Release notes
Manage audit log destinations
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
You can forward the audit log to a maximum of 10 destinations. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.
To configure forwarding, you must provide the IP address of the syslog or Splunk host, its port number, a transmission protocol, and the syslog facility to use for the forwarded logs. Learn about syslog facilities.
You can select one of the following transmission values using the -protocol parameter:
- UDP Unencrypted
-
User Datagram Protocol with no security (default)
- TCP Unencrypted
-
Transmission Control Protocol with no security
- TCP Encrypted
-
Transmission Control Protocol with Transport Layer Security (TLS)
A Verify server option is available when the TCP Encrypted protocol is selected.
The default port is 514 for UDP and 6514 for TCP, but you can designate any port that meets the needs of your network.
You can select one of the following message formats using the -message-format command:
- legacy-netapp
-
A variation of the RFC-3164 Syslog format (format: <PRIVAL>TIMESTAMP HOSTNAME: MSG)
- rfc-5424
-
Syslog format as per RFC-5424 (format: <PRIVAL>VERSION TIMESTAMP HOSTNAME: MSG)
You can forward audit logs from the ONTAP CLI, and beginning with ONTAP 9.11.1, from System Manager.
-
To display audit log destinations, select Cluster >Settings.
A count of log destinations is shown in the Notification Management tile. Click
to show details. -
To add, modify, or delete audit log destinations, select Events & Jobs > Audit Logs, then click Manage Audit Destinations in the upper right of the screen.
Click
, or click in the Host Address column to edit or delete entries.
-
For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.
cluster1::> cluster log-forwarding create -destination 192.168.123.96 -port 514 -facility user cluster1::> cluster log-forwarding create -destination 192.168.123.98 -port 6514 -protocol tcp-encrypted -facility user
-
If the
cluster log-forwarding createcommand cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the-forceparameter with the command bypasses the connectivity verification. -
When you set the
-verify-serverparameter totrue, the identity of the log forwarding destination is verified by validating its certificate. You can set the value totrueonly when you select thetcp-encryptedvalue in the-protocolfield.
-
-
Verify that the destination records are correct by using the
cluster log-forwarding showcommand.cluster1::> cluster log-forwarding show Verify Syslog Destination Host Port Protocol Server Facility ------------------------- ------ -------- ------ -------- 192.168.123.96 514 udp-unencrypted false user 192.168.123.98 6514 tcp-encrypted true user 2 entries were displayed.
Learn more about cluster log-forwarding create in the ONTAP command reference.
