Manage audit log destinations
-
PDF of this doc site
- Cluster administration
-
Volume administration
- Logical storage management with the CLI
-
NAS storage management
- Configure NFS with the CLI
- Manage NFS with the CLI
-
Manage SMB with the CLI
- Manage file access using SMB
- Security and data encryption
- Data protection and disaster recovery
Collection of separate PDF docs
Creating your file...
You can forward the audit log to a maximum of 10 destinations. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.
To configure forwarding, you must provide the IP address of the syslog or Splunk host, its port number, a transmission protocol, and the syslog facility to use for the forwarded logs. Learn about syslog facilities.
You can select one of the following transmission values:
- UDP Unencrypted
-
User Datagram Protocol with no security (default)
- TCP Unencrypted
-
Transmission Control Protocol with no security
- TCP Encrypted
-
Transmission Control Protocol with Transport Layer Security (TLS)
A Verify server option is available when the TCP Encrypted protocol is selected.
You can forward audit logs from the ONTAP CLI, and beginning with ONTAP 9.11.1, from System Manager.
-
To display audit log destinations, select Cluster >Settings.
A count of log destinations is shown in the Notification Management tile. Click to show details. -
To add, modify, or delete audit log destinations, select Events & Jobs > Audit Logs, then click Manage Audit Destinations in the upper right of the screen.
Click , or click in the Host Address column to edit or delete entries.
-
For each destination that you want to forward the audit log to, specify the destination IP address or host name and any security options.
cluster1::> cluster log-forwarding create -destination 192.168.123.96 -port 514 -facility user cluster1::> cluster log-forwarding create -destination 192.168.123.98 -port 514 -protocol tcp-encrypted -facility user
-
If the
cluster log-forwarding create
command cannot ping the destination host to verify connectivity, the command fails with an error. Although not recommended, using the-force
parameter with the command bypasses the connectivity verification. -
When you set the
-verify-server
parameter totrue
, the identity of the log forwarding destination is verified by validating its certificate. You can set the value totrue
only when you select thetcp-encrypted
value in the-protocol
field.
-
-
Verify that the destination records are correct by using the
cluster log-forwarding show
command.cluster1::> cluster log-forwarding show Verify Syslog Destination Host Port Protocol Server Facility ------------------------- ------ -------- ------ -------- 192.168.123.96 514 udp-unencrypted false user 192.168.123.98 514 tcp-encrypted true user 2 entries were displayed.
See the man pages for details.