Skip to main content
A newer release of this product is available.

Update the audit configuration for an SVM

Contributors
PDFs

PATCH /protocols/audit/{svm.uuid}

Introduced In: 9.6

Updates an audit configuration for an SVM.

  • vserver audit modify

Learn more

Parameters

Name Type In Required Description

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1

  • Max value: 120

  • Min value: 0

svm.uuid

string

path

True

UUID of the SVM to which this object belongs.

Request Body

Name Type Description

enabled

boolean

Specifies whether or not auditing is enabled on the SVM.

events

events

log

log

log_path

string

The audit log destination path where consolidated audit logs are stored.

svm

svm
Example request 
{
  "log": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "format": "xml",
    "retention": {
      "duration": "P4DT12H30M5S"
    },
    "rotation": {
      "schedule": {
        "days": {
        },
        "hours": {
        },
        "minutes": {
        },
        "months": {
        },
        "weekdays": {
        }
      }
    }
  },
  "svm": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  }
}

Response

Status: 202, Accepted

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

9699340

SVM UUID lookup failed

9699343

Audit configuration is absent for modification

9699358

Audit configuration is absent for enabling

9699359

Audit configuration is already enabled

9699360

Final consolidation is in progress, audit enable failed

9699365

Enabling of audit configuration failed

9699373

Audit configuration is absent for disabling

9699374

Audit configuration is already disabled

9699375

Disabling of audit configuration failed

9699384

The specified log_path does not exist

9699385

The log_path must be a directory

9699386

The log_path must be a canonical path in the SVMs namespace

9699387

The log_path cannot be empty

9699388

Rotate size must be greater than or equal to 1024 KB

9699389

The log_path must not contain a symbolic link

9699398

The log_path exceeds a maximum supported length of characters

9699399

The log_path contains an unsupported read-only (DP/LS) volume

9699400

The specified log_path is not a valid destination for SVM

9699402

The log_path contains an unsupported snaplock volume

9699403

The log_path cannot be accessed for validation

9699406

The log_path validation failed

9699407

Additional fields are provided

9699409

Failed to enable multiproto.audit.evtxlog.support support capability

9699410

Failed to disable multiproto.audit.evtxlog.support support capability

9699418

Audit configuration is absent for rotate

9699419

Failed to rotate audit log

9699420

Cannot rotate audit log, auditing is not enabled for this SVM

9699428

All nodes need to run ONTAP 8.3.0 release to audit CIFS logon-logoff events

9699429

Failed to enable multiproto.audit.cifslogonlogoff.support support capability

9699430

Failed to disable multiproto.audit.cifslogonlogoff.support support capability

9699431

All nodes need to run ONTAP 8.3.0 release to audit CAP staging events

9699432

Failed to enable multiproto.audit.capstaging.support support capability

9699433

Failed to disable multiproto.audit.capstaging.support support capability
Name Type Description

error

error
Example error 
{
  "error": {
    "arguments": {
      "code": "string",
      "message": "string"
    },
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

events

Name Type Description

authorization_policy

boolean

Authorization policy change events

cap_staging

boolean

Central access policy staging events

cifs_logon_logoff

boolean

CIFS logon and logoff events

file_operations

boolean

File operation events

file_share

boolean

File share category events

security_group

boolean

Local security group management events

user_account

boolean

Local user account management events

href

Name Type Description

href

string

_links

Name Type Description

self

href

retention

Name Type Description

count

integer

Determines how many audit log files to retain before rotating the oldest log file out. This is mutually exclusive with duration.

duration

string

Specifies an ISO-8601 format date and time to retain the audit log file. The audit log files are deleted once they reach the specified date/time. This is mutually exclusive with count.

audit_schedule

Rotates the audit logs based on a schedule by using the time-based rotation parameters in any combination. The rotation schedule is calculated by using all the time-related values.

Name Type Description

days

array[integer]

Specifies the day of the month schedule to rotate audit log. Leave empty for all.

hours

array[integer]

Specifies the hourly schedule to rotate audit log. Leave empty for all.

minutes

array[integer]

Specifies the minutes schedule to rotate the audit log.

months

array[integer]

Specifies the months schedule to rotate audit log. Leave empty for all.

weekdays

array[integer]

Specifies the weekdays schedule to rotate audit log. Leave empty for all.

rotation

Audit event log files are rotated when they reach a configured threshold log size or are on a configured schedule. When an event log file is rotated, the scheduled consolidation task first renames the active converted file to a time-stamped archive file, and then creates a new active converted event log file.

Name Type Description

now

boolean

Manually rotates the audit logs. Optional in PATCH only. Not available in POST.

schedule

audit_schedule

Rotates the audit logs based on a schedule by using the time-based rotation parameters in any combination. The rotation schedule is calculated by using all the time-related values.

size

integer

Rotates logs based on log size in bytes.

log

Name Type Description

_links

_links

format

string

The format in which the logs are generated by consolidation process. Possible values are:

  • xml - Data ONTAP-specific XML log format

  • evtx - Microsoft Windows EVTX log format

    • Default value: 1

    • enum: ["xml", "evtx"]

    • Introduced in: 9.6

retention

retention

rotation

rotation

Audit event log files are rotated when they reach a configured threshold log size or are on a configured schedule. When an event log file is rotated, the scheduled consolidation task first renames the active converted file to a time-stamped archive file, and then creates a new active converted event log file.

svm

Name Type Description

_links

_links

name

string

The name of the SVM.

uuid

string

The unique identifier of the SVM.

audit

Auditing for NAS events is a security measure that enables you to track and log certain CIFS and NFS events on SVMs.

Name Type Description

enabled

boolean

Specifies whether or not auditing is enabled on the SVM.

events

events

log

log

log_path

string

The audit log destination path where consolidated audit logs are stored.

svm

svm

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.