Display audit log contents

Contributors netapp-forry

You can display the contents of the cluster’s /mroot/etc/log/mlog/audit.log files by using the ONTAP CLI, System Manager, or a web browser.

The cluster’s log file entries include the following:

Time

The log entry timestamp.

Application

The application used to connect to the cluster. Examples of possible values are internal, console, ssh, http, ontapi, snmp, rsh, telnet, and service-processor.

User

The username of the remote user.

State

The current state of the audit request, which could be success, pending, or error.

Message

An optional field that might contain error or additional information about the status of a command.

Session ID

The session ID on which the request is received. Each SSH session is assigned a session ID, while each HTTP, ONTAPI, or SNMP request is assigned a unique session ID.

Storage VM

The SVM through which the user connected.

Scope

Displays svm when the request is on a data storage VM; otherwise displays cluster.

Command ID

The ID for each command received on a CLI session. This enables you to correlate a request and response. ZAPI, HTTP, and SNMP requests do not have command IDs.

You can display the cluster’s log entries from the ONTAP CLI, from a web browser, and beginning with ONTAP 9.11.1, from System Manager.

System Manager
  • To display the inventory, select Events & Jobs > Audit Logs.
    Each column has controls to filter, sort, search, show, and inventory categories. The inventory details can be downloaded as an Excel workbook.

  • To set filters, click the Filter button on the upper right side, then select the desired fields.
    You can also view all the commands executed in the session in which a failure occurred by clicking on the Session ID link.

CLI

To display audit entries merged from multiple nodes in the cluster, enter:
security audit log show [parameters]

You can use the security audit log show command to display audit entries for individual nodes or merged from multiple nodes in the cluster. You can also display the content of the /mroot/etc/log/mlog directory on a single node by using a web browser. See the man page for details.

Web browser

You can display the content of the /mroot/etc/log/mlog directory on a single node by using a web browser. Learn about how to access a node’s log, core dump, and MIB files by using a web browser.