Before you configure auditing on storage virtual machines (SVMs), you must understand which configuration options are available and plan the values that you want to set for each option. This information can help you configure the auditing configuration that meets your business needs.
There are certain configuration parameters that are common to all auditing configurations.
Additionally, there are certain parameters that you can use to specify which methods are used when rotating the consolidated and converted audit logs. You can specify one of the three following methods when you configure auditing:
This is the default method used to rotate logs.
There are two required parameters that you must specify when you create the auditing configuration. There are also three optional parameters that you can specify:
Type of information | Option | Required | Include | Your values |
---|---|---|---|---|
SVM name Name of the SVM on which to create the auditing configuration. The SVM must already exist. |
-vserver vserver_name | Yes | Yes | |
Log destination path Specifies where the converted audit logs are stored. The path must already exist on the SVM. The path can be up to 864 characters in length and must have read-write permissions. If the path is not valid, the audit configuration command fails. If the SVM is an SVM disaster recovery source, the log destination path cannot be on the root volume. This is because root volume content is not replicated to the disaster recovery destination. You cannot use a FlexCache volume as a log destination (ONTAP 9.7 and later). |
-destination text | Yes | Yes | |
Categories of events to audit Specifies the categories of events to audit. The following event categories can be audited:
The default is to audit file access and CIFS logon and logoff events. Note: Before you can specify cap-staging as an event category, a CIFS server must exist on the SVM.
Although you can enable central access policy staging in the auditing configuration without enabling Dynamic Access Control on the CIFS server, central access policy staging events are generated only if Dynamic Access Control is enabled. Dynamic Access Control is enabled through a CIFS server option. It is not enabled by default. |
-events {file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|security-group|authorization-policy-change} | No | ||
Log file output format Determines the output format of the audit logs. The output format can be either ONTAP-specific XML or Microsoft Windows EVTX log format. By default, the output format is EVTX. |
-format {xml|evtx} | No | ||
Log files rotation limit Determines how many audit log files to retain before rotating the oldest log file out. For example, if you enter a value of 5, the last five log files are retained. A value of 0 indicates that all the log files are retained. The default value is 0. |
-rotate-limit integer | No |
Rotate logs based on log size
Type of information | Option | Required | Include | Your values |
---|---|---|---|---|
Log file size limit Determines the audit log file size limit. |
-rotate-size {integer[KB|MB|GB|TB|PB]} | No |
Rotate logs based on a schedule
If you choose to rotate the audit logs based on a schedule, you can schedule log rotation by using the time-based rotation parameters in any combination.
For example, if you specify only the -rotate-schedule-minute parameter, the audit log files are rotated based on the minutes specified on all days of the week, during all hours on all months of the year.
For example, you can specify that the audit log is to be rotated during the months January, March, and August on all Mondays, Wednesdays, and Saturdays at 10:30 a.m.
For example, if you specify -rotate-schedule-dayofweek as Friday and -rotate-schedule-day as 13, then the audit logs would be rotated on every Friday and on the 13th day of the specified month, not just on every Friday the 13th.
You can use the following list of available auditing parameters to determine what values to use for configuring a schedule for audit event log rotations:
Type of information | Option | Required | Include | Your values |
---|---|---|---|---|
Log rotation schedule: Month Determines the monthly schedule for rotating audit logs. Valid values are January through December, and all. For example, you can specify that the audit log is to be rotated during the months January, March, and August. |
-rotate-schedule-month chron_month | No | ||
Log rotation schedule: Day of week Determines the daily (day of week) schedule for rotating audit logs. Valid values are Sunday through Saturday, and all. For example, you can specify that the audit log is to be rotated on Tuesdays and Fridays, or during all the days of a week. |
-rotate-schedule-dayofweek chron_dayofweek | No | ||
Log rotation schedule: Day Determines the day of the month schedule for rotating the audit log. Valid values range from 1 through 31. For example, you can specify that the audit log is to be rotated on the 10th and 20th days of a month, or all days of a month. |
-rotate-schedule-day chron_dayofmonth | No | ||
Log rotation schedule: Hour Determines the hourly schedule for rotating the audit log. Valid values range from 0 (midnight) to 23 (11:00 p.m.). Specifying all rotates the audit logs every hour. For example, you can specify that the audit log is to be rotated at 6 (6 a.m.) and 18 (6 p.m.). |
-rotate-schedule-hour chron_hour | No | ||
Log rotation schedule: Minute Determines the minute schedule for rotating the audit log. Valid values range from 0 to 59. For example, you can specify that the audit log is to be rotated at the 30th minute. |
-rotate-schedule-minute chron_minute | Yes, if configuring schedule-based log rotation; otherwise, no. |
Rotate logs based on log size and schedule
You can choose to rotate the log files based on log size and a schedule by setting both the -rotate-size parameter and the time-based rotation parameters in any combination. For example: if -rotate-size is set to 10 MB and -rotate-schedule-minute is set to 15, the log files rotate when the log file size reaches 10 MB or on the 15th minute of every hour (whichever event occurs first).