Release notes
Manage audit log destinations
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
You can forward the audit log to a maximum of 10 destinations. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.
To configure forwarding, you must provide the IP address of the syslog or Splunk host, its port number, a transmission protocol, and the syslog facility to use for the forwarded logs. Learn about syslog facilities.
You can select one of the following transmission values:
- UDP Unencrypted
-
User Datagram Protocol with no security (default)
- TCP Unencrypted
-
Transmission Control Protocol with no security
- TCP Encrypted
-
Transmission Control Protocol with Transport Layer Security (TLS)
A Verify server option is available when the TCP Encrypted protocol is selected.
You can forward audit logs from the ONTAP CLI, and beginning with ONTAP 9.11.1, from System Manager.
-
To display audit log destinations, select Cluster >Settings.
A count of log destinations is shown in the Notification Management tile. Click
to show details. -
To add, modify, or delete audit log destinations, select Events & Jobs > Audit Logs, then click Manage Audit Destinations in the upper right of the screen.
Click
, or click in the Host Address column to edit or delete entries.
-
For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.
cluster1::> cluster log-forwarding create -destination 192.168.123.96 -port 514 -facility user cluster1::> cluster log-forwarding create -destination 192.168.123.98 -port 514 -protocol tcp-encrypted -facility user
-
If the
cluster log-forwarding createcommand cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the-forceparameter with the command bypasses the connectivity verification. -
When you set the
-verify-serverparameter totrue, the identity of the log forwarding destination is verified by validating its certificate. You can set the value totrueonly when you select thetcp-encryptedvalue in the-protocolfield.
-
-
Verify that the destination records are correct by using the
cluster log-forwarding showcommand.cluster1::> cluster log-forwarding show Verify Syslog Destination Host Port Protocol Server Facility ------------------------- ------ -------- ------ -------- 192.168.123.96 514 udp-unencrypted false user 192.168.123.98 514 tcp-encrypted true user 2 entries were displayed.
See the man pages for details.