically done by adding a line similar to the one shown above for the filer:

local7.*        /var/logs/filer_auditlogs

Then restart the daemon on the log host, or send an appropriate signal to it. See the documentation for your log host's syslog daemon for more information on how to make that configuration change.
<logdir>/auditlog
    auditlog file for current week.
<logdir>/auditlog.[0-5]
    auditlog files for previous weeks.
na_options(1), na_syslog.conf(5)