Display audit log contents
You can display the contents of the cluster's /mroot/etc/log/mlog/audit.log files by using the ONTAP CLI, System Manager, or a web browser.
The cluster's log file entries include the following:
- Time
  The log entry timestamp.
- Application
  The application used to connect to the cluster. Examples of possible values are internal, console, ssh, http, ontapi, snmp, rsh, telnet, and service-processor.
- User
  The username of the remote user.
- State
  The current state of the audit request, which could be success, pending, or error.
- Message
  An optional field that might contain error or additional information about the status of a command.
- Session ID
  The session ID on which the request is received. Each SSH session is assigned a session ID, while each HTTP, ONTAPI, or SNMP request is assigned a unique session ID.
- Storage VM
  The SVM through which the user connected.
- Scope
  Displays svm when the request is on a data storage VM; otherwise displays cluster.
- Command ID
  The ID for each command received on a CLI session. This enables you to correlate a request and response. ZAPI, HTTP, and SNMP requests do not have command IDs.
You can display the cluster's log entries from the ONTAP CLI, from a web browser, and beginning with ONTAP 9.11.1, from System Manager.
- To display the inventory, select Events & Jobs > Audit Logs.
  Each column has controls to filter, sort, search, show, and inventory categories. The inventory details can be downloaded as an Excel workbook.
- To set filters, click the Filter button on the upper right side, then select the desired fields.
  You can also view all the commands executed in the session in which a failure occurred by clicking on the Session ID link.
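The Session ID and Command ID fields described above can be used to pair each CLI request with its response and to collect every entry from a session in which a failure occurred. The following Python is an added example, not part of the ONTAP documentation or tooling; it assumes the audit entries have already been exported into records, and the key names and all sample values are constructed for illustration.

```python
from collections import defaultdict

# Key names are assumptions that mirror the fields listed on this page.
FIELDS = ("time", "application", "user", "state", "message",
          "session_id", "svm", "scope", "command_id")

def rec(*values):
    return dict(zip(FIELDS, values))

# Constructed sample entries, not real ONTAP output.
RECORDS = [
    rec("2024-05-01 10:00:01", "ssh", "admin", "pending", "", "ssh-1", "cluster1", "cluster", "1"),
    rec("2024-05-01 10:00:02", "ssh", "admin", "success", "", "ssh-1", "cluster1", "cluster", "1"),
    rec("2024-05-01 10:00:09", "ssh", "admin", "pending", "", "ssh-1", "cluster1", "cluster", "2"),
    rec("2024-05-01 10:00:10", "ssh", "admin", "error", "constructed error text",
        "ssh-1", "cluster1", "cluster", "2"),
    rec("2024-05-01 10:01:00", "ssh", "svmadmin", "pending", "", "ssh-2", "vs1", "svm", "1"),
    rec("2024-05-01 10:02:00", "http", "admin", "success", "", "http-7", "cluster1", "cluster", None),
]

def correlate(records):
    """Map (session_id, command_id) -> final state seen for that CLI command."""
    outcome = {}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["command_id"] is None:  # ZAPI, HTTP and SNMP requests have no command ID
            continue
        key = (r["session_id"], r["command_id"])
        # A success/error response is never overwritten by a late "pending" entry.
        if outcome.get(key) in ("success", "error") and r["state"] == "pending":
            continue
        outcome[key] = r["state"]
    return outcome

def unanswered(records):
    """CLI requests logged as pending with no matching success or error entry."""
    return sorted(k for k, s in correlate(records).items() if s == "pending")

def failed_sessions(records):
    """Every entry, in time order, of each session that contains an error."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_session[r["session_id"]].append(r)
    return {sid: rows for sid, rows in by_session.items()
            if any(r["state"] == "error" for r in rows)}

if __name__ == "__main__":
    print("unanswered:", unanswered(RECORDS))
    for sid, rows in failed_sessions(RECORDS).items():
        print(sid, [(r["command_id"], r["state"]) for r in rows])
```

Command IDs are keyed together with the session ID because the page defines them per CLI session, so the same command ID can appear in different sessions.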
To display audit entries merged from multiple nodes in the cluster, enter:
security audit log show [parameters]
You can use the security audit log show command to display audit entries for individual nodes or merged from multiple nodes in the cluster. You can also display the content of the /mroot/etc/log/mlog directory on a single node by using a web browser.
See the man page for details.
You can display the content of the /mroot/etc/log/mlog directory on a single node by using a web browser. Learn about how to access a node’s log, core dump, and MIB files by using a web browser.