Skip to main content
REST API reference
A newer release of this product is available.

Create an audit configuration

PDFs

POST /protocols/audit

Introduced In: 9.6

Creates an audit configuration.

Required properties

  • svm.uuid or svm.name - Existing SVM to which audit configuration is to be created.

  • log_path - Path in the owning SVM namespace that is used to store audit logs.

Default property values

If not specified in POST, the following default property values are assigned:

  • enabled - true

  • events.authorization_policy - false

  • events.cap_staging - false

  • events.file_share - false

  • events.security_group - false

  • events.user_account - false

  • events.cifs_logon_logoff - true

  • events.file_operations - true

  • log.format - evtx

  • log.retention.count - 0

  • log.retention.duration - PT0S

  • log.rotation.size - 100MB

  • log.rotation.now - false

  • guarantee - true

  • vserver audit create

  • vserver audit enable

Learn more

Parameters

Name Type In Required Description

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 0

  • Max value: 120

  • Min value: 0

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

Request Body

Name Type Description

enabled

boolean

Specifies whether or not auditing is enabled on the SVM.

events

events

guarantee

boolean

Indicates whether there is a strict Guarantee of Auditing

log

log

log_path

string

The audit log destination path where consolidated audit logs are stored.

svm

svm
Example request 
{
  "guarantee": "",
  "log": {
    "format": "string",
    "retention": {
      "duration": "P4DT12H30M5S"
    },
    "rotation": {
      "schedule": {
        "days": [
          "integer"
        ],
        "hours": [
          "integer"
        ],
        "minutes": [
          "integer"
        ],
        "months": [
          "integer"
        ],
        "weekdays": [
          "integer"
        ]
      }
    }
  },
  "log_path": "string",
  "svm": {
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  }
}

Response

Status: 202, Accepted
Name Type Description

num_records

integer

Number of records

records

array[audit]
Example response 
{
  "records": [
    {
      "guarantee": "",
      "log": {
        "format": "string",
        "retention": {
          "duration": "P4DT12H30M5S"
        },
        "rotation": {
          "schedule": {
            "days": [
              "integer"
            ],
            "hours": [
              "integer"
            ],
            "minutes": [
              "integer"
            ],
            "months": [
              "integer"
            ],
            "weekdays": [
              "integer"
            ]
          }
        }
      },
      "log_path": "string",
      "svm": {
        "name": "svm1",
        "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
      }
    }
  ]
}

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

262196

Log_rotation_now is not an allowed operation

2621462

The specified SVM does not exist

9699330

An audit configuration already exists

9699337

Audit system internal update is in progress, audit configuration create failed

9699340

SVM UUID lookup failed

9699358

Audit configuration is absent for enabling

9699359

Audit configuration is already enabled

9699360

Final consolidation is in progress, audit enable failed

9699365

Enabling of audit configuration failed

9699370

Auditing was successfully configured, however audit configuration could not be enabled

9699384

The specified log_path does not exist

9699385

The log_path must be a directory

9699386

The log_path must be a canonical path in the SVMs namespace

9699387

The log_path cannot be empty

9699388

Rotate size must be greater than or equal to 1024 KB

9699389

The log_path must not contain a symbolic link

9699398

The log_path exceeds a maximum supported length of characters

9699399

The log_path contains an unsupported read-only (DP/LS) volume

9699400

The specified log_path is not a valid destination for SVM

9699402

The log_path contains an unsupported snaplock volume

9699403

The log_path cannot be accessed for validation

9699406

The log_path validation failed

9699409

Failed to enable multiproto.audit.evtxlog.support support capability

9699428

All nodes need to run ONTAP 8.3.0 release to audit CIFS logon-logoff events

9699429

Failed to enable multiproto.audit.cifslogonlogoff.support support capability

9699431

All nodes need to run ONTAP 8.3.0 release to audit CAP staging events

9699432

Failed to enable multiproto.audit.capstaging.support support capability

Definitions

See Definitions

events

Name Type Description

authorization_policy

boolean

Authorization policy change events

cap_staging

boolean

Central access policy staging events

cifs_logon_logoff

boolean

CIFS logon and logoff events

file_operations

boolean

File operation events

file_share

boolean

File share category events

security_group

boolean

Local security group management events

user_account

boolean

Local user account management events

href

Name Type Description

href

string

_links

retention

Name Type Description

count

integer

Determines how many audit log files to retain before rotating the oldest log file out. This is mutually exclusive with duration.

duration

string

Specifies an ISO-8601 format date and time to retain the audit log file. The audit log files are deleted once they reach the specified date/time. This is mutually exclusive with count.

audit_schedule

Rotates the audit logs based on a schedule by using the time-based rotation parameters in any combination. The rotation schedule is calculated by using all the time-related values.

Name Type Description

days

array[integer]

Specifies the day of the month schedule to rotate audit log. Leave empty for all.

hours

array[integer]

Specifies the hourly schedule to rotate audit log. Leave empty for all.

minutes

array[integer]

Specifies the minutes schedule to rotate the audit log.

months

array[integer]

Specifies the months schedule to rotate audit log. Leave empty for all.

weekdays

array[integer]

Specifies the weekdays schedule to rotate audit log. Leave empty for all.

rotation

Audit event log files are rotated when they reach a configured threshold log size or are on a configured schedule. When an event log file is rotated, the scheduled consolidation task first renames the active converted file to a time-stamped archive file, and then creates a new active converted event log file.

Name Type Description

now

boolean

Manually rotates the audit logs. Optional in PATCH only. Not available in POST.

schedule

audit_schedule

Rotates the audit logs based on a schedule by using the time-based rotation parameters in any combination. The rotation schedule is calculated by using all the time-related values.

size

integer

Rotates logs based on log size in bytes.

log

Name Type Description

format

string

The format in which the logs are generated by consolidation process. Possible values are:

  • xml - Data ONTAP-specific XML log format

  • evtx - Microsoft Windows EVTX log format

    • Default value: 1

    • enum: ["xml", "evtx"]

    • Introduced in: 9.6

retention

retention

rotation

rotation

Audit event log files are rotated when they reach a configured threshold log size or are on a configured schedule. When an event log file is rotated, the scheduled consolidation task first renames the active converted file to a time-stamped archive file, and then creates a new active converted event log file.

svm

Name Type Description

name

string

The name of the SVM.

uuid

string

The unique identifier of the SVM.

audit

Auditing for NAS events is a security measure that enables you to track and log certain CIFS and NFS events on SVMs.

Name Type Description

enabled

boolean

Specifies whether or not auditing is enabled on the SVM.

events

events

guarantee

boolean

Indicates whether there is a strict Guarantee of Auditing

log

log

log_path

string

The audit log destination path where consolidated audit logs are stored.

svm

svm

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.