REST API reference
A newer release of this product is available.
Protocols audit endpoint overview
Contributors
Suggest changes
PDFs
Overview
Auditing for NAS events is a security measure that enables you to track and log certain CIFS and NFS events on storage virtual machines (SVMs). This helps you track potential security problems and provides evidence of any security breaches.
Examples
Creating an audit entry with log rotation size and log retention count
To create an audit entry with log rotation size and log retention count, use the following API. Note the return_records=true query parameter is used to obtain the newly created entry in the response.
# The API:
POST /api/protocols/audit/
# The call:
curl -X POST "https://<mgmt-ip>/api/protocols/audit" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"enabled\": true, \"events\": { \"authorization_policy\": false, \"cap_staging\": false, \"cifs_logon_logoff\": true, \"file_operations\": true, \"file_share\": false, \"security_group\": false, \"user_account\": false }, \"log\": { \"format\": \"evtx\", \"retention\": { \"count\": 10 }, \"rotation\": { \"size\": 2048000 }}, \"log_path\": \"/\", \"svm\": { \"name\": \"vs1\", \"uuid\": \"ec650e97-156e-11e9-abcb-005056bbd0bf\" }}"
# The response:
{
"records": [
{
"svm": {
"uuid": "ec650e97-156e-11e9-abcb-005056bbd0bf",
"name": "vs1"
},
"enabled": true,
"events": {
"authorization_policy": false,
"cap_staging": false,
"cifs_logon_logoff": true,
"file_operations": true,
"file_share": false,
"security_group": false,
"user_account": false
},
"log": {
"format": "evtx",
"rotation": {
"size": 2048000
},
"retention": {
"count": 10,
"duration": "0s"
}
},
"log_path": "/"
}
],
"num_records": 1
}
Creating an audit entry with log rotation schedule and log retention duration
To create an audit entry with log rotation schedule and log retention duration, use the following API. Note that the return_records=true query parameter is used to obtain the newly created entry in the response.
# The API:
POST /api/protocols/audit/
# The call:
curl -X POST "https://<mgmt-ip>/api/protocols/audit" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"enabled\": false, \"events\": { \"authorization_policy\": false, \"cap_staging\": false, \"cifs_logon_logoff\": true, \"file_operations\": true, \"file_share\": false, \"security_group\": false, \"user_account\": false }, \"log\": { \"format\": \"xml\", \"retention\": { \"duration\": \"P4DT12H30M5S\" }, \"rotation\": { \"schedule\": { \"days\": [1, 5, 10, 15], \"hours\": [0, 1, 6, 12, 18, 23], \"minutes\": [10, 15, 30, 45, 59], \"months\": [0], \"weekdays\": [0, 2, 5] } } }, \"log_path\": \"/\", \"svm\": { \"name\": \"vs3\", \"uuid\": \"a8d64674-13fc-11e9-87b1-005056a7ae7e\" }}"
# The response:
{
"records": [
{
"svm": {
"uuid": "a8d64674-13fc-11e9-87b1-005056a7ae7e",
"name": "vs3"
},
"enabled": true,
"events": {
"authorization_policy": false,
"cap_staging": false,
"cifs_logon_logoff": true,
"file_operations": true,
"file_share": false,
"security_group": false,
"user_account": false
},
"log": {
"format": "xml",
"rotation": {
"schedule": {
"minutes": [
10,
15,
30,
45,
59
],
"hours": [
0,
1,
6,
12,
18,
23
],
"weekdays": [
0,
2,
5
],
"days": [
1,
5,
10,
15
],
"months": [
0
]
}
},
"retention": {
"count": 0,
"duration": "P4DT12H30M5S"
}
},
"log_path": "/"
}
],
"num_records": 1
}
