Create an audit configuration
POST /protocols/audit
Creates an audit configuration.
Required properties
- svm.uuid or svm.name - Existing SVM in which to create the audit configuration.
- log_path - Path in the owning SVM namespace that is used to store audit logs.
Default property values
If not specified in POST, the following default property values are assigned:
- enabled - true
- events.authorization_policy - false
- events.cap_staging - false
- events.file_share - false
- events.security_group - false
- events.user_account - false
- events.cifs_logon_logoff - true
- events.file_operations - true
- log.format - evtx
- log.retention.count - 0
- log.retention.duration - PT0S
- log.rotation.size - 100MB
- log.rotation.now - false
Related ONTAP commands
- vserver audit create
- vserver audit enable
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_timeout | integer | query | False | The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202. |
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Response
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
262196 | Log_rotation_now is not an allowed operation |
2621462 | The specified SVM does not exist |
9699330 | An audit configuration already exists |
9699337 | Audit system internal update is in progress, audit configuration create failed |
9699340 | SVM UUID lookup failed |
9699358 | Audit configuration is absent for enabling |
9699359 | Audit configuration is already enabled |
9699360 | Final consolidation is in progress, audit enable failed |
9699365 | Enabling of audit configuration failed |
9699370 | Auditing was successfully configured, however audit configuration could not be enabled |
9699384 | The specified log_path does not exist |
9699385 | The log_path must be a directory |
9699386 | The log_path must be a canonical path in the SVMs namespace |
9699387 | The log_path cannot be empty |
9699388 | Rotate size must be greater than or equal to 1024 KB |
9699389 | The log_path must not contain a symbolic link |
9699398 | The log_path exceeds a maximum supported length of characters |
9699399 | The log_path contains an unsupported read-only (DP/LS) volume |
9699400 | The specified log_path is not a valid destination for SVM |
9699402 | The log_path contains an unsupported snaplock volume |
9699403 | The log_path cannot be accessed for validation |
9699406 | The log_path validation failed |
9699409 | Failed to enable multiproto.audit.evtxlog.support support capability |
9699428 | All nodes need to run ONTAP 8.3.0 release to audit CIFS logon-logoff events |
9699429 | Failed to enable multiproto.audit.cifslogonlogoff.support support capability |
9699431 | All nodes need to run ONTAP 8.3.0 release to audit CAP staging events |
9699432 | Failed to enable multiproto.audit.capstaging.support support capability |
Name | Type | Description |
---|---|---|
error | | |
Example error
Definitions
events
Name | Type | Description |
---|---|---|
authorization_policy | boolean | Authorization policy change events |
cap_staging | boolean | Central access policy staging events |
cifs_logon_logoff | boolean | CIFS logon and logoff events |
file_operations | boolean | File operation events |
file_share | boolean | File share category events |
security_group | boolean | Local security group management events |
user_account | boolean | Local user account management events |
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | | |
retention
Name | Type | Description |
---|---|---|
count | integer | Determines how many audit log files to retain before rotating the oldest log file out. This is mutually exclusive with duration. |
duration | string | Specifies an ISO-8601 format date and time to retain the audit log file. The audit log files are deleted once they reach the specified date/time. This is mutually exclusive with count. |
audit_schedule
Rotates the audit logs based on a schedule by using the time-based rotation parameters in any combination. The rotation schedule is calculated by using all the time-related values.
Name | Type | Description |
---|---|---|
days | array[integer] | Specifies the day of the month schedule to rotate audit log. Leave empty for all. |
hours | array[integer] | Specifies the hourly schedule to rotate audit log. Leave empty for all. |
minutes | array[integer] | Specifies the minutes schedule to rotate the audit log. |
months | array[integer] | Specifies the months schedule to rotate audit log. Leave empty for all. |
weekdays | array[integer] | Specifies the weekdays schedule to rotate audit log. Leave empty for all. |
rotation
Audit event log files are rotated when they reach a configured threshold log size or are on a configured schedule. When an event log file is rotated, the scheduled consolidation task first renames the active converted file to a time-stamped archive file, and then creates a new active converted event log file.
Name | Type | Description |
---|---|---|
now | boolean | Manually rotates the audit logs. Optional in PATCH only. Not available in POST. |
schedule | | Rotates the audit logs based on a schedule by using the time-based rotation parameters in any combination. The rotation schedule is calculated by using all the time-related values. |
size | integer | Rotates logs based on log size in bytes. |
log
Name | Type | Description |
---|---|---|
_links | | |
format | string | The format in which the logs are generated by consolidation process. Possible values are: |
retention | | |
rotation | | Audit event log files are rotated when they reach a configured threshold log size or are on a configured schedule. When an event log file is rotated, the scheduled consolidation task first renames the active converted file to a time-stamped archive file, and then creates a new active converted event log file. |
svm
Name | Type | Description |
---|---|---|
_links | | |
name | string | The name of the SVM. |
uuid | string | The unique identifier of the SVM. |
audit
Auditing for NAS events is a security measure that enables you to track and log certain CIFS and NFS events on SVMs.
Name | Type | Description |
---|---|---|
enabled | boolean | Specifies whether or not auditing is enabled on the SVM. |
events | | |
log | | |
log_path | string | The audit log destination path where consolidated audit logs are stored. |
svm | | |
_links
Name | Type | Description |
---|---|---|
next | | |
self | | |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |
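Added example (not part of the ONTAP documentation): a client-side pre-flight check that builds a POST /protocols/audit request body and flags inputs that the error table and definitions above say the server rejects. The function name, the SVM name `svm1`, the path `/audit_log`, the `P30D` duration and the canonical-path approximation are assumptions made for illustration.

```python
import json

# Event categories listed in the "events" definition on this page.
EVENT_KEYS = {"authorization_policy", "cap_staging", "cifs_logon_logoff",
              "file_operations", "file_share", "security_group", "user_account"}
MIN_ROTATE_BYTES = 1024 * 1024  # error 9699388: rotate size must be >= 1024 KB


def build_audit_body(svm_name, log_path, events=None, retention_count=None,
                     retention_duration=None, rotation_size=None, rotate_now=None):
    """Return (body, problems) for POST /protocols/audit; problems cite page error codes."""
    problems = []
    if not svm_name:
        problems.append("svm.name or svm.uuid is required")
    if not log_path:
        problems.append("9699387: log_path cannot be empty")
    else:
        # Assumption: "canonical" approximated as absolute, no empty, "." or ".." segments.
        segments = log_path.rstrip("/").split("/")
        if segments[0] != "" or any(s in ("", ".", "..") for s in segments[1:]):
            problems.append("9699386: log_path must be a canonical path")
    if rotate_now is not None:
        problems.append("262196: log.rotation.now is PATCH-only, not allowed in POST")
    if rotation_size is not None and rotation_size < MIN_ROTATE_BYTES:
        problems.append("9699388: rotate size must be >= 1024 KB")
    if retention_count is not None and retention_duration is not None:
        problems.append("log.retention.count and log.retention.duration are mutually exclusive")
    unknown = sorted(set(events or {}) - EVENT_KEYS)
    if unknown:
        problems.append("unknown event categories: " + ", ".join(unknown))

    log = {}
    if retention_count is not None:
        log["retention"] = {"count": retention_count}
    elif retention_duration is not None:
        log["retention"] = {"duration": retention_duration}
    if rotation_size is not None:
        log["rotation"] = {"size": rotation_size}  # size is in bytes per the rotation table
    body = {"svm": {"name": svm_name}, "log_path": log_path}
    if events:
        body["events"] = dict(events)
    if log:
        body["log"] = log
    return body, problems


if __name__ == "__main__":
    # Constructed sample: enables the management-event categories that default to false.
    body, problems = build_audit_body(
        "svm1", "/audit_log",
        events={"authorization_policy": True, "file_share": True,
                "security_group": True, "user_account": True},
        retention_duration="P30D", rotation_size=200 * 1024 * 1024)
    print(json.dumps(body, indent=2), problems)
```

Properties left out of the body fall back to the defaults listed under "Default property values", so the four event categories enabled here are the ones that would otherwise stay off.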