Storage administrative system auditing
Ensure the integrity of event auditing by offloading ONTAP events to a remote syslog server. This server can be a security information and event management (SIEM) system such as Splunk, or any syslog collector that stores the records outside the storage system itself.
Send out syslog
Log and audit information is invaluable to an organization from a support and availability standpoint. In addition, the information and details contained in logs (syslog) and in audit reports and outputs are generally sensitive in nature. To maintain security controls and posture, organizations must manage log and audit data in a secure manner.
Offloading syslog information limits the scope or footprint of a breach to a single system or solution: an attacker who compromises the storage system cannot alter or delete log records that have already been forwarded elsewhere. Therefore, NetApp recommends securely offloading syslog information to a secure storage or retention location.
Create a log-forwarding destination
Use the cluster log-forwarding create command to create log-forwarding destinations for remote logging.
Use the following parameters to configure the cluster log-forwarding create command:
- -destination <Remote InetAddress>: Destination host. This is the host name or IPv4 or IPv6 address of the server to which the logs are forwarded.
- [-port <integer>]: Destination port. This is the port on which the destination server listens.
- [-protocol {udp-unencrypted|tcp-unencrypted|tcp-encrypted}]: Log-forwarding protocol. This protocol is used for sending messages to the destination and can take one of the following values:
  - udp-unencrypted: User Datagram Protocol with no security.
  - tcp-unencrypted: TCP with no security.
  - tcp-encrypted: TCP with Transport Layer Security (TLS).
- [-verify-server {true|false}]: Verify destination server identity. When this parameter is set to true, the identity of the log-forwarding destination is verified by validating its certificate. The value can be set to true only when tcp-encrypted is selected in the protocol field.
- [-facility <Syslog Facility>]: Syslog facility. This value is the syslog facility to use for the forwarded logs.
- [-force [true]]: Skip the connectivity test. Normally, the cluster log-forwarding create command checks that the destination is reachable by sending an Internet Control Message Protocol (ICMP) ping and fails if it is not reachable. Setting this value to true bypasses the ping check so that you can configure the destination when it is unreachable.
NetApp recommends creating every log-forwarding destination with -protocol tcp-encrypted. With tcp-encrypted in place, also set -verify-server true so that the cluster refuses to send logs to a host that cannot present a certificate it trusts; the unencrypted protocols expose the log stream to interception and modification in transit, and a destination created without server verification can be silently redirected to an attacker-controlled collector.
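The following clustershell session, added here as an illustration and not taken from NetApp documentation, puts the parameters above together into the hardened configuration the text recommends: the collector's issuing CA is installed first so that -verify-server true can succeed, a pre-existing udp-unencrypted destination is corrected in place, and the result is checked. The host name syslog.example.net, the port 6514 (the conventional port for syslog over TLS) and the facility local0 are example values; the cluster log-forwarding modify command is assumed to accept the same parameters as create, and the cluster admin SVM is assumed to be named cluster1.

```console
# 1. Trust the CA that issued the syslog collector's server certificate.
#    Without this, -verify-server true cannot validate the destination.
cluster1::> security certificate install -vserver cluster1 -type server-ca
Please enter Certificate: Press <Enter> when done
-----BEGIN CERTIFICATE-----
(PEM body of the collector's issuing CA, pasted here)
-----END CERTIFICATE-----

# 2. Create the destination over TLS with server identity verification.
#    Do not add -force true: a failed reachability check is a signal, not a nuisance.
cluster1::> cluster log-forwarding create -destination syslog.example.net -port 6514 -protocol tcp-encrypted -verify-server true -facility local0

# 3. Weak setting beside its correction: an older destination that was created as
#    udp-unencrypted on 514 is moved to TLS rather than left in place.
cluster1::> cluster log-forwarding modify -destination legacy-syslog.example.net -port 514 -protocol tcp-encrypted -verify-server true

# 4. Check: every row should show protocol tcp-encrypted and verify-server true.
cluster1::> cluster log-forwarding show -fields destination,port,protocol,verify-server,facility
```

If step 2 fails after the CA is installed, confirm that the collector's certificate carries the host name used in -destination in its subject or subject alternative name and that the collector is actually listening for TLS on the chosen port; the ICMP ping in the create command only proves the host is up, not that the TLS listener is.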
Event notification
Securing the information and data leaving a system is vital to maintaining and managing the system's security posture. The events generated by ONTAP provide a wealth of information about what the system is encountering, the information it has processed, and more. The value and sensitivity of this data mean that it, too, must be delivered to its destinations in a secure manner.
The event notification create command sends new notifications for the set of events defined by an event filter to one or more notification destinations. The following example depicts the event notification configuration and the event notification show command, which displays the configured event notification filters and destinations.
cluster1::> event notification create -filter-name filter1 -destinations email_dest,syslog_dest,snmp-traphost
cluster1::> event notification show
ID    Filter Name       Destinations
----- ----------------- ------------------------------------
1     filter1           email_dest, syslog_dest, snmp-traphost
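The example above starts from a filter and destinations that already exist. The session below, added here as an illustration rather than copied from the page or from NetApp, shows the steps that precede it: defining a syslog destination, building a filter that includes only EMERGENCY, ALERT and ERROR events, and binding the two. The host syslog.example.net and the names syslog_dest and filter1 are example values; the -severities spelling of the rule parameter and the -syslog-transport option on the destination (present only in newer ONTAP releases) are assumptions to confirm with the ? help on your release.

```console
# 1. A syslog destination for EMS notifications. Newer releases let the transport be set
#    here; prefer tcp-encrypted for the same reason as in cluster log-forwarding.
cluster1::> event notification destination create -name syslog_dest -syslog syslog.example.net -syslog-transport tcp-encrypted

# 2. An event filter. A new filter matches nothing until rules are added; the final
#    implicit rule excludes everything that no explicit rule included.
cluster1::> event filter create -filter-name filter1
cluster1::> event filter rule add -filter-name filter1 -type include -message-name * -severities EMERGENCY,ALERT,ERROR

# 3. Bind the filter to the destination, then review what will be sent and where.
cluster1::> event notification create -filter-name filter1 -destinations syslog_dest
cluster1::> event filter show -filter-name filter1
cluster1::> event notification show
```

Keep the filter explicit: a rule with -message-name * and no severity list forwards every informational and debug event and will bury the security-relevant records at the collector, whereas a filter with no include rule at all sends nothing, which is easy to miss because event notification show still lists it as configured.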