Learn about ONTAP audit logging implementation
Management activities recorded in the audit log are included in standard AutoSupport reports, and certain logging activities are included in EMS messages. You can also forward the audit log to destinations that you specify, and you can display audit log files by using the ONTAP CLI or a web browser.
Beginning with ONTAP 9.11.1, you can display audit log contents using System Manager.
Beginning with ONTAP 9.12.1, ONTAP provides tampering alerts for audit logs. ONTAP runs a daily background job to check for tampering of audit.log files and sends an EMS alert if it finds any log files that have been changed or tampered with.
Beginning with ONTAP 9.17.1, and with ONTAP 9.16.1 P4 and later 9.16.1 patch releases, remote management activities initiated from a peered cluster using cross-cluster operations can also be logged. These activities include user-driven and internal operations that originate from another cluster.
ONTAP logs management activities that are performed on a cluster, such as what request was issued, the user who triggered the request, the user's access method, and the time of the request.
Management activities can be one of the following types:
-
SET requests:
-
These requests typically apply to non-display commands or operations.
-
These requests are issued when you run a
create
,modify
, ordelete
command, for instance. -
SET requests are logged by default.
-
-
GET requests:
-
These requests retrieve information and display it in the management interface.
-
These requests are issued when you run a
show
command, for instance. -
GET requests are not logged by default, but you can control whether GET requests sent from the ONTAP CLI (
-cliget
), from the ONTAP API (-ontapiget
), or from the ONTAP REST API (-httpget
) are logged in the file.
-
ONTAP records management activities in the /mroot/etc/log/mlog/audit.log
file of a node. Commands from the three shells for CLI commands: the clustershell, the nodeshell, and the non-interactive systemshell as well as API commands are logged here. Interactive systemshell commands are not logged. Audit logs include timestamps to show whether all nodes in a cluster are synchronized.
The audit.log
file is sent by the AutoSupport tool to the specified recipients. You can also forward the content securely to external destinations that you specify; for example, a Splunk or a syslog server.
The audit.log
file is rotated daily. The rotation also occurs when it reaches 100 MB in size, and the previous 48 copies are preserved (with a maximum total of 49 files). When the audit file performs its daily rotation, no EMS message is generated. If the audit file rotates because its file size limit is exceeded, an EMS message is generated.
When enabling GET auditing, consider configuring log forwarding to avoid data loss due to rapid log rotation. For more information, see the following Knowledge Base article: Enabling audit log forwarding.