Create and enable an S3 auditing configuration

To implement S3 auditing, you first create a persistent object store auditing configuration on an S3-enabled SVM, then enable the configuration.

What you’ll need
  • An S3-enabled SVM.

  • Sufficient space for staging volumes in the aggregate.

About this task

An auditing configuration is required for each SVM that contains S3 buckets that you wish to audit. You can enable S3 auditing on new or existing S3 servers. Auditing configurations persist in an S3 environment until removed by the vserver object-store-server audit delete command.

The S3 auditing configuration is per SVM, but it applies only to the buckets in that SVM that you select for auditing; an audit-enabled SVM can contain both audited and unaudited buckets.

It is recommended that you configure S3 auditing for automatic log rotation, triggered by log size or by a schedule, and that you bound how many rotated files are kept (with -rotate-limit or -retention-duration). If you don’t set a limit or retention duration, all rotated log files are retained indefinitely, which can exhaust the staging volume. You can also rotate S3 log files manually with the vserver object-store-server audit rotate-log command.

If the SVM is an SVM disaster recovery source, the destination path cannot be on the root volume.

Procedure
  1. Create the auditing configuration to rotate audit logs based on log size or a schedule.

    If you want to rotate audit logs by log size, enter:

    vserver object-store-server audit create -vserver svm_name -destination path [[-events] {data|management}, …] {[-rotate-limit integer] | [-retention-duration [integerd][integerh][integerm][integers]]} [-rotate-size {integer[KB|MB|GB|TB|PB]}]

    If you want to rotate audit logs by a schedule, enter:

    vserver object-store-server audit create -vserver svm_name -destination path [[-events] {data|management}, …] {[-rotate-limit integer] | [-retention-duration [integerd][integerh][integerm][integers]]} [-rotate-schedule-month chron_month] [-rotate-schedule-dayofweek chron_dayofweek] [-rotate-schedule-day chron_dayofmonth] [-rotate-schedule-hour chron_hour] -rotate-schedule-minute chron_minute

    In both forms, -rotate-limit and -retention-duration are mutually exclusive: use one or the other to bound how many rotated logs are kept.

    The -rotate-schedule-minute parameter is required if you are configuring time-based audit log rotation.

  2. Enable S3 auditing:

    vserver object-store-server audit enable -vserver svm_name
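The two steps above are usually automated (for example, pushed over SSH or from a configuration-management playbook) rather than typed by hand, and the parameter rules are easy to get wrong. The following Python helper is an added example written for this page; it is not NetApp code and does not talk to a cluster. It builds the create and enable command strings from the syntax shown in the procedure and enforces the constraints the procedure states: -rotate-limit and -retention-duration are mutually exclusive, -events accepts only data and management, and schedule-based rotation requires -rotate-schedule-minute. The retention-duration parser implements the [integerd][integerh][integerm][integers] format from the syntax; the size-suffix check and the -rotate-schedule-* option names are taken from the procedure, and the argument order in the generated string is an assumption chosen to match the page's own examples.

```python
import re
from typing import Dict, List, Optional

# Formats taken from the command syntax on this page.
_DURATION_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
_SIZE_RE = re.compile(r"^\d+(KB|MB|GB|TB|PB)$")
_EVENTS = {"data", "management"}
_SCHEDULE_KEYS = ("month", "dayofweek", "day", "hour", "minute")


def parse_retention_duration(text: str) -> int:
    """Convert a -retention-duration value such as '5d0h0m' to seconds.

    Raises ValueError on an empty string or anything outside the
    [integerd][integerh][integerm][integers] format.
    """
    m = _DURATION_RE.match(text)
    if not text or m is None:
        raise ValueError(f"bad -retention-duration {text!r}; expected e.g. 5d0h0m")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def build_s3_audit_commands(
    vserver: str,
    destination: str,
    events: Optional[List[str]] = None,
    rotate_size: Optional[str] = None,
    schedule: Optional[Dict[str, str]] = None,
    rotate_limit: Optional[int] = None,
    retention_duration: Optional[str] = None,
) -> List[str]:
    """Return [create_command, enable_command] for one S3-enabled SVM.

    `schedule` maps the suffix of a -rotate-schedule-* option ("month",
    "dayofweek", "day", "hour", "minute") to its value; "minute" is mandatory
    whenever a schedule is given, as the procedure requires.
    """
    if rotate_limit is not None and retention_duration is not None:
        raise ValueError("-rotate-limit and -retention-duration are mutually exclusive")

    parts = [
        "vserver object-store-server audit create",
        f"-vserver {vserver}",
        f"-destination {destination}",
    ]

    if events:
        unknown = sorted(set(events) - _EVENTS)
        if unknown:
            raise ValueError(f"unknown -events value(s): {unknown}")
        parts.append("-events " + ",".join(events))

    if rotate_size is not None:
        if not _SIZE_RE.match(rotate_size):
            raise ValueError(f"bad -rotate-size {rotate_size!r}; expected integer[KB|MB|GB|TB|PB]")
        parts.append(f"-rotate-size {rotate_size}")

    if schedule is not None:
        if "minute" not in schedule:
            raise ValueError("-rotate-schedule-minute is required for schedule-based rotation")
        unknown = sorted(set(schedule) - set(_SCHEDULE_KEYS))
        if unknown:
            raise ValueError(f"unknown schedule field(s): {unknown}")
        for key in _SCHEDULE_KEYS:  # emit in the order the syntax lists them
            if key in schedule:
                parts.append(f"-rotate-schedule-{key} {schedule[key]}")

    if rotate_limit is not None:
        if rotate_limit < 0:
            raise ValueError("-rotate-limit must be a non-negative integer")
        parts.append(f"-rotate-limit {rotate_limit}")

    if retention_duration is not None:
        parse_retention_duration(retention_duration)  # validate the format only
        parts.append(f"-retention-duration {retention_duration}")

    create = " ".join(parts)
    enable = f"vserver object-store-server audit enable -vserver {vserver}"
    return [create, enable]


if __name__ == "__main__":
    # Reproduces the page's schedule-based example for SVM vs1.
    for line in build_s3_audit_commands(
        "vs1", "/audit_log", events=["management"],
        schedule={"month": "all", "dayofweek": "all", "hour": "12", "minute": "30"},
        rotate_limit=5,
    ):
        print(line)
```

The function only produces the strings; feed them to whatever transport you use to reach the cluster shell, and keep the enable command second, since the configuration must exist before it is enabled.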

Examples

The following example creates an auditing configuration that audits all S3 events (the default) using size-based rotation. The logs are stored in the /audit_log directory and are rotated when a log file reaches 200 MB.

cluster1::> vserver object-store-server audit create -vserver vs1 -destination /audit_log -rotate-size 200MB

The following example creates an auditing configuration that audits all S3 events (the default) using size-based rotation. The log file size limit is 100 MB (the default), and rotated logs are retained for 5 days before being deleted.

cluster1::> vserver object-store-server audit create -vserver vs1 -destination /audit_log -retention-duration 5d0h0m

The following example creates an auditing configuration that audits only S3 management events, using time-based rotation. The schedule covers all months and all days of the week, so the audit logs are rotated every day at 12:30 p.m. At most 5 rotated log files are kept.

cluster1::> vserver object-store-server audit create -vserver vs1 -destination /audit_log -events management -rotate-schedule-month all -rotate-schedule-dayofweek all -rotate-schedule-hour 12 -rotate-schedule-minute 30 -rotate-limit 5