Retrieving an audit configuration for all SVMs in the cluster
# The API:
GET /api/protocols/audit/
# The call:
curl -X GET "https://<mgmt-ip>/api/protocols/audit?fields=*&return_records=true&return_timeout=15" -H "accept: application/json"
# The response:
{
"records": [
{
"svm": {
"uuid": "ec650e97-156e-11e9-abcb-005056bbd0bf",
"name": "vs1"
},
"enabled": true,
"events": {
"authorization_policy": false,
"cap_staging": false,
"cifs_logon_logoff": true,
"file_operations": true,
"file_share": false,
"security_group": false,
"user_account": false
},
"log": {
"format": "evtx",
"rotation": {
"size": 2048000
},
"retention": {
"count": 10,
"duration": "0s"
}
},
"log_path": "/"
},
{
"svm": {
"uuid": "a8d64674-13fc-11e9-87b1-005056a7ae7e",
"name": "vs3"
},
"enabled": true,
"events": {
"authorization_policy": false,
"cap_staging": false,
"cifs_logon_logoff": true,
"file_operations": true,
"file_share": false,
"security_group": false,
"user_account": false
},
"log": {
"format": "xml",
"rotation": {
"schedule": {
"minutes": [
10,
15,
30,
45,
59
],
"hours": [
0,
1,
6,
12,
18,
23
],
"weekdays": [
0,
2,
5
],
"days": [
1,
5,
10,
15
],
"months": [
0
]
}
},
"retention": {
"count": 0,
"duration": "P4DT12H30M5S"
}
},
"log_path": "/"
}
],
"num_records": 2
}
Retrieving specific entries with event list as cifs-logon-logoff, file-ops = true for an SVM
The configuration returned is identified by the events in the list of audit configurations for an SVM.
# The API:
GET /api/protocols/audit/
# The call:
curl -X GET "https://<mgmt-ip>/api/protocols/audit?events.file_operations=true&events.cifs_logon_logoff=true&return_records=true&return_timeout=15" -H "accept: application/json"
# The response:
{
"records": [
{
"svm": {
"uuid": "ec650e97-156e-11e9-abcb-005056bbd0bf",
"name": "vs1"
},
"events": {
"cifs_logon_logoff": true,
"file_operations": true
}
},
{
"svm": {
"uuid": "a8d64674-13fc-11e9-87b1-005056a7ae7e",
"name": "vs3"
},
"events": {
"cifs_logon_logoff": true,
"file_operations": true
}
}
],
"num_records": 2
}
Retrieving a specific audit configuration for an SVM
The configuration returned is identified by the UUID of its SVM.
# The API:
GET /api/protocols/audit/{svm.uuid}
# The call:
curl -X GET "https://<mgmt-ip>/api/protocols/audit/ec650e97-156e-11e9-abcb-005056bbd0bf" -H "accept: application/json"
# The response:
{
"svm": {
"uuid": "ec650e97-156e-11e9-abcb-005056bbd0bf",
"name": "vs1"
},
"enabled": true,
"events": {
"authorization_policy": false,
"cap_staging": false,
"cifs_logon_logoff": true,
"file_operations": true,
"file_share" : false,
"security_group": false,
"user_account": false
},
"log": {
"format": "evtx",
"rotation": {
"size": 2048000
},
"retention": {
"count": 10,
"duration": "0s"
}
},
"log_path": "/"
}
Updating a specific audit configuration of an SVM
The configuration is identified by the UUID of its SVM and the provided information is updated.
# The API:
PATCH /api/protocols/audit/{svm.uuid}
# The call:
curl -X PATCH "https://<mgmt-ip>/api/protocols/audit/ec650e97-156e-11e9-abcb-005056bbd0bf" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"enabled\": false}"
Deleting a specific audit configuration for an SVM
The entry to be deleted is identified by the UUID of its SVM.
# The API:
DELETE /api/protocols/audit/{svm.uuid}
# The call:
curl -X DELETE "https://<mgmt-ip>/api/protocols/audit/ec650e97-156e-11e9-abcb-005056bbd0bf" -H "accept: application/json"