Forwarding the audit log to a destination

You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

About this task

If the cluster log-forwarding create command cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the -force parameter with the command bypasses the connectivity verification.

You can configure transmission security options when forwarding log files:

Protocols for sending messages to the destination
You can select one of the following -protocol values:
- udp-unencrypted: User Datagram Protocol with no security (default)
- tcp-unencrypted: Transmission Control Protocol with no security
- tcp-encrypted: Transmission Control Protocol with Transport Layer Security (TLS)
Verification of destination server identity
When you set the -verify-server parameter to true, the identity of the log forwarding destination is verified by validating its certificate. You can set the value to true only when you select the tcp-encrypted value in the -protocol field.

Steps

For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.

Example

cluster1::> cluster log-forwarding create -destination 192.168.123.96 
-port 514 -facility user

cluster1::> cluster log-forwarding create -destination 192.168.123.98 
-port 514 -protocol tcp-encrypted -facility user

Verify that the destination records are correct by using the cluster log-forwarding show command.

Example

cluster1::> cluster log-forwarding show

                                                 Verify Syslog
Destination Host          Port   Protocol        Server Facility
------------------------- ------ --------        ------ --------
192.168.123.96            514    udp-unencrypted false  user
192.168.123.98            514    tcp-encrypted   true   user
2 entries were displayed.