Skip to main content

Plan the auditing configuration

Contributors netapp-barbe netapp-aherbin netapp-thomi netapp-dbagwell netapp-forry netapp-ahibbard

Before you configure auditing on storage virtual machines (SVMs), you must understand which configuration options are available and plan the values that you want to set for each option. This information can help you configure the auditing configuration that meets your business needs.

There are certain configuration parameters that are common to all auditing configurations.

Additionally, there are certain parameters that you can use to specify which methods are used when rotating the consolidated and converted audit logs. You can specify one of the three following methods when you configure auditing:

  • Rotate logs based on log size

    This is the default method used to rotate logs.

  • Rotate logs based on a schedule

  • Rotate logs based on log size and schedule (whichever event occurs first)

Note

At least one of the methods for log rotation should always be set.

Parameters common to all auditing configurations

There are two required parameters that you must specify when you create the auditing configuration. There are also three optional parameters that you can specify:

Type of information

Option

Required

Include

Your values

SVM name

Name of the SVM on which to create the auditing configuration. The SVM must already exist.

-vserver vserver_name

Yes

Yes

Log destination path

Specifies the directory where the converted audit logs are stored, typically a dedicated volume or qtree. The path must already exist in the SVM namespace.

The path can be up to 864 characters in length and must have read-write permissions.

If the path is not valid, the audit configuration command fails.

If the SVM is an SVM disaster recovery source, the log destination path cannot be on the root volume. This is because root volume content is not replicated to the disaster recovery destination.

You cannot use a FlexCache volume as a log destination (ONTAP 9.7 and later).

-destination text

Yes

Yes

Categories of events to audit

Specifies the categories of events to audit. The following event categories can be audited:

  • File access events (both SMB and NFSv4)

  • SMB logon and logoff events

  • Central access policy staging events

    Central access policy staging events are available beginning with Windows 2012 Active Directory domains.

  • Async-delete

  • File share category events

  • Audit policy change events

  • Local user account management events

  • Security group management events

  • Authorization policy change events

The default is to audit file access and SMB logon and logoff events.

Note: Before you can specify cap-staging as an event category, a SMB server must exist on the SVM. Although you can enable central access policy staging in the auditing configuration without enabling Dynamic Access Control on the SMB server, central access policy staging events are generated only if Dynamic Access Control is enabled. Dynamic Access Control is enabled through a SMB server option. It is not enabled by default.

-events {file-ops|cifs-logon-logoff|cap-staging|file-share|audit-policy-change|user-account|security-group|authorization-policy-change|async-delete}

No

Log file output format

Determines the output format of the audit logs. The output format can be either ONTAP-specific XML or Microsoft Windows EVTX log format. By default, the output format is EVTX.

-format {xml|evtx}

No

Log files rotation limit

Determines how many audit log files to retain before rotating the oldest log file out. For example, if you enter a value of 5, the last five log files are retained.

A value of 0 indicates that all the log files are retained. The default value is 0.

-rotate-limit integer

No

Parameters used for determining when to rotate audit event logs

Rotate logs based on log size

The default is to rotate audit logs based on size.

  • The default log size is 100 MB

  • If you want to use the default log rotation method and the default log size, you do not need to configure any specific parameters for log rotation.

  • If you want to rotate the audit logs based on a log size alone, use the following command to unset the -rotate-schedule-minute parameter: vserver audit modify -vserver vs0 -destination / -rotate-schedule-minute -

If you do not want to use the default log size, you can configure the -rotate-size parameter to specify a custom log size:

Type of information

Option

Required

Include

Your values

Log file size limit

Determines the audit log file size limit.

-rotate-size {integer[KB|MB|GB|TB|PB]}

No

Rotate logs based on a schedule

If you choose to rotate the audit logs based on a schedule, you can schedule log rotation by using the time-based rotation parameters in any combination.

  • If you use time-based rotation, the -rotate-schedule-minute parameter is mandatory.

  • All other time-based rotation parameters are optional.

  • The rotation schedule is calculated by using all the time-related values.

    For example, if you specify only the -rotate-schedule-minute parameter, the audit log files are rotated based on the minutes specified on all days of the week, during all hours on all months of the year.

  • If you specify only one or two time-based rotation parameters (for example, -rotate-schedule-month and -rotate-schedule-minutes), the log files are rotated based on the minute values that you specified on all days of the week, during all hours, but only during the specified months.

    For example, you can specify that the audit log is to be rotated during the months January, March, and August on all Mondays, Wednesdays, and Saturdays at 10:30 a.m.

  • If you specify values for both -rotate-schedule-dayofweek and -rotate-schedule-day, they are considered independently.

    For example, if you specify -rotate-schedule-dayofweek as Friday and -rotate-schedule-day as 13, then the audit logs would be rotated on every Friday and on the 13th day of the specified month, not just on every Friday the 13th.

  • If you want to rotate the audit logs based on a schedule alone, use the following command to unset the -rotate-size parameter: vserver audit modify -vserver vs0 -destination / -rotate-size -

You can use the following list of available auditing parameters to determine what values to use for configuring a schedule for audit event log rotations:

Type of information

Option

Required

Include

Your values

Log rotation schedule: Month

Determines the monthly schedule for rotating audit logs.

Valid values are January through December, and all. For example, you can specify that the audit log is to be rotated during the months January, March, and August.

-rotate-schedule-month chron_month

No

Log rotation schedule: Day of week

Determines the daily (day of week) schedule for rotating audit logs.

Valid values are Sunday through Saturday, and all. For example, you can specify that the audit log is to be rotated on Tuesdays and Fridays, or during all the days of a week.

-rotate-schedule-dayofweek chron_dayofweek

No

Log rotation schedule: Day

Determines the day of the month schedule for rotating the audit log.

Valid values range from 1 through 31. For example, you can specify that the audit log is to be rotated on the 10th and 20th days of a month, or all days of a month.

-rotate-schedule-day chron_dayofmonth

No

Log rotation schedule: Hour

Determines the hourly schedule for rotating the audit log.

Valid values range from 0 (midnight) to 23 (11:00 p.m.). Specifying all rotates the audit logs every hour. For example, you can specify that the audit log is to be rotated at 6 (6 a.m.) and 18 (6 p.m.).

-rotate-schedule-hour chron_hour

No

Log rotation schedule: Minute

Determines the minute schedule for rotating the audit log.

Valid values range from 0 to 59. For example, you can specify that the audit log is to be rotated at the 30th minute.

-rotate-schedule-minute chron_minute

Yes, if configuring schedule-based log rotation; otherwise, no.

Rotate logs based on log size and schedule

You can choose to rotate the log files based on log size and a schedule by setting both the -rotate-size parameter and the time-based rotation parameters in any combination. For example: if -rotate-size is set to 10 MB and -rotate-schedule-minute is set to 15, the log files rotate when the log file size reaches 10 MB or on the 15th minute of every hour (whichever event occurs first).