Forward the audit log to a destination

Contributors

You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

About this task

If the cluster log-forwarding create command cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the -force parameter with the command bypasses the connectivity verification.

You can configure transmission security options when forwarding log files:

  • Protocols for sending messages to the destination

    You can select one of the following -protocol values:

    • udp-unencrypted: User Datagram Protocol with no security (default)

    • tcp-unencrypted: Transmission Control Protocol with no security

    • tcp-encrypted: Transmission Control Protocol with Transport Layer Security (TLS)

  • Verification of destination server identity

    When you set the -verify-server parameter to true, the identity of the log forwarding destination is verified by validating its certificate. You can set the value to true only when you select the tcp-encrypted value in the -protocol field.

Steps
  1. For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.

    cluster1::> cluster log-forwarding create -destination 192.168.123.96
    -port 514 -facility user
    
    cluster1::> cluster log-forwarding create -destination 192.168.123.98
    -port 514 -protocol tcp-encrypted -facility user
  2. Verify that the destination records are correct by using the cluster log-forwarding show command.

    cluster1::> cluster log-forwarding show
    
                                                     Verify Syslog
    Destination Host          Port   Protocol        Server Facility
    ------------------------- ------ --------        ------ --------
    192.168.123.96            514    udp-unencrypted false  user
    192.168.123.98            514    tcp-encrypted   true   user
    2 entries were displayed.

Related information