Audit logs
Audit log is a collection of events in a chronological order, which is written to a file within the appliance. The audit log files are generated at /var/log/netapp/audit
location and the file names follow one of the below naming conventions:
-
audit.log: Active audit log file that is in use.
-
audit-%d{yyyy-MM-dd-HH-mm-ss}.log.gz: Rolled over audit log file. The date and time in the file name indicates when the file was created, for example: audit-2022-12-15-16-28-01.log.gz.
In the SCV plug-in user interface, you can view and export the audit log details from
Dashboard > Settings > Audit Logs Tab
You can view operation audit in the audit logs. The audit logs are downloaded with the Support bundle.
If Email settings are configured, SCV sends an Email notification in the event of an Audit Log Integrity Verification failure. An Audit Log Integrity Verification failure can happen when one of the files is tampered or deleted.
The default configurations of the audit files are:
-
Audit log file in use can grow to a maximum of 10 MB
-
A maximum of 10 audit log files are retained
Rolled over audit logs are periodically verified for integrity. SCV provides REST APIs to view logs and verify their integrity. A built-in schedule triggers and assigns one of the following integrity statuses.
Status |
Description |
TAMPERED |
Audit log file content is modified |
NORMAL |
Audit log file is unmodified |
ROLLOVER DELETE |
- Audit log file is deleted based on retention |
UNEXPECTED DELETE |
Audit log file is deleted |
ACTIVE |
- Audit log file is in use |
Events are categorize into three major categories:
-
Data Protection Events
-
Maintenance Console Events
-
Admin Console Events
Data Protection Events
The resources in SCV are:
-
Storage System
-
Resource Group
-
Policy
-
Backup
-
Subscription
-
Account
The following table lists the operations that can be performed on each resource:
Resources |
Operations |
Storage System |
Created, Modified, Deleted |
Subscription |
Created, Modified, Deleted |
Account |
Created, Modified, Deleted |
Resource Group |
Created, Modified, Deleted, Suspended, Resumed |
Policy |
Created, Modified, Deleted |
Backup |
Created, Renamed, Deleted, Mounted, Unmounted, Restored VMDK, Restored VM, Attach VMDK, Detach VMDK, Guest File Restore |
Maintenance Console Events
The administrative operations in the maintenance console are audited.
Available maintenance console options are:
-
Start / Stop services
-
Change username & password
-
Change MySQL password
-
Configure MySQL Backup
-
Restore MySQL Backup
-
Change 'maint' user password
-
Change time zone
-
Change NTP Server
-
Disable SSH access
-
Increase jail disk size
-
Upgrade
-
Install VMware Tools (We are working on replace this with open-vm tools)
-
Change IP address settings
-
Change domain name search settings
-
Change static routes
-
Access diagnostic shell
-
Enable remote diagnostic access
Admin Console Events
The following operations in the Admin Console UI are audited:
-
Settings
-
Change admin credentials
-
Change timezone
-
Change NTP Server
-
Change IPv4 / IPv6 settings
-
-
Configuration
-
Change vCenter Credentials
-
Plug-in Enable / Disable
-
Configure syslog servers
Audit logs are stored within the appliance and are periodically verified for integrity. Event forwarding allows the you to obtain events from the source or forwarding computer and store it in a centralized computer, which is the Syslog Server. Data is encrypted in transit between the source and the destination.
You must have administrator privileges.
This task helps you to configure the syslog server.
-
Log in to the SnapCenter Plug-in for VMware vSphere.
-
In the left navigation pane, select Settings > Audit Logs > Settings.
-
In the Audit Log Settings pane, select Send audit logs to Syslog server
-
Enter the following details:
-
Syslog Server IP
-
Syslog Server Port
-
RFC format
-
Syslog Server Certificate
-
-
Click SAVE to save the Syslog server settings.
Change audit log settings
You can change the default configurations of the log settings.
You must have administrator privileges.
This task helps you to change the default audit log settings.
-
Log in to the SnapCenter Plug-in for VMware vSphere.
-
In the left navigation pane, select Settings > Audit Logs > Settings.
-
In the Audit Log Settings pane, enter the Maximum number of audit log files and Audit log file size limit.