security audit log show
Display audit entries merged from multiple nodes in the cluster
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security audit log show command displays cluster-wide audit log messages. Messages from each node are interleaved in chronological order.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-detail ]
This display option shows the individual fields of the audit record.

| [-instance ] }
If you specify the -instance parameter, the command displays detailed information about all fields.

[-timestamp <Date>] - Log Entry Timestamp
Selects the entries that match the specified input for timestamp. The timestamp is in the human-readable format <day> <month> <day of month> <hour>:<min>:<sec> <year>, in the local timezone.

[-node {<nodename>|local}] - Node
Selects the entries that match the specified input for node.

[-entry <text>] - Log Message Entry
Selects the entries that match the specified input for entry.

[-session-id <text>] - Session ID
This is the "session id" for this audit record. Each ssh/console session is assigned a unique session ID. Each ZAPI/HTTP/SNMP request is assigned a unique session ID.

[-command-id <text>] - Command ID
This is useful with ssh/console sessions. Each command in a session is assigned a unique command ID. ZAPI/HTTP/SNMP requests do not have a command ID.

[-application <text>] - Protocol
This is the application used to connect to the cluster. Possible values include the following: internal, console, ssh, http, ontapi, snmp, rsh, telnet, service-processor.

[-location <text>] - Remote user location
The remote IP address or remote access point.

[-vserver <text>] - Vserver name
Storage Virtual Machine name.

[-username <text>] - Username
Username.

[-input <text>] - Command being executed
The operation being attempted.

[-state {Pending|Success|Error}] - State of this audit request
State of this request.

[-message <text>] - Additional information and/or error message
Additional information, which may be an error or informative message.
Examples
The following example displays specific fields based on a custom query:
cluster1::> security audit log show -fields application, location, state, input, message -location 10.60.* -state Error|Success -input v*|st* -timestamp >"Jul 10 12:00:00 2020"
timestamp                  node  application location     input                                      state   message
-------------------------- ----- ----------- ------------ ------------------------------------------ ------- -------
"Fri Jul 17 11:32:44 2020" node1 ssh         10.60.250.79 storage aggregate create test -diskcount 5 Success -
"Fri Jul 17 11:36:47 2020" node1 ssh         10.60.250.79 vserver create vs1                         Success -
"Fri Jul 17 11:37:33 2020" node1 ssh         10.60.250.79 volume create vol1                         Error   One of the following parameters is required: -aggregate, -aggr-list, -auto-provision-as
"Fri Jul 17 11:38:08 2020" node1 ssh         10.60.250.79 volume create vol1 -aggregate test         Success -

Some more examples for -timestamp usage:

cluster1::> security audit log show -timestamp "Mon Jan 03 18:37:05 2022"
Time                     Node        Audit Message
------------------------ ----------- -----------------------
Mon Jan 03 18:37:05 2022 node1       [kern_audit:info:988] mlogd: started

cluster1::> security audit log show -timestamp Mon Jan 03 *
Time                     Node        Audit Message
------------------------ ----------- -----------------------
Mon Jan 03 18:37:05 2022 node1       [kern_audit:info:988] mlogd: started
Mon Jan 03 18:37:06 2022 node2       [kern_audit:info:988] mlogd: started
Mon Jan 03 18:41:25 2022 node1       [kern_audit:info:977] mlogd: started
Mon Jan 03 18:41:25 2022 node2       [kern_audit:info:977] mlogd: started

cluster1::> security audit log show -timestamp Mon Jan 03 18:37*
Time                     Node        Audit Message
------------------------ ----------- -----------------------
Mon Jan 03 18:37:05 2022 node1       [kern_audit:info:988] mlogd: started
Mon Jan 03 18:37:06 2022 node2       [kern_audit:info:988] mlogd: started
2 entries were displayed.
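
A parser for the -fields table output of the first example above, for feeding captured audit output into review or alerting. This is an added example, not part of the original page or NetApp's own code. It assumes the output was captured as fixed-width text whose columns line up with the dashed ruler line (the padding in SAMPLE is constructed); parse_audit_table and errors_by_location are hypothetical names.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: the page's first example output; column padding is assumed.
SAMPLE = '''\
timestamp                  node  application location     input                                      state   message
-------------------------- ----- ----------- ------------ ------------------------------------------ ------- -------
"Fri Jul 17 11:32:44 2020" node1 ssh         10.60.250.79 storage aggregate create test -diskcount 5 Success -
"Fri Jul 17 11:36:47 2020" node1 ssh         10.60.250.79 vserver create vs1                         Success -
"Fri Jul 17 11:37:33 2020" node1 ssh         10.60.250.79 volume create vol1                         Error   One of the following parameters is required: -aggregate, -aggr-list, -auto-provision-as
"Fri Jul 17 11:38:08 2020" node1 ssh         10.60.250.79 volume create vol1 -aggregate test         Success -
'''

def parse_audit_table(text):
    """Parse '-fields' table output into dicts, slicing columns by the dashed ruler."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler_idx = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    header, ruler = lines[ruler_idx - 1], lines[ruler_idx]
    spans, pos = [], 0
    for run in ruler.split(" "):  # each run of dashes marks one column
        if run:
            spans.append((pos, pos + len(run)))
        pos += len(run) + 1
    spans[-1] = (spans[-1][0], None)  # last column (message) runs to end of line
    names = [header[a:b].strip() for a, b in spans]
    rows = []
    for line in lines[ruler_idx + 1:]:
        if line.rstrip().endswith("displayed."):  # "N entries were displayed." footer
            continue
        row = {n: line[a:b].strip() for n, (a, b) in zip(names, spans)}
        # Format from the page: <day> <month> <day of month> <hour>:<min>:<sec> <year>
        row["timestamp"] = datetime.strptime(row["timestamp"].strip('"'), "%a %b %d %H:%M:%S %Y")
        rows.append(row)
    return rows

def errors_by_location(rows):
    """Count records whose state is Error, keyed by (location, application)."""
    return Counter((r["location"], r["application"]) for r in rows if r["state"] == "Error")

if __name__ == "__main__":
    for key, count in errors_by_location(parse_audit_table(SAMPLE)).items():
        print(key, count)
```

Slicing by the ruler rather than splitting on whitespace keeps the input and message columns intact, since both contain spaces. The parsed timestamps are naive datetimes in the cluster's local timezone.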