Manage audit log destinations

Contributors netapp-barbe netapp-forry netapp-thomi netapp-aherbin

You can forward the audit log to a maximum of 10 destinations. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

About this task

To configure forwarding, you must provide the IP address of the syslog or Splunk host, its port number, a transmission protocol, and the syslog facility to use for the forwarded logs. Learn about syslog facilities.

You can select one of the following transmission values using the -protocol parameter:

  • UDP Unencrypted: User Datagram Protocol with no security (default)

  • TCP Unencrypted: Transmission Control Protocol with no security

  • TCP Encrypted: Transmission Control Protocol with Transport Layer Security (TLS). A Verify server option is available when the TCP Encrypted protocol is selected.

The default port is 514 for UDP and 6514 for TCP, but you can designate any port that meets the needs of your network.

You can select one of the following message formats using the -message-format parameter:

  • legacy-netapp: a variation of the RFC-3164 syslog format (format: <PRIVAL>TIMESTAMP HOSTNAME: MSG)

  • rfc-5424: syslog format as per RFC-5424 (format: <PRIVAL>VERSION TIMESTAMP HOSTNAME: MSG)
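The two formats above differ only in the VERSION field, and in both the leading PRIVAL packs the facility and severity into one number (facility * 8 + severity), which is how the -facility setting you chose on the cluster shows up on the receiving server. The parser below is an added example, not ONTAP code or output: it splits a forwarded line into its fields, decodes PRIVAL back into facility and severity names, and detects which of the two formats was used. The sample lines, hostnames and message text are constructed, and the exact TIMESTAMP layout of the legacy-netapp format is assumed to follow RFC 3164 ("Mmm dd hh:mm:ss").

```python
import re

# Facility and severity names in PRIVAL order (RFC 3164 / RFC 5424).
# "user" is facility 1, which is the value used in the examples on this page.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# rfc-5424 as described on this page: <PRIVAL>VERSION TIMESTAMP HOSTNAME: MSG
RFC5424_RE = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+): (.*)$")
# legacy-netapp: <PRIVAL>TIMESTAMP HOSTNAME: MSG, timestamp assumed RFC 3164 style
LEGACY_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+): (.*)$")


def decode_prival(pri: int) -> tuple[str, str]:
    """Split PRIVAL into (facility, severity) names; PRIVAL must be 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRIVAL out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_prival(facility: str, severity: str) -> int:
    """Inverse of decode_prival, useful when building receiver-side filters."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_syslog(line: str) -> dict:
    """Parse one forwarded audit line in either format into a dict of fields."""
    m = RFC5424_RE.match(line)
    if m:
        pri, version, ts, host, msg = m.groups()
        facility, severity = decode_prival(int(pri))
        return {"format": "rfc-5424", "version": int(version), "timestamp": ts,
                "hostname": host, "facility": facility, "severity": severity, "msg": msg}
    m = LEGACY_RE.match(line)
    if m:
        pri, ts, host, msg = m.groups()
        facility, severity = decode_prival(int(pri))
        return {"format": "legacy-netapp", "version": None, "timestamp": ts,
                "hostname": host, "facility": facility, "severity": severity, "msg": msg}
    raise ValueError(f"unrecognised syslog line: {line!r}")


# Constructed sample lines (not real ONTAP output): facility user, severity notice/info.
SAMPLE_LEGACY = "<13>Oct 11 22:14:15 cluster1: admin ran 'cluster log-forwarding show'"
SAMPLE_RFC5424 = "<14>1 2024-05-01T12:00:00Z cluster1: admin ran 'cluster log-forwarding show'"

if __name__ == "__main__":
    for line in (SAMPLE_LEGACY, SAMPLE_RFC5424):
        print(parse_syslog(line))
```

On the receiving side this lets you confirm that lines really arrive tagged with the facility you configured (for example, route facility "user" from the cluster into a dedicated audit index) and reject anything outside the 0..191 PRIVAL range as malformed.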

You can forward audit logs from the ONTAP CLI, and beginning with ONTAP 9.11.1, from System Manager.

System Manager
  • To display audit log destinations, select Cluster > Settings.
    A count of log destinations is shown in the Notification Management tile. Click the menu options icon to show details.

  • To add, modify, or delete audit log destinations, select Events & Jobs > Audit Logs, then click Manage Audit Destinations in the upper right of the screen.
    Click the add icon, or click the menu options icon in the Host Address column to edit or delete entries.

CLI
  1. For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.

    cluster1::> cluster log-forwarding create -destination 192.168.123.96 -port 514 -facility user
    
    cluster1::> cluster log-forwarding create -destination 192.168.123.98 -port 6514 -protocol tcp-encrypted -facility user

    • If the cluster log-forwarding create command cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the -force parameter with the command bypasses the connectivity verification.

    • When you set the -verify-server parameter to true, the identity of the log forwarding destination is verified by validating its certificate. You can set the value to true only when you select the tcp-encrypted value in the -protocol field.

  2. Verify that the destination records are correct by using the cluster log-forwarding show command.

    cluster1::> cluster log-forwarding show
    
                                                     Verify Syslog
    Destination Host          Port   Protocol        Server Facility
    ------------------------- ------ --------        ------ --------
    192.168.123.96            514    udp-unencrypted false  user
    192.168.123.98            6514   tcp-encrypted   true   user
    2 entries were displayed.
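The show output is also the easiest place to catch destinations that were created with the defaults, that is UDP with no encryption, or TCP Encrypted without server verification, both of which let audit records travel or terminate without any assurance about who receives them. The script below is an added example, not part of ONTAP or this page: it parses the column layout shown above and lists each destination that is not both tcp-encrypted and verify-server true. The table text is constructed for the example (the third row is invented to show the verification-disabled case), and in practice you would feed it the captured output of cluster log-forwarding show.

```python
# Constructed sample in the column layout of `cluster log-forwarding show`;
# the first two rows mirror the page's example, the third is invented.
SAMPLE_SHOW = """\
                                                 Verify Syslog
Destination Host          Port   Protocol        Server Facility
------------------------- ------ --------        ------ --------
192.168.123.96            514    udp-unencrypted false  user
192.168.123.98            6514   tcp-encrypted   true   user
192.168.123.99            6514   tcp-encrypted   false  user
3 entries were displayed.
"""


def parse_show(text: str) -> list[dict]:
    """Turn the show table into dicts; rows start after the dashed separator line."""
    rows = []
    in_body = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_body = True
            continue
        if not in_body or not line.strip() or "entries were displayed" in line:
            continue
        host, port, protocol, verify, facility = line.split()
        rows.append({
            "host": host,
            "port": int(port),
            "protocol": protocol,
            "verify_server": verify == "true",
            "facility": facility,
        })
    return rows


def weak_destinations(rows: list[dict]) -> list[tuple[str, str]]:
    """Return (host, reason) for every destination that is not TLS with server verification."""
    findings = []
    for r in rows:
        if r["protocol"] != "tcp-encrypted":
            findings.append((r["host"], f"protocol {r['protocol']} sends audit records in the clear"))
        elif not r["verify_server"]:
            findings.append((r["host"], "tcp-encrypted without -verify-server true: peer certificate not validated"))
    return findings


if __name__ == "__main__":
    for host, reason in weak_destinations(parse_show(SAMPLE_SHOW)):
        print(f"{host}: {reason}")
```

The check is deliberately strict about the second case: TLS without certificate validation still encrypts the stream, but the cluster will hand the audit log to whatever answers on port 6514, so a destination like that should be recreated with -protocol tcp-encrypted -verify-server true once the receiver's certificate chain is trusted by the cluster.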

See the cluster log-forwarding create man page for details